Firewall 0-day Investigations + Detecting and Triaging Modern Windows Rootkits


Details
This Meetup will feature two Volexity speakers: Tom Lancaster and Andrew Case. For the first session, Tom will be discussing a topic he presented at CyberThreat22 earlier this year, Firewall 0-day Investigations. For the second session, Andrew will present Detecting and Triaging Modern Windows Rootkits.
The Meetup will be hosted at Spaces Wiehle Metro, 1900 Reston Metro Plaza, Reston, VA. Doors will open at 6:30PM and the first session will begin at 7:00PM. Seating is limited, so be sure to reserve your spot!
ABSTRACTS
Session I: Firewall 0-day Investigations
This talk focuses on two real-world examples of Chinese nation-state attackers using 0-day exploits to compromise firewall devices. The story behind how these attacks were detected and the ensuing investigation process will be explained, giving unique insights into the actions the attackers performed after breaching the target network.
Session II: Detecting and Triaging Modern Windows Rootkits
Over the last several years, Microsoft has added many new security features aimed at disrupting kernel-level malware. These include enabling Driver Signing Enforcement by default, greatly updating Patch Guard, and adding significant new logging capabilities related to kernel-level code. As usual, rootkit developers adapted to these changes so that they could still load code into the kernel and maintain system control, all while evading the latest versions of Patch Guard. This talk walks through the most commonly observed examples of these techniques, including those used by a variety of APT groups. A mix of event log analysis and memory forensics will be used to showcase methods that automatically detect techniques deployed by modern rootkits.
SPEAKER BIOS
Tom Lancaster (Twitter: @tlansec) is the Threat Intelligence lead at Volexity, where he applies his 10 years of threat intelligence, malware detection, and incident response experience to help investigate and build knowledge repositories about sophisticated threats. He specializes in investigating and tracking known nation-state threat actors, as well as identifying new ones.
Andrew Case (Twitter: @attrc) is the Director of Research at Volexity and a core developer of the Volatility memory analysis framework. His professional experience includes digital forensic investigations, incident response handling, malware analysis, penetration tests, and source code audits. Andrew is a co-author of the award-winning book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory”. Andrew also co-teaches the “Digital Forensics & Incident Response” class at Black Hat. Andrew’s primary research focus is physical memory analysis, and he has presented his research at conferences including Black Hat, RSA, SecTor, SOURCE, BSides, OMFW, GFirst, and DFRWS.