Explore groundbreaking memory forensics techniques for detecting malware that evades Endpoint Detection and Response (EDR) systems in this DEF CON 32 conference presentation. Dive into the ongoing arms race between EDR software and malware developers, examining how attackers exploit system vulnerabilities for code injection, lateral movement, and credential theft at the lowest levels of hardware and software. Learn about innovative detection methods for various bypass techniques, including direct and indirect system calls, module overwriting, malicious exception handlers, and debug register abuse. Discover newly developed plugins for the Volatility memory analysis framework (version 3) that enhance the capability to identify sophisticated EDR evasion tactics used in high-profile attacks and by ransomware groups.