Soc Adventurez In TiETW
12-09, 13:55–14:40 (Europe/London), Track 3

A golden goose of Microsoft and a secret weapon in a defenders world... Yet what is it, and how does it work? How can we use it to detect evil when my EDR does not? This talk aims to look at the practical (ab)uses, drawbacks, and considerations presented within the Microsoft Threat Intelligence Event Tracing for Windows Log provider, contextualized to a SOC environment running on Microsoft's Defender for Endpoint.

The Windows Threat Intelligence Provider is a log provider used by Microsoft and EDR vendors as part of the Microsoft Virus Initiative, providing information on APIs that are known to be potentially abused for malicious behaviour such as during process injection. Unlike in user land, monitoring of these calls takes place in the kernel, preventing any old attacker from the usual routines of patching, unhooking, and going about their business without kernel tampering.

This talk has a heavy focus on using Microsoft Defender for Endpoint with additional toolsets and related telemetry to piece together logging data returned from Defender and the TiEtw Provider, comparing them, and then writing detections that beat out default EDR analysis and thresholds by putting the data directly in the hands of those who know the environment the best, the SOC.

There will be discussion on current drawbacks and issues with both provider and MDE implementations, including cat and mouse evasion mechanisms that could be employed.

A blue security person and aspiring maker and breaker of all the things, with interests from DFIR to DevOps. Currently architecting and implementing solutions to challenges in security operations and beyond for three years.