BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Defeating EDR Evading Malware with Memory Forensics\
 n   When: Friday\, Aug 9\, 13:00 - 13:45 PDT\n   Where: LVCC West/Floor 1/
 Hall 1/Track 4 - [1]Map\n\n   Description:\n\n   Endpoint detection and re
 sponse (EDR) software has gained significant\n   market share due to its a
 bility to examine system state for signs of\n   malware and attacker activ
 ity well beyond what traditional anti-virus\n   software is capable of det
 ecting. This deep inspection capability of\n   EDRs has led to an arms rac
 e with malware developers who want to evade\n   EDRs while still achieving
  desired goals\, such as code injection\,\n   lateral movement\, and crede
 ntial theft. This monitoring and evasion\n   occurs in the lowest levels o
 f hardware and software\, including call\n   stack frames\, exception hand
 lers\, system calls\, and manipulation of\n   native instructions. Given t
 his reality\, EDRs are limited in how much\n   lower they can operate to m
 aintain an advantage. The success of EDR\n   bypasses has led to their use
  in many high-profile attacks and by\n   prolific ransomware groups.\n\n  
  In this talk\, we discuss our research effort that led to the\n   develop
 ment of new memory forensics techniques for the detection of\n   the bypas
 ses that malware uses to evade EDRs. This includes bypass\n   techniques\,
  such as direct and indirect system calls\, module\n   overwriting\, malic
 ious exceptions handlers\, and abuse of debug\n   registers. Our developed
  capabilities were created as new plugins to\n   the Volatility memory ana
 lysis framework\, version 3\, and will be\n   released after the talk.\n\n
      1. “Operation Dragon Castling: APT group targeting betting\n       
 companies\,” [2]link\, 2023.\n\n     2. “Defeating Guloader Anti-Analy
 sis Technique\,” [3]link\, 2023.\n\n     3. “A Deep Dive Into ALPHV/Bl
 ackCat Ransomware\,” [4]link\, 2024.\n\n     4. “APT Operation Skeleto
 n Key\,” [5]link\, 2023.\n\n     5. “LockBit Ransomware Side-loads Cob
 alt Strike Beacon with\n       Legitimate VMware Utility\,” [6]link\, 20
 24\n\n     6. “BlueBravo Uses Ambassador Lure to Deploy\,” [7]link\
 , 2024.\n\n     7. “UNMASKING THE DARK ART OF VECTORED EXCEPTION HANDLIN
 G:\n       BYPASSING XDR AND EDR IN THE EVOLVING CYBER THREAT LANDSCAPE\,
 \n       [8]link\, 2023.\n\n     8. “Dirty Vanity: A New Approach to C
 ode injection & EDR\n       by-pass\,” [9]link\, 2022.\n\n     9. Volexi
 ty\, “Surge Collect Pro\,” [10]link\, 2022.\n\n     10. “capstone\,”
  [11]link\, 2024.\n\n     11. “Silencing cylance: A case study in mode
 rn edrs\,” [12]link\,\n       2019.\n\n     12. “Av/edr evasion — ma
 lware development p — 3\,” [13]link\,\n       2023.\n\n     13. “A p
 ractical guide to bypassing userland api hooking\,” [14]link\,\n       2
 022.\n\n     14. A. Case\, A. Ali-Gombe\, M. Sun\, R. Maggio\, M. Firoz-Ul
 -Amin\, M.\n       Jalalzai\, and G. G. R. III\, “HookTracer: A System f
 or Automated\n       and Accessible API Hooks Analysis\,” Proceedings of
  the 18th\n       Annual Digital Forensics Research Conference (DFRWS)\, 2
 019.\n\n     15. F. Block\, “Windows memory forensics: Identification of
 \n       (malicious) modifications in memory-mapped image files\,”\n    
    Forensic Science International: Digital Investigation\, 2023.\n       (
 Online). Available: [15]link\n\n     16. F. Block and A. Dewald\, “Windo
 ws memory forensics: Detecting\n       (un)intentionally hidden injected c
 ode by examining page table\n       entries\,” Digital Investigation\, v
 ol. 29\, pp. S3–S12\, 07 2019.\n\n     17. “CCob\,” [16]link\, 2024.
 \n\n     18. “Lets Create An EDR. . . And Bypass It! Part 1\,” [17]lin
 k\,\n       2020.\n\n     19. “r77 rootkit\,” [18]link\, 2024.\n\n    
 20. “Deep Vanity\,” [19]link\, 2022.\n\n     21. “Peruns-Fart\,”
  [20]link\, 2023.\n\n     22. “FREEZE – A PAYLOAD TOOLKIT FOR BYPASS
 ING EDRS USING\n       SUSPENDED PROCESSES\,” [21]link\, 2023.\n\n     2
 3. “Process Cloning\,” [22]link\, 2023.\n\n     24. “APT Group Chime
 ra\,” [23]link\, 2022.\n\n     25. “Red Team Tactics: Combining Direct
  System Calls and sRDI to\n       bypass AV/EDR\,” [24]link\, 2019.\n\n 
     26. “Hell’s Gate\,” [25]link\, 2020.\n\n     27. “Halo’s Gat
 e\,” [26]link\, 2021.\n\n     28. “Tartarus Gate\,” [27]link\, 2021.
 \n\n     29. “Bypassing User-Mode Hooks and Direct Invocation of System\
 n       Calls for Red Teams\,” [28]link\, 2020.\n\n     30. “SysWhispe
 rs2\,” [29]link\, 2022.\n\n     31. “An Introduction into Stack Spoofi
 ng\,” [30]link\, 2023.\n\n     32. “SilentMoonwalk: Implementing a dyn
 amic Call Stack Spoofer\,”\n       [31]link\, 2022.\n\n     33. “Spoof
 ing Call Stacks To Confuse EDRs\,” [32]link\, 2022.\n\n     34. “Behin
 d the Mask: Spoofing Call Stacks Dynamically with\n       Timers\,” [33]
 link\, 2022.\n\n     35. “HellHall\,” [34]link\, 2023.\n\n     36. [35
 ]link\, 2008.\n\n     37. “Defeating Guloader Anti-Analysis Technique\,
 ” [36]link\,\n       2022.\n\n     38. “GULoader Campaigns: A Deep Di
 ve Analysis of a highly evasive\n       Shellcode based loader\,” [37]li
 nk\, 2023.\n\n     39. “Gh0stRat Anti-Debugging : Nested SEH (try - catc
 h) to Decrypt\n       and Load its Payload\,” [38]link\, 2021.\n\n     4
 0. “Syscalls via Vectored Exception Handling\,” [39]link\, 2024.\n\n  
    41. “Bypassing AV/EDR Hooks via Vectored Syscall - POC\,” [40]link\
 ,\n       2022.\n\n     42. “MutationGate\,” [41]link\, 2024.\n\n     
 43. Cymulate Research\, “BlindSide\,” [42]link\, 2023.\n\n     44. “
 In-Process Patchless AMSI Bypass\,” [43]link\, 2022.\n\n     45. “Patc
 hlessCLR\,” [44]link\, 2022.\n\n     46. “Dumping the VEH in Windows 1
 0\,” [45]link\, 2020.\n\n     47. “Detecting anomalous Vectored Except
 ion Handlers on\n       Windows\,” [46]link\, 2022.\n\n     48. “SetUn
 handledExceptionFilter\,” [47]link\, 2024.\n\n   Speakers:Andrew Case\,A
 ustin Sellers\,Golden Richard\,David\n   McDonald\,Gustavo Moreira\n\n   S
 peakerBio:  Andrew Case\, Director of Research at Volexity\n\n   Andrew Ca
 se is the Director of Research at Volexity and has\n   significant experie
 nce in incident response handling and malware\n   analysis. He has conduct
 ed numerous large-scale investigations that\n   span enterprises and indus
 tries. Case is a core developer of the\n   Volatility memory analysis fram
 ework\, and a co-author of the highly\n   popular and technical forensics 
 analysis book "The Art of Memory\n   Forensics: Detecting Malware and Thre
 ats in Windows\, Linux\, and Mac\n   Memory."\n\n   SpeakerBio:  Austin Se
 llers\, Detection Engineer at Volexity\n\n   Austin Sellers is a Detection
  Engineer at Volexity where he focuses on\n   automating large scale memor
 y analysis and threat detection\n   techniques. He has significant experie
 nce in developing memory\n   analysis datasets that allow for automated ve
 rification and testing of\n   kernel and userland memory forensics techniq
 ues.\n\n   SpeakerBio:  Golden Richard\, Professor of Computer Science and
 \n   Engineering and Associate Director for Cybersecurity at Center for\n 
   Computation and Technology (CCT) at LSU\n\n   Golden G. Richard III is a
  cybersecurity researcher and teacher and a\n   Fellow of the American Aca
 demy of Forensic Sciences. He has over 40\n   years of practical experienc
 e in computer systems and computer\n   security and is a devoted advocate 
 for applied cybersecurity\n   education. He is currently Professor of Comp
 uter Science and\n   Engineering and Associate Director for Cybersecurity 
 at the Center for\n   Computation and Technology (CCT) at LSU. He also sup
 ports NSA's CAE-CO\n   internship program\, teaching memory forensics\, vu
 lnerability analysis\,\n   and other topics to cleared interns. His primar
 y research interests\n   are memory forensics\, digital forensics\, malwar
 e analysis\, reverse\n   engineering\, and operating systems. Dr. Richard 
 earned his BS in\n   Computer Science from the University of New Orleans a
 nd MS and PhD in\n   Computer Science from The Ohio State University.\n\n 
   SpeakerBio:  David McDonald\, Volcano team at Volexity\n\n   David McDon
 ald is a researcher and software engineer with 3 years of\n   digital fore
 nsics R&D experience. His passion for this field began\n   with his involv
 ement in the University of New Orleans CTF team\, as\n   well as through h
 is time as a Systems Programming teaching assistant.\n   After over two ye
 ars of digital forensics research and development on\n   Cellebrite's comp
 uter forensics team\, he joined Volexity's Volcano\n   team\, where he now
  works to develop next-generation memory analysis\n   solutions.\n\n   Spe
 akerBio:  Gustavo Moreira\, Senior Security Engineer at Volexity\n\n   Gus
 tavo Moreira is a Senior Security Engineer at Volexity. He has\n   signifi
 cant experience in reverse engineering\, incident response\n   handling\, 
 embedded systems development and security\, Windows and Linux\n   internal
 s\, and automation of large scale malware analysis.\n\n   '\n\n   1. #LVCC
 W_Level1_Hall1\n   2. https://cymulate.com/threats/operation-dragon-castli
 ng-apt-group-targeting-betting-companies/\n   3. https://unit42.paloaltone
 tworks.com/guloader-variant-anti-analysis/\n   4. https://securityscorecar
 d.com/research/deep-dive-into-alphv-blackcat-ransomware/\n   5. https://cy
 craft.com/download/CyCraft-Whitepaper-Chimera%20V4.1.pdf\n   6. https://ww
 w.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-
 with-legitimate-vmware-utility/\n   7. https://go.recordedfuture.com/hubfs
 /reports/cta-2023-0127.pdf\n   8. https://blackhatmea.com/session/unmaskin
 g-dark-art-vectored-exception-handling-bypassing-xdr-and-edr-evolving-cybe
 r-threat\n   9. https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Niss
 an-DirtyVanity.pdf\n   10. https://www.volexity.com/products-overview/surg
 e/\n   11. https://www.capstone-engine.org/\n   12. https://www.mdsec.co.u
 k/2019/03/silencing-cylance-a-case-study-in-modern-edrs/\n   13. https://m
 edium.com/@0xHossam/unhooking-memory-object-hiding-3229b75618f7\n   14. ht
 tps://www.advania.co.uk/insights/blog/a-practical-guide-to-bypassing-userl
 and-api-hooking/\n   15. https://www.sciencedirect.com/science/article/pii
 /S2666281723000707\n   16. https://github.com/CCob/SylantStrike/tree/maste
 r\n   17. https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypas
 s-it-part-1/\n   18. https://github.com/bytecode77/r77-rootkit/\n   19. ht
 tps://github.com/deepinstinct/Dirty-Vanity\n   20. https://github.com/plac
 kyhacker/Peruns-Fart/\n   21. https://www.hawk-eye.io/2023/06/freeze-a-pay
 load-toolkit-for-bypassing-edrs-using-suspended-processes/\n   22. https:/
 /github.com/huntandhackett/process-cloning\n   23. https://cycraft.com/dow
 nload/CyCraft-Whitepaper-Chimera%20V4.1.pdf\n   24. https://www.outflank.n
 l/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-
 to-bypass-av-edr/\n   25. https://github.com/am0nsec/HellsGate/blob/master
 /hells-gate.pdf\n   26. https://blog.sektor7.net/#!res/2021/halosgate.md\n
    27. https://trickster0.github.io/posts/Halo’s-Gate-Evolves-to-Tartaru
 s-Gate/\n   28. https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-
 and-direct-invocation-of-system-calls-for-red-teams/\n   29. https://githu
 b.com/jthuraisamy/SysWhispers2\n   30. https://dtsec.us/2023-09-15-StackSp
 oofin/\n   31. https://klezvirus.github.io/RedTeaming/AV%20Evasion/StackSp
 oofing/\n   32. https://labs.withsecure.com/publications/spoofing-call-sta
 cks-to-confuse-edrs\n   33. https://www.cobaltstrike.com/blog/behind-the-m
 ask-spoofing-call-stacks-dynamically-with-timers\n   34. https://github.co
 m/Maldev-Academy/HellHall\n   35. http://phrack.org/issues/65/8.html#artic
 le\n   36. https://unit42.paloaltonetworks.com/guloader-variant-anti-analy
 sis/\n   37. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader
 -campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader
 /\n   38. https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-ne
 sted-seh-try.html\n   39. https://redops.at/en/blog/syscalls-via-vectored-
 exception-handling\n   40. https://cyberwarfare.live/bypassing-av-edr-hook
 s-via-vectored-syscall-poc/\n   41. https://github.com/senzee1984/Mutation
 Gate/tree/main\n   42. https://github.com/CymulateResearch/Blindside/blob/
 main/Blindside/Blindside.cpp#L31\n   43. https://ethicalchaos.dev/2022/04/
 17/in-process-patchless-amsi-bypass/\n   44. https://github.com/VoldeSec/P
 atchlessCLRLoader/tree/main\n   45. https://dimitrifourny.github.io/2020/0
 6/11/dumping-veh-win10.html\n   46. https://research.nccgroup.com/2022/03/
 01/detecting-anomalous-vectored-exception-handlers-on-windows/\n   47. htt
 ps://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhand
 lingapi-setunhandledexceptionfilter\n\n\n
DTEND:20240809T204500Z
DTSTART:20240809T200000Z
LOCATION:DC - LVCC West/Floor 1/Hall 1/Track 4
SUMMARY:Defeating EDR Evading Malware with Memory Forensics
END:VEVENT
END:VCALENDAR
