Botconf 2018 has ended
Thursday, December 6 • 11:10 - 11:50
Hunting and Detecting APTs using Sysmon and PowerShell Logging

Many security professionals and Blue Team members appreciate a good, detailed written APT report from a renowned security company. This is especially true if it documents and explains some new and stealthy technique that was used and was not yet well known to defenders.

One such technique is "WMI event subscription" for persistence, which has been used by APT29.
Another one is the "Logon Script" technique (the "UserInitMprLogonScript" registry value) used by APT28.
A third technique that is discussed very often is (ab-)using PowerShell and "living off the land" (LOL).
To go one step further, attackers use "unmanaged PowerShell" (e.g. via PowerPick) to evade command-line-based detection. But thanks to the PowerShell logging features available since version 5, even this can be detected.

I will discuss and show how to detect all of these techniques by using Sysmon data and PowerShell logging (with Splunk as a SIEM).
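As an added illustration of the three detections the abstract names (not the speaker's material or Splunk searches), the following Python runs simple rules over constructed Sysmon events: WMI subscription events (Sysmon 19/20/21), a registry value set on UserInitMprLogonScript (Sysmon 13), and a non-PowerShell host loading the PowerShell engine DLL (Sysmon 7), which is the image-load signature of unmanaged PowerShell. The sample events and their paths are constructed for the example; field names follow Sysmon's schema.

```python
"""Toy detector for the three persistence/evasion techniques over constructed
Sysmon events (added example, not the talk's own rules)."""
import re

# Constructed sample telemetry, simplified to the fields the rules need.
EVENTS = [
    {"Channel": "Sysmon", "EventID": 19, "Name": "Updater",
     "EventNamespace": "root\\subscription", "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"Channel": "Sysmon", "EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": "cmd.exe /c C:\\Temp\\update.bat"},
    {"Channel": "Sysmon", "EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"Channel": "Sysmon", "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\UserInitMprLogonScript",
     "Details": "C:\\Users\\Public\\logon.bat"},
    # Unmanaged PowerShell: the engine DLL loaded by a host that is not powershell.exe.
    {"Channel": "Sysmon", "EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management.Automation.ni.dll"},
    # Benign: the real PowerShell host loading the same DLL.
    {"Channel": "Sysmon", "EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"},
    # Script block logging still records content whatever the host was.
    {"Channel": "PowerShell", "EventID": 4104, "ScriptBlockText": "Get-Process | Out-Null"},
]

PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
PS_ENGINE = re.compile(r"system\.management\.automation(\.ni)?\.dll$", re.I)


def detect(events):
    """Return (technique, event_id, detail) tuples for events matching a rule."""
    alerts = []
    for e in events:
        if e.get("Channel") != "Sysmon":
            continue
        eid = e.get("EventID")
        if eid in (19, 20, 21):  # WMI filter / consumer / binding created
            alerts.append(("wmi_event_subscription", eid, e.get("Name") or e.get("Consumer")))
        elif eid == 13 and e.get("TargetObject", "").lower().endswith("\\environment\\userinitmprlogonscript"):
            alerts.append(("logon_script_persistence", eid, e.get("Details")))
        elif eid == 7 and PS_ENGINE.search(e.get("ImageLoaded", "")):
            host = e.get("Image", "").rsplit("\\", 1)[-1].lower()
            if host not in PS_HOSTS:  # engine loaded outside a known PowerShell host
                alerts.append(("unmanaged_powershell", eid, e.get("Image")))
    return alerts


if __name__ == "__main__":
    for technique, eid, detail in detect(EVENTS):
        print(f"{technique:26} Sysmon EID {eid:2}  {detail}")
```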

Thursday December 6, 2018 11:10 - 11:50 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France