Andrew and the whole Volexity crew are top tier. They've been first on the scene for many vulns and breaches and have helped tons of orgs behind the scenes. Respect!
A logical conclusion of this would be that suspended processes have no real world use-case which is obviously not correct... Pretty cool otherwise, and in the context of known/preclassified memory samples.
We tested across 1000s of samples from a diverse set of enterprise environments. There were no false positives related to reporting threads with a suspend count greater than 0 - all of these threads were malware/malicious. None of the techniques described rely on known sample sets.
So, what is malware going to do when it is undetected and executed in memory? Sit there and wait for tasty treats. :-)
Saying that intrusion can only be detected by memory forensics is shortsighted and saying that basically all other security measures are obsolete.
while advanced kernel anti-cheats efficiently detect these malware methods💀
Hey man I’ll get my “tasty treats” don’t you worry bout that.