What Event Logs? Part 1: Attacker Tricks to Remove Event Logs
- Thursday, January 11th, 2018 at 10:30 AM EST (15:30:00 UTC)
- Matt Bromiley
You can now attend the webcast using your mobile device!
Overview
For more information about the course please visit or for training: FOR508
Working without Windows Event Logs - a two-part webcast series. Many analysts rely on Windows Event Logs to help gain context of attacker activity on a system, with log entries serving as the correlative glue between additional artifacts. But what happens when the attackers find ways to remove the logs, or worse, stop the logs from writing? We must find a way to adapt.
In part 1 of this series, SANS instructor and incident responder Matt Bromiley will focus on techniques, old and new, that attackers are using to neutralize event logs as a recording mechanism. Ranging from clearing of logs to surgical, specific event removal, in this webcast we will discuss how the attackers are doing what they're doing, and the forensic techniques we can use to detect their methods. There has been a lot of discussion lately about attackers' ability to fool the system into not writing event logs - but are our attackers truly staying hidden when they do this? Let's find out!
We will also discuss the best steps your organization can take to ensure that your logs are being preserved and available for when you need them.
Speaker Bio
Matt Bromiley
Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.
Need Help? Visit our FAQ page or email webcast-support@sans.org.
Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.
