Join Chris Gerritz and Russ Morris—co-founders of Infocyte—for an in-depth presentation on cyber threat hunting in memory, at scale.
Overview:
- Background: Windows Internals
- Adversary Techniques: Hiding in Memory
- Memory Forensics (Threat Hunting in Live Memory)
- Live Memory Analysis at Scale
- Going Further Down the Rabbit Hole...
This presentation originally appeared at the Texas Cyber Summit in San Antonio. A full-length video of the presentation is available on YouTube, at: https://www.youtube.com/watch?v=5s4p1gz2Fho
5. Microsoft Windows Host
[Slide diagram: the layers of a Windows host and the anatomy of one process's memory]
- Host layers: Hardware, Firmware, OS Kernel (kernel-mode API, Drivers), user-mode API, Applications (Process 1, Process 2, Process 3); Volatile Memory versus Non-Volatile Storage (Disk, Registry).
- Process Memory (notepad.exe): Modules map to an image on disk (C:\windows\system32\notepad.exe, C:\windows\system32\kernel32.dll, User32.dll); CPU Threads; Handles (Handle 1 -> C:\asdf.txt); Stack; Heap; Connections; Environment; Data (RW); Injected Module (RWX or RX), which has no image on disk behind it.
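As an added illustration of the slide's distinction between a module backed by an image on disk and an injected module (RWX or RX) that is not, here is a Python check over constructed memory-region records; it is not the presenters' code or Infocyte's tooling, and the Region layout, the sample addresses and the find_unbacked_executable name are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Real winnt.h values; the record layout mirrors what a VirtualQueryEx walk plus
# GetMappedFileNameW would give for each region of a process (assumed shape).
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000


@dataclass
class Region:
    base: int
    size: int
    protect: int                 # PAGE_* protection of the region
    mem_type: int                # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE
    mapped_file: Optional[str]   # on-disk image the region maps to, if any


def find_unbacked_executable(regions: List[Region]) -> List[Tuple[int, int, str]]:
    """Return (base, size, label) for executable regions that do not map to an
    image on disk: the 'Injected Module (RWX or RX)' box on the slide."""
    findings = []
    for r in regions:
        if not r.protect & EXEC_MASK:
            continue                        # data, stack, heap: not executable
        if r.mem_type == MEM_IMAGE and r.mapped_file:
            continue                        # a loaded module backed by its file
        writable = bool(r.protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))
        findings.append((r.base, r.size, "RWX" if writable else "RX"))
    return findings


# Constructed sample: a notepad.exe-like process with two loaded modules, a heap,
# an RWX private region and an RX private region that have no backing file.
SAMPLE_REGIONS = [
    Region(0x7FF6_1000_0000, 0x30000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\windows\system32\notepad.exe"),
    Region(0x7FFB_2000_0000, 0xB0000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\windows\system32\kernel32.dll"),
    Region(0x0000_0190_0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None),           # heap
    Region(0x0000_01A0_0000, 0x5000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None),    # injected, RWX
    Region(0x0000_01B0_0000, 0x8000, PAGE_EXECUTE_READ, MEM_PRIVATE, None),         # injected, RX
]

if __name__ == "__main__":
    for base, size, label in find_unbacked_executable(SAMPLE_REGIONS):
        print(f"{label} region with no on-disk image at {base:#x} ({size:#x} bytes)")
```

On a live host the same logic runs over each process's region list; the two private executable regions are the ones worth pulling for further analysis.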