Prevention eventually fails. Bypassing tools such as Windows Defender Antivirus may be challenging, but it can be done. What then? What's left? Command and control (C2) frameworks such as Cobalt Strike, Sliver, and Metasploit typically leave telltale signs of their presence. This talk will largely be demo-based, showing how to analyze Windows event logs (including Sysmon logs) to hunt for traces left behind by modern C2 frameworks.
Learn more about Continous Monitoring and Security Operations: www.sans.org/u/1vzW
About the Speaker
Eric Conrad, a SANS Faculty Fellow and course author of three popular SANS courses. He has over 28 years of information security experience , has created numerous tools and co-authored the CISSP Study Guide. Eric is the Chief Technology Officer (CTO) of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. He is a graduate of the SANS Technology Institute with a Master of Science degree in Information Security Engineering and also holds various industry certifications including the Certified Information Systems Security Professional (CISSP), GSE, GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC.