How to become a Windows Logging Ninja, presented at SAINTCON 2016

by Michael Gough

Summary: Logging is probably the least understood security tool, yet one of the most powerful security tools you can have in your arsenal. Logging may seem a daunting task because InfoSec and IT professionals do not have the resources to understand where to start, what to set and why.
Proper Windows logging is essential to defending our networks. Every DBIR report references it. Every Incident Response firm asks for the logs. Compliance wants you to do it. Retail breaches have shown why we need to improve it. This course focuses on Windows logging and what you need to enable, configure and harvest to successfully use logs to defend your network and find malicious activity, and even malware!
This course will walk through real APT attacks and commodity malware infections and how logging was used to detect the attack and what information it provided and why you should start doing it. The Windows Logging Cheat Sheet(s) will be used so you can enable and configure logging on your own systems in order to harvest the various security related logs.
Once logging is properly configured, we will execute malware and evaluate what the logs tell us. We will use what we have learned to find the remnants and artifacts of the infection. Various logging solutions will be discussed, with examples of the alerts you should be using and looking for. PowerShell is a new and growing area of exploitation, so PowerShell logging will be discussed so we can keep an eye on Dave, Carlos and HD ;-).
Attendees will receive a licensed copy of LOG-MD to audit their system and discover what needs to be enabled and configured. Scripts will be provided to enable and configure the system to speed things up; LOG-MD will then be used to harvest the logs and review the results of the hacking labs.