Hunting for APT in network logs
2021-09-02, 10:00–13:00, Workshops

Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.

The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.

Netflow Mitre Matrix view
Full packet captures vs Netflow
Zeek packages
RDP initial comprometation
Empire Powershell and CobaltStrike or what to expect after initial loader execution.
Empire powershell initial connection
Beaconing. RITA
Scanning detection
Internal enumeration detection

Lateral movement techniques widely used
Kerberos attacks
PSExec and fileless ways of delivering payloads in the network
Zerologon detection

Data exfiltration
Data exfiltration over C2 channel
Data exfiltration using time size limits (data chunks)
DNS exfiltration

Detecting ransomware in your network

Real incident investigation

4 years experience as a full time IT-Security Analyst I am currently responsible for malicious software analysis, forensics, incident response, Security Product researches and development.

Speaker at:
- OWASP Ukraine 2018: Security issues with Chrome extensions on practical use cases.
- DC38032 Lviv 2019: MacOS forensics and anti forensics (tips and tricks)
- Lviv Polytechnic National University training: Windows Persistence mechanisms

  • Security researcher for last 5 years
  • Started my career as penetration tester at UnderDefense
  • Malware analyst in the past
  • Splunk enthusiast
  • Maintaining blog about Threat hunting and Malware Analysis in my free time (
This speaker also appears in: