Effectively Detecting Modern Code Injection Techniques with Volatility 3 | Andrew Case
Author: Wild West Hackin' Fest
Uploaded: 2025-04-02
Views: 762
🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/
🔗 Register for Infosec Webcasts, Anti-casts & Summits. – https://poweredbybhis.com
In this talk, attendees will be shown how to use Volatility 3, the latest version of the most widely used open-source memory forensics framework, to detect the methods that modern, stealthy malware uses to inject code, such as process hollowing, process ghosting, module stomping, and their many variants, which are designed to bypass scanners that rely on outdated detections.
00:00 - Welcome, intro
00:50 - Brand new Plug-Ins!
01:06 - Volatility 3 Overview
02:39 - Volatility 2 will be phased out in April 2025
03:15 - Why memory forensics?
05:46 - CISA Emergency Directive demands it
07:23 - VAD and tracking malware in memory
08:01 - vadinfo plugin results
10:34 - DLLs
11:29 - DLL load times
12:35 - LSASS DLLs after mimikatz
13:37 - Timeline examination of DLL loading
15:38 - Traditional Injection Techniques artifacts
16:50 - malfind Detecting Shellcode
17:22 - Reflective DLL injection
19:30 - Process hollowing
22:07 - Filtering in volatility 3!
24:05 - hollowprocesses plugin
27:01 - Detecting malware with no executable memory allocation
30:57 - Summary, so far…
34:16 - Overwritten PE Headers thwarted by examining threads
36:12 - Suspicious threads plugin
39:38 - Process Ghosting and Transaction Tampering
42:51 - Transacted hollowing
45:02 - Conclusions
45:55 - Q&A - Does unmapping LSASS make the OS unstable?
47:25 - A - Volatility 3 looks for violations of system state
///Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: https://infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord
///Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.mysh...
///Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/ser...
Penetration Testing: https://www.blackhillsinfosec.com/ser...
Incident Response: https://www.blackhillsinfosec.com/ser...
///Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/
///Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pa...
Live Training: https://www.antisyphontraining.com/co...
On Demand Training: https://www.antisyphontraining.com/on...
Antisyphon Discord: / discord
Antisyphon Mastodon: https://infosec.exchange/@Antisy_Trai...
///Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: / wildwesthackinfest
Antisyphon Training YouTube: / antisyphontraining
Active Countermeasures YouTube: / activecountermeasures
Threat Hunter Community Discord: / discord
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/