#EMET Log Mining
Purpose: Identify potential 0-day exploits by looking for things blocked by EMET
Data Required: Windows Application Event logs (which contain EMET logs)
Window's Enhanced Mitigation Experience Toolkit (EMET) is a set of technologies that monitor for and block certain conditions that commonly arise as the result of common exploit patterns. It's commonly used on endpoints (but is also available on servers).
The idea here is to examine the EMET logs to find things that it has blocked (processes it has killed before they could become dangerous). These may be simple bugs in legit applications, or they could be indications of exploit attempts.
It's not clear what actual analysis techniques might be useful here yet, short of simply examining every EMET log individually. Need more research on this one.
- Intrusion Hunting for the Masses, David Sharpe (HackMiami 2016)