Many analysts rely on Windows Event Logs to help gain context of attacker activity on a system, with log entries serving as the correlative glue between additional artifacts, but what happens when the attackers find ways to remove the logs, or worse, stop the logs from writing? We must find a way to adapt.
In part 2 of this series, SANS instructor and incident responder Matt Bromiley will discuss techniques to identify lateral movement when Windows Event Logs are not present. Sometimes logs roll without preservation, and sometimes attackers remove them from infected systems. Despite this, there are still multiple artifacts we can rely on to identify where our attackers came from, and where they went.