“How do I detect technique X in Windows?” Applied Methodology to Definitively Answer this Question

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 6, 2019, 2 p.m. (45 minutes).

Traditionally, the answer to this question has been to execute an attack technique in a controlled environment and to observe relevant events that surface. While this approach may suffice in some cases, ask yourself the following questions: “Will this scale? Will this detect current/future variants of the technique? Is this resilient to bypass?” If your confidence level in answering these questions is not high, it’s time to consider a more mature methodology for identifying detection data sources. With a little bit of reverse engineering, a defender can unlock a multitude of otherwise unknown telemetry. This talk will establish a methodology for identifying detection data sources and will cover concepts including Event Tracing for Windows, WPP, TraceLogging, and security product analysis.


Presenters:

  • Matt Graeber
    Matt Graeber, a researcher at SpecterOps is an attacker and vulnerability researcher at heart who has fully embraced detection engineering as a discipline not only to improve the state of security but to also enable continuous offensive maturity. Matt is a naive security optimist who believes that the future of security is bright. He also spends much of his time pondering the concept of trust, how it applies to Infosec, and how automation can be applied to a mature definition of it. Lastly, Matt enjoys giving and receiving warm, welcoming hugs.

Links:

Similar Presentations: