Many analysts rely on Windows Event Logs to gain context on attacker activity on a system, with log entries serving as the correlative glue between other artifacts. But what happens when attackers find ways to remove those logs, or worse, stop them from being written at all? We must adapt!
In this @Night, we'll examine techniques attackers use to subvert Windows Event Logging. We'll discuss how defenders can detect these techniques and catch attackers before they can cause too much harm. Lastly, we'll look at steps your organization can take to preserve these important artifacts in the event your attacker(s) want to remove them from the environment.