Explore techniques for detecting memory resident malware in this 27-minute conference talk from Derbycon 7. Learn about the importance of memory hunting, attacker techniques, and post-breach detection methods. Discover how to use .NET reflection for malware detection, including a demonstration of running a detection script. Examine the challenges of CLR hooking and gain insights from Microsoft Threat Intelligence. Conclude with a Q&A session to deepen your understanding of memory-based malware detection strategies.
Overview
Syllabus
Intro
Overview
Why is memory hunting important
Attacker techniques
API
Post Breach Detection
Dotnet Reflection
Dotnet Reflection Script
Running the Script
Venting Sources
Microsoft Threat Intelligence
The Problem
CLR Hook
Conclusion
Questions
Related Courses
-
Cyber Threat Hunting and DFIR - Understanding Malware Attack Steps
-
Powershell-Fu - Hunting on the Endpoint
-
The Marriage of Threat Intelligence and Incident Response or Threat Hunting for the Rest of Us
-
Mem2Img - Memory-Resident Malware Detection via Convolution Neural Network
-
Hunting Evil - Threat Intelligence and Malware Analysis Techniques
