Recent malware attacks leverage PowerShell for post exploitation. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging.
Event logs continue to be the best source to centrally hunt malice in a Windows environment. Virtually all malware may be detected (including the latest PowerShell-fueled post-exploitation) via event logs, after making small tweaks to the logging configuration. DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.
DeepBlueCLI is an open source framework that automatically parses Windows event logs, either on Windows (PowerShell version) or now on ELK (Elasticsearch, Logstash and Kibana) running on Linux/Unix (Python version). ELK has revolutionized SIEMs, offering an open source alternative to expensive commercial solutions, and scaling to sizes many commercial SIEMs cannot reach.
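The following is an added illustration of the kind of check the abstract describes (it is not DeepBlueCLI's own code): it runs over constructed Security 4688 "Process Command Line" values, decodes any Base64 `-EncodedCommand` argument, and flags a few hidden-window and encoded-launch indicators. The regex, the token list and the sample command lines are assumptions made for this example.

```python
import base64
import binascii
import re

# Matches the -EncodedCommand switch and its short aliases (-e, -ec, -enc) followed
# by the Base64 blob. Case-insensitive because powershell.exe is; requiring
# whitespace after the switch keeps -ExecutionPolicy from matching.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Weak indicators worth surfacing in a hunt (assumed list; tune for your environment).
SUSPECT_TOKENS = ("downloadstring", "invoke-expression", "-w hidden",
                  "-windowstyle hidden", "-nop")


def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE); None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Return the findings for one 4688 'Process Command Line' value (empty if clean)."""
    findings = []
    lowered = cmdline.lower()
    match = ENCODED_RE.search(cmdline)
    if match:
        decoded = decode_encoded_command(match.group(1))
        findings.append("encoded command: " + (decoded if decoded is not None else "<undecodable>"))
        if decoded is not None:
            lowered += " " + decoded.lower()  # scan the decoded script too
    for token in SUSPECT_TOKENS:
        if token in lowered:
            findings.append("suspect token: " + token)
    return findings


def make_encoded_sample(script):
    """Build a -EncodedCommand argument the way PowerShell expects (for constructed samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real captures).
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -NoP -W Hidden -Enc " + make_encoded_sample("Invoke-Expression 'Get-Date'"),
]


def hunt(command_lines):
    """Map each command line that produced findings to its list of findings."""
    results = {}
    for cmdline in command_lines:
        findings = analyze_command_line(cmdline)
        if findings:
            results[cmdline] = findings
    return results
```

Feeding the values of a real `Get-WinEvent` or ELK query into `hunt()` in place of the constructed list gives the same output shape.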