Introduction to WHIDS an Open Source Endpoint Detection System for Windows
2019-10-24, 13:15–16:15, DieKirch-Echternach

WHIDS is one of the first open source endpoint detection solution for windows designed with fast Incident Response in mind. It comes with a powerful rule definition format known as Gene allowing one to achieve complex detection primitives. One of its strengths compared to other approaches is that it dumps artifacts (process, file, registry) based on the criticality of the events detected. This allows one to collect artifacts as close as possible of the alert generated. This approach reduces considerably the incident response process while putting the focus on artifact analysis automation.

The purpose of this workshop will be twofold. In the first place I will introduce the tool and the rule definition format (30 to 45 mins). In a second part some hands-on with the attendees will be made (the rest of the time). The first part of the hands-on will cover simple WHIDS deployment and tweaking. Then comes a realistic case study. In the first place we will study a technique (or a malware) common to everyone and walk through all the steps leading to the final rule creation. Then the attendees will study on their own a technique or malware sample of their choice and build the appropriate detection rule(s). In the last part we will discuss on the possible implementations in a production environment.


All the tools being used during the training will be open source or free tools. * Sysmon from Sysinternals * WHIDS * Gene * Public dataset of detection rules

All the necessary VMs (Linux + Windows) will be prepared in advance for the attendees to win time during the training.

Targetted Audiance

  • People who care about threat detection on Windows
  • Any Blue Team member