A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Tracing Adversaries: Detecting Attacks with ETW - Matt Hastings & Dave Hull Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Tracing Adversaries: Detecting Attacks with ETW
Matt Hastings & Dave Hull
Derbycon 2017

Event Tracing for Windows (ETW) is a powerful debugging and system telemetry feature that's been available since Windows 2000, but greatly expanded in recent years. Modern versions of Windows offer hundreds of ETW providers that are a veritable treasure trove of forensic data. This talk will take a fresh look at operationalizing ETW to combat contemporary intrusion methodologies and tradecraft. We'll walk through real world examples, covering both common malware behaviors and stealthy attacks that "live off the land", and demonstrate how to effectively utilize key ETW providers to detect and respond to these techniques.

First inspired by David Lightman, Dave Hull has been working with computers for most of his life. Professionally, he's been chasing hackers for more than a decade. He's an engineer at Tanium, writing code to extend and enhance the IR capabilities of the platform. Prior to Tanium, he was the technical lead for IR in Microsoft's Office 365. He contributes to open source projects and has created a number of open source IR tools including Kansa, a modular framework for IR written in PowerShell. Hull has presented at a number of security conferences including SecTOR, the SANS DFIR Summit, SecKC and BSides. Matt Hastings has been the majority of his career in varies incident response roles. Currently he is a director at Tanium, responsible for their Endpoint Detection and Response products. Previously, Matt worked as a consultant doing anything people would pay money for, but mostly that included enterprise-wide incident response, financial crime investigations and penetration testing. Matt has previously presented at other industry conferences such as: Black Hat, Defcon, BSides, and BruCon.

Matt - @_mhastings_ & Dave - @davehull

Back to Derbycon 2017 video list

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast