
Security West 2020

San Diego, CA | Wed, May 6 - Wed, May 13, 2020

Threat Hunting via Windows Event Logs

  • Eric Conrad
  • Thursday, May 9th, 7:15pm - 9:15pm

Windows event logs continue to be the best source for centrally hunting malice in a Windows environment. Virtually all malware can be detected via event logs after making small tweaks to the logging configuration.

Recent malware attacks leverage 'fileless malware', typically using PowerShell for post exploitation. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging.

We will discuss DeepBlueCLI, an open source PowerShell framework for threat hunting via Windows Event Logs (including the latest PowerShell-fueled post exploitation). DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.
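The detection idea in the abstract, that command line auditing makes fileless PowerShell visible in event 4688 (process creation) records, can be shown in a few lines. The following Python is an added example written for this page; it is not code from the talk or from DeepBlueCLI. The event records are constructed inline and reduced to the fields the check needs, and the 1000-character long-command-line threshold is an assumed value, not one taken from the page.

```python
import base64
import re

# Constructed sample 4688 records, trimmed to the fields used here. On a real
# host these come from Security.evtx once process creation auditing and
# command-line inclusion are enabled.
_ENCODED = base64.b64encode("Write-Output 'test'".encode("utf-16-le")).decode()

SAMPLE_4688 = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"EventID": 4624, "CommandLine": ""},  # a logon event, not a process creation
]

# powershell.exe accepts any unambiguous prefix of a switch, so the encoded
# command switch can appear as -e, -ec, -enc, -EncodedCommand and so on.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_SWITCHES = [
    (re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), "no profile"),
    (re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b"), "non-interactive"),
]
LONG_CMDLINE = 1000  # assumed threshold for "unusually long command line"


def decode_encoded_command(b64):
    """Decode an -EncodedCommand payload (base64 of UTF-16LE text).

    Returns None when the payload is not valid base64 or UTF-16LE; a
    non-decodable payload on a real host is itself worth a second look.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_4688(events):
    """Return a finding per suspicious process creation record."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        proc = ev.get("NewProcessName", "").lower()
        reasons = []
        decoded = None
        if proc.endswith(("powershell.exe", "pwsh.exe")):
            m = ENCODED_SWITCH.search(cmd)
            if m:
                decoded = decode_encoded_command(m.group(1))
                reasons.append("encoded command")
            for rx, label in SUSPICIOUS_SWITCHES:
                if rx.search(cmd):
                    reasons.append(label)
        if len(cmd) > LONG_CMDLINE:
            reasons.append(f"command line longer than {LONG_CMDLINE} chars")
        if reasons:
            findings.append({"process": proc, "reasons": reasons,
                             "decoded": decoded, "command_line": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze_4688(SAMPLE_4688):
        print(f["process"], "->", ", ".join(f["reasons"]))
        if f["decoded"] is not None:
            print("  decoded:", f["decoded"])
```

The decode step matters because the base64 form hides the script from a plain keyword match; once command line auditing captures it, the analyst can read the actual PowerShell that ran. Script block logging (event 4104) covers the same ground from inside PowerShell and is the complementary source the abstract refers to.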

We will also discuss DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternals' Sysmon and supports auto-submission of EXE, DLL and driver hashes via a free VirusTotal Community API key.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
Thursday, May 7
  • Welcome Reception & Early Check-In | Thursday, May 7th, 5:00pm - 7:00pm | Reception
Friday, May 8
  • General Session - Welcome to SANS | Speaker: Bryan Simon | Friday, May 8th, 8:00am - 8:30am | Special Events
Saturday, May 9
  • Coffee & Donuts with the College Students | Saturday, May 9th, 7:30am - 9:00am | Special Events