Tracing Adversaries: Detecting Attacks with ETW - Matt Hastings & Dave Hull Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)


Event Tracing for Windows (ETW) is a powerful debugging and system telemetry feature that's been available since Windows 2000, but greatly expanded in recent years. Modern versions of Windows offer hundreds of ETW providers that are a veritable treasure trove of forensic data. This talk will take a fresh look at operationalizing ETW to combat contemporary intrusion methodologies and tradecraft. We'll walk through real world examples, covering both common malware behaviors and stealthy attacks that "live off the land", and demonstrate how to effectively utilize key ETW providers to detect and respond to these techniques.

First inspired by David Lightman, Dave Hull has been working with computers for most of his life. Professionally, he has been chasing hackers for more than a decade. He is an engineer at Tanium, writing code to extend and enhance the IR capabilities of the platform. Prior to Tanium, he was the technical lead for IR in Microsoft's Office 365. He contributes to open source projects and has created a number of open source IR tools, including Kansa, a modular framework for IR written in PowerShell. Hull has presented at a number of security conferences, including SecTOR, the SANS DFIR Summit, SecKC and BSides.

Matt Hastings has spent the majority of his career in various incident response roles. Currently, he is a director at Tanium, responsible for their Endpoint Detection and Response products. Previously, Matt worked as a consultant doing anything people would pay money for, but mostly that included enterprise-wide incident response, financial crime investigations and penetration testing. Matt has previously presented at other industry conferences such as Black Hat, Defcon, BSides, and BruCon.

Matt - @_mhastings_ & Dave - @davehull

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast