The Best Online Cybersecurity Training in the World - SANS OnDemand


To attend this webcast, login to your SANS Account or create your Account.

Introducing the New DFIR “Hunt Evil“ Poster

  • Tuesday, June 5th, 2018 at 1:00 PM EDT (17:00:00 UTC)
  • Rob Lee and Mike Pilkington
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

You can now attend the webcast using your mobile device!


In this webcast, Rob Lee and Mike Pilkington will take you through a deep-dive of the new Hunt Evil poster. The new Hunt Evil poster is a significant update to the Find Evil poster introduced in 2014. Like the old poster, it is designed to help incident responders and threat hunters search for anomalous activity that could indicate intruder activity in the environment. The first side is titled "Find Evil: Know Normal". It focuses on what processes are normal on a Windows 10 host, how they launch, and how they interact. This is a useful reference to recognize whats normal in Windows, and help to focus attention on any outliers. The second side is titled "Hunt Evil: Lateral Movement". Its an all-new design that provides a graphic cheat sheet of the most likely techniques attackers will use to move data and execute code remotely. Every adversary, including the most skilled, will use some form of lateral movement technique described in the poster. Join Rob and Mike as they discuss how the Hunt Evil poster can help make responders and hunters more efficient at scoping, hunting, and anticipating future attacker activity across the network.

Speaker Bios

Rob Lee

Rob Lee is the curriculum lead and author for digital forensic and incident response training at the SANS Institute. With more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response, he provides consulting services in the Washington, D.C. area. Before starting his own business, Rob worked with government agencies in the law enforcement, defense and intelligence communities as a lead for vulnerability discovery and exploit development teams, a cyber forensics branch, and a computer forensic and security software development team. He also worked for a leading incident response service provider and co-authored Know Your Enemy: Learning About Security Threats, 2nd Edition.

Mike Pilkington

Mike Pilkington is a Senior Security Consultant for a Fortune 500 company in the oil & gas industry. He has been an IT professional since graduating in 1996 from the University of Texas with a B.S. in Mechanical Engineering. Since joining his company in 1997, he has been involved in software quality assurance, systems administration, network administration, and information security. Outside of his normal work schedule, Mike has also been involved with the SANS Institute as an instructor in the Digital Forensics and Incident Response program.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.