BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Malicious memory techniques on Windows and how to sp
 ot them\n   When: Friday\, Aug 12\, 11:45 - 12:45 PDT\n   Where: Virtual -
  BlueTeam Village - Talks\n\n   SpeakerBio:Connor Morley\n   Connor Morley
  is a senior security researcher at WithSecure. A keen\n   investigator of
  malicious TTPs\, he enjoys experimenting and\n   dissecting malicious tools
  to determine functionality and developing\n   detection methodology. As a
  researcher and part-time threat hunter he\n   is experienced with tr
 aditional and ‘in the wild’ malicious\n   actors’ behaviour.\n\n   D
 escription:\n   My presentation will cover malicious memory techniques whi
 ch will\n   focus on the Windows operating system. These will span from re
 latively\n   simple in-line hooking techniques used to jump to malicious c
 ode or\n   circumvent legitimate code execution\, all the way to manipulat
 ion of\n   exception handling mechanisms. The talk will also cover informa
 tion on\n   problematic situations which occur when designing detection me
 chanisms\n   for such activities in the real world where cost-balancing is
  required\n   for resource management.\n\n   I will explain in-line hookin
 g\, Kernel patching (InfinityHook\,\n   Ghost_in_the_logs)\, Heaven's Gate
  hooking and Vectored Exception Handler\n   (VEH) manipulation techniques (F
 ireWalker) and how they can be\n   detected. In-line hooking and Heaven's
  Gate hooking involve the\n   practice of manipulating the loaded memory of
  a module within a\n   specific process's memory space. Kernel Patching in
 volves injecting a\n   hook into the Kernel memory space in order to provi
 de a low level\,\n   high priority bypassing technique for malicious progr
 ams to circumvent\n   ETW log publication via vulnerable kernel driver ins
 tallation. VEH\n   manipulation is the use of the high priority frameless 
 exception\n   mechanism in order to circumvent memory integrity checks\, m
 anipulate\n   flow control and even run malicious shellcode. Detection for
  all these\n   techniques will involve advancing from the explanation of i
 ts\n   execution to the telemetry sources that can be leveraged for detect
 ion\n   purposes. In all cases this involves the examination of volatile\n
    memory. However\, as each technique targets a different native\n   funct
 ionality\, the mechanisms required to analyze the memory differ\n   greatl
 y. The deviations can be relatively simple\, but in some cases an\n   unde
 rstanding of undocumented mechanisms and structures is required to\n   eff
 ect detection capability.\n\n   Examination of un-tabled module function mo
 difications will also\n   provide insight into some of the difficulties in
 volved in this\n   detection development work. This section will provide t
 he audience\n   with a low level technical understanding of how these tech
 niques are\n   targeted\, developed and used by malicious actors and some 
 possible\n   solutions for detection\, with an explanation of the inherent
  caveats\n   in such solutions (primarily around resource availability or 
 accuracy\n   trade-offs).\n\n   A full explanation on devised detection me
 thodology and collectable\n   telemetry will be provided for each maliciou
 s technique. This will\n   cover the overall detection capabilities as wel
 l as exploring the low\n   level mechanisms used to collect this data from
  the monitored system\n   such as OP code heuristics and memory location a
 ttribution crossing\n   CPU mode boundaries. Included in this explanation 
 will be an\n   explanation on issues encountered with collection\, typical
 ly related\n   to OS architecture choices\, and how these can also be circ
 umvented to\n   enable effective monitoring.\n\n   Audience members should
  leave my presentation having a firm grasp on\n   the fundamentals of all 
 the techniques outlined and why attackers may\n   choose to employ them in
  different scenarios. Along with a functional\n   understanding of the mal
 icious technique\, the audience members will\n   also be supplied with a w
 orking understanding of detection options for\n   these techniques and cle
 ar examples of how monitoring can be deployed\n   and integrated into thei
 r solutions.\n\n   Malicious actors are always trying to find new ways to 
 avoid detection\n   by ever more vigilant EDR systems and deploy their payl
 oads. Over the\n   years\, the scope of techniques used has branched from 
 relatively\n   simplistic hash comparison and sandbox avoidance to low lev
 el log\n   dodging and even direct circumvention of EDR telemetry acquisit
 ion. By\n   examining some of the techniques used on Windows systems this 
 talk\n   will highlight the range of capabilities defensive
 \n   operators are dealing with\, how some can be detected and\, in rare\n
    cases\, the performance and false-positive obstacles in designing\n   d
 etection capability.\n\n   '\n\n
DTEND:20220812T194500Z
DTSTART:20220812T184500Z
LOCATION:BTV - Virtual - BlueTeam Village - Talks
SUMMARY:Malicious memory techniques on Windows and how to spot them
END:VEVENT
END:VCALENDAR
