Effectively Detecting Modern Code Injection Techniques with Volatility 3 | Andrew Case (video uploaded to YouTube; available here to watch or download in the best available quality)
🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/
🔗 Register for Infosec Webcasts, Anti-casts & Summits – https://poweredbybhis.com

In this talk, attendees will be shown how to use Volatility 3, the latest version of the most widely used open-source memory forensics framework, to detect the methods that modern, stealthy malware uses to inject code, such as process hollowing, process ghosting, module stomping, and their many variants, which are used to bypass scanners that rely on outdated detections.

Timestamps:
00:00 - Welcome, intro
00:50 - Brand new Plug-Ins!
01:06 - Volatility 3 Overview
02:39 - Volatility 2 will be phased out in April, 2025
03:15 - Why memory forensics?
05:46 - CISA Emergency Directive demands it
07:23 - VAD and tracking malware in memory
08:01 - vadinfo plugin results
10:34 - DLLs
11:29 - DLL load times
12:35 - LSASS DLLs after mimikatz
13:37 - Timeline examination of DLL loading
15:38 - Traditional Injection Techniques artifacts
16:50 - malfind Detecting Shellcode
17:22 - Reflective DLL injection
19:30 - Process hollowing
22:07 - Filtering in volatility 3!
24:05 - hollowprocesses plugin
27:01 - Detecting malware with no executable memory allocation
30:57 - Summary, so far…
34:16 - Overwritten PE Headers thwarted by examining threads
36:12 - Suspicious threads plugin
39:38 - Process Ghosting and Transaction Tampering
42:51 - Transacted hollowing
45:02 - Conclusions
45:55 - Q&A - Does unmapping LSASS make the OS unstable?
47:25 - A - Volatility 3 looks for violations of system state

///Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: https://infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord

///Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.mysh...

///Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/ser...
Penetration Testing: https://www.blackhillsinfosec.com/ser...
Incident Response: https://www.blackhillsinfosec.com/ser...

///Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/

///Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pa...
Live Training: https://www.antisyphontraining.com/co...
On Demand Training: https://www.antisyphontraining.com/on...
Antisyphon Discord: / discord
Antisyphon Mastodon: https://infosec.exchange/@Antisy_Trai...

///Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: / wildwesthackinfest
Antisyphon Training YouTube: / antisyphontraining
Active Countermeasures YouTube: / activecountermeasures
Threat Hunter Community Discord: / discord

Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/