DeepSec 2025 Talk: Offensive SIEM: When the Blue Team Switches Perspective – Erkan Ekici & Shanti Lindström
Traditional SIEM solutions focus on detecting attacks, but what if we flipped the script? Instead of waiting for adversaries to act, defenders can use SIEM proactively to identify local privilege escalation risks before they are exploited. By analyzing Sysmon and Windows event logs, blue teams can uncover hidden misconfigurations in services, scheduled tasks, DLL loads, and centralized application deployments that could allow an attacker to escalate privileges to SYSTEM. Sometimes this approach might even reveal new CVEs lurking in your environment. This talk will showcase practical techniques for leveraging SIEM as an offensive discovery tool, helping defenders think like attackers to strengthen security from within.

We asked Erkan and Shanti a few more questions about their talk.

Please tell us the top 5 facts about your talk.

SIEM is usually reactive. It can be used proactively
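The kind of log-driven discovery the abstract describes, shown as an added example that is not part of the talk or of this post: a small Python hunt over a handful of constructed Sysmon and Windows Security events. It flags three classic local privilege escalation conditions that SIEM data exposes without touching the endpoint: a SYSTEM process loading a DLL from a user-writable directory (Sysmon Event ID 7, DLL hijack candidate), a service installed with an unquoted binary path containing spaces or a binary living in a user-writable directory (Security 4697), and a scheduled task that runs as SYSTEM but executes something from a user-writable path (Security 4698). It assumes the SIEM has normalized events into flat dictionaries keyed by the Windows field names (Image, ImageLoaded, User, ServiceName, ServiceFileName, TaskName, TaskContent); the list of user-writable prefixes and the account names are assumptions for default ACLs, and the sample events are constructed, not real telemetry.

```python
"""Hunt Sysmon / Windows Security events for local privilege escalation candidates.

Added example. Events are constructed; field names follow the Windows event
schema, but the flat-dict layout and the writable-path list are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Identities that mean "runs as SYSTEM" (assumption: SIEM keeps either SID or name).
SYSTEM_ACCOUNTS = {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "LocalSystem", "SYSTEM"}

# Directories a standard user can normally write to under default ACLs (assumption;
# a hit is only a candidate until confirmed with icacls on the actual host).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    """Case-insensitive prefix match after stripping a leading quote."""
    return path.strip().lstrip('"').lower().startswith(USER_WRITABLE_PREFIXES)


def unquoted_service_path(service_file_name: str) -> bool:
    """Classic unquoted-service-path check: no leading quote and a space inside
    the executable portion (everything up to the first .exe)."""
    s = service_file_name.strip()
    if s.startswith('"'):
        return False
    m = re.match(r"(.*?\.exe)", s, re.IGNORECASE)
    exe = m.group(1) if m else s
    return " " in exe


def task_lpe_candidate(task_xml: str):
    """Return the command of a task that runs as SYSTEM from a user-writable path."""
    root = ET.fromstring(task_xml)
    # {*} ignores the Task Scheduler XML namespace (Python 3.8+).
    user = root.findtext(".//{*}Principal/{*}UserId") or ""
    cmd = root.findtext(".//{*}Exec/{*}Command") or ""
    if user in SYSTEM_ACCOUNTS and is_user_writable(cmd):
        return cmd
    return None


def hunt(events):
    """Walk normalized events and emit (check, subject, evidence) tuples."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 7:  # Sysmon ImageLoaded: SYSTEM process pulling a DLL from user space
            if ev.get("User") in SYSTEM_ACCOUNTS and is_user_writable(ev["ImageLoaded"]):
                findings.append(("dll_load_from_user_writable", ev["Image"], ev["ImageLoaded"]))
        elif eid == 4697:  # Security: a service was installed
            path = ev["ServiceFileName"]
            if unquoted_service_path(path):
                findings.append(("unquoted_service_path", ev["ServiceName"], path))
            if is_user_writable(path):
                findings.append(("service_binary_user_writable", ev["ServiceName"], path))
        elif eid == 4698:  # Security: a scheduled task was created
            cmd = task_lpe_candidate(ev["TaskContent"])
            if cmd:
                findings.append(("system_task_user_writable", ev["TaskName"], cmd))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Acme\\agent.exe",
     "ImageLoaded": "C:\\ProgramData\\Acme\\plugins\\helper.dll",
     "Signed": "false", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "Signed": "true", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Foo\\foo.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Foo\\bar.dll",
     "Signed": "false", "User": "CORP\\alice"},  # user context: not an escalation
    {"EventID": 4697, "ServiceName": "AcmeUpdater",
     "ServiceFileName": "C:\\Program Files\\Acme Agent\\updater.exe"},
    {"EventID": 4697, "ServiceName": "AcmeCore",
     "ServiceFileName": "\"C:\\Program Files\\Acme\\svc.exe\" -run"},
    {"EventID": 4698, "TaskName": "\\Acme\\Cleanup", "TaskContent": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\ProgramData\Acme\cleanup.bat</Command></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for check, subject, evidence in hunt(SAMPLE_EVENTS):
        print(f"{check:32} {subject:40} {evidence}")
```

On the constructed input the hunt returns three findings (the SYSTEM DLL load from ProgramData, the unquoted AcmeUpdater path, and the SYSTEM task running a script from ProgramData) and stays quiet on the ntdll.dll load, the user-context DLL load and the correctly quoted service. Two practical caveats: Sysmon only emits Event ID 7 for image loads that the configuration includes, so the DLL check is only as good as the Sysmon rule set, and a path under a "user-writable" prefix is a candidate until icacls on the host confirms that unprivileged users can actually write there.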
