DeepSec 2025 Talk: Offensive SIEM: When the Blue Team Switches Perspective – Erkan Ekici & Shanti Lindström

Sanna / November 15, 2025 / Conference

Traditional SIEM solutions focus on detecting attacks—but what if we flipped the script? Instead of waiting for adversaries to act, defenders can use SIEM proactively to identify local privilege escalation risks before they’re exploited. By analyzing Sysmon and Windows event logs, blue teams can uncover hidden misconfigurations in services, scheduled tasks, DLL loads, and centralized application deployments that could allow an attacker to escalate privileges to SYSTEM. Sometimes, this approach might even reveal new CVEs lurking in your environment. This talk will showcase practical techniques for leveraging SIEM as an offensive discovery tool, helping defenders think like attackers to strengthen security from within.

We asked Erkan and Shanti a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  1. SIEM is usually reactive.
  2. It can be used proactively instead.
  3. Sysmon and Windows logs are in scope for this presentation, and they can reveal misconfigurations.
  4. Those misconfigurations can lead to SYSTEM-level escalation.
  5. This method may expose new CVEs.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

While doing security assessments, we often performed manual local enumeration on individual Windows clients. That gave us the idea to use SIEM-collected logs instead. With a SIEM, you can query the entire enterprise at once to identify misconfigurations and privilege escalation risks, instead of checking machines one by one.

Why do you think this is an important topic?

After gaining an initial foothold, attackers often need to escalate privileges in order to dump credentials, disable security protections, and move further inside the network. Understanding and detecting these escalation paths is critical for defense.

Is there something you want everybody to know – some good advice for our readers, maybe?

The talk will showcase example queries for identifying privilege escalation risks, but the mindset behind it is useful far beyond that. We want to encourage people to use SIEM logs proactively—not just for incident response, but to uncover misconfigurations and vulnerabilities before attackers do.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

AI is definitely the hot topic, and it’s a real game changer. It will make attackers more effective, but it will also make defenders stronger—if we learn to use it wisely. The key is to adopt it where it gives us an advantage, instead of falling behind.


Erkan Ekici
Cybersecurity Professional | Blue Team Specialist | Police officer
Since childhood, I dreamed of becoming either a police officer or a hacker. I chose law enforcement, developing investigative skills that now fuel my cybersecurity career. Specializing in Windows client security, I conduct security assessments and security research, enhance defenses, handle incident response, and protect against other threats.


Shanti Lindström
Veteran cybersecurity professional with 17 years of experience. Started with 8 years in offensive security, discovering multiple Microsoft vulnerabilities that earned official CVEs. Leveraged this offensive mindset to transition into 9 years of defensive security work. This unique career progression provides exceptional insight into both attacker techniques and defensive strategies, creating a comprehensive security perspective few professionals possess.
