The vast majority of threat hunting takes place on easily visible and accessible system artifacts. These include log entries, network data, command line histories, persistence locations, and many other locations on a system or in the environment. Thanks to rule-based approaches and more advanced data analytics, it is relatively easy to detect outliers, surface suspicious artifacts, and discover anomalies on and across endpoints. Current hunt methodologies do a good job finding intrusions and reducing dwell times in many cases, but it still isn’t good enough. Traditional hunting methods don’t address one essential area: in memory-only attacks.
Today’s sophisticated adversaries are well aware of challenges in-memory only methods pose for defensive tools and methods (including threat hunting) and thus increasingly avoid disk during operations. It is generally not possible with today’s tools to perform signature-less analysis of memory at the large scale necessary for effective hunting. Current memory analysis methods usually require collection of very large amounts of data and entail intensive analysis. Memory is largely a place for forensics as opposed to a datasource for real threat hunting at the speed and scale necessary for effective detection. We can do better. In this talk, Jared Atkinson and Joe Desimone will describe both common and advanced stealth malware techniques which evade today’s hunt tools and methodologies. Attendees will learn about adversary stealth and understand ways to detect some of these methods. Then, they will demonstrate and release a Powershell tool which will allow a hunter to automatically analyze memory across systems and rapidly highlight injected in-memory-only attacks across systems at scale. This will help move memory analysis from the domain of forensics to the domain of detection and hunting, allowing hunters to close the detection gap against in-memory threats, all without relying on without signatures.