06-27, 17:10–18:10 (Europe/Vienna), Mittlerer Saal (Track 1)
In this talk, we walk through a real intrusion observed in an EDR-monitored enterprise environment. The case did not start with a major incident or a flood of alerts. It began with two ambiguous notifications in the Defender portal that the customer could not immediately classify. What looked like a minor signal turned into a live hunt: an operator attempting fileless execution, interacting with endpoint controls, trying to disable or bypass defenses, and carefully pivoting through the network.
Modern intrusions rarely fail because one alert says everything. They fail when small, imperfect traces are recognized early enough and correlated into a timeline the operator did not expect.
In this case, OSINT and TTP comparison helped us put the observed behavior into context. We found overlaps with previously reported activity dating back to 2022, showing which parts of the operator’s tradecraft remained stable and which had been adapted to the current defensive environment. This makes the case relevant now: the tooling changed, but the operational habits, decision points, and forensic residue remained recognizable. The focus is not attribution for its own sake, but understanding how recognizable patterns can support an active investigation.
We will show how the investigation moved through three decisive phases: identifying the initial execution pattern, separating real attacker activity from low-signal security telemetry, and reconstructing the operator’s movement from endpoint, identity, and network evidence. Along the way, we will discuss what the defender’s environment made possible, where visibility was missing, and why the attacker’s interaction with Defender became an investigative advantage rather than just a detection failure.
The focus is incident response depth: not attribution, not tool training, but the reconstruction of attacker behavior from imperfect telemetry. Attendees will see how current fileless and defense-evasion techniques can still produce useful traces, which log sources made the difference in this case, and how two initially unclear Defender for Endpoint notifications were turned into a defensible incident timeline.
Jonas has been working in cyber security for more than 15 years, specializing in incident response and the defense against advanced persistent threats. His experience spans firewall security, endpoint security, and digital forensics, with a strong focus on supporting organizations during critical security incidents. In his work, Jonas helps customers investigate complex intrusions, contain active threats, and turn technical findings into actionable decisions for crisis management. He regularly works at the intersection of technical analysis, organizational response, external advisors, and law enforcement. He is particularly interested in identifying and disrupting APT actors by combining forensic evidence, endpoint and network telemetry, and threat intelligence to understand attacker behavior and improve defensive strategies.