In this talk you will be shown logging, consuming, and analyzing (on a small & large scale) WMI tracing logs, Windows Event Logs, PowerShell logs, Cuckoo malware sandbox Windows logs (to give yourself new ideas/hunts), and more. Everything shown is free (granted you have 1-2+ available Windows Licenses) and can be setup and deployed in less than a day (Zero 2 Hero). You will have a demonstration of immediate benefits for active/historical breach detection, sysadmin, helpdesk, and forensics for windows hosts. Demonstrations will also be shown for things, that would be a supplement to Sysmon, such as once an "entity" already has DomainAdmin creds ( ie: detecting https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ ). Slides and scripts will be released immediately after the presentation (git commit+push cronjob).

Nate - Utility man who, in his short 4 yr career in infosec, has worked on everything from engineering a 40Gbps+ Bro solution to incident response to database/SIEM implementation+design. Adam - Bio will fit in one line... a malware reverse engineer and incident responder.

Nate - @neu5ron , Adam - @acalarch

Back to Derbycon 2017 video list