Taking Hunting to the Next Level: Hunting in Memory - SANS Threat Hunting Summit 2017
The vast majority of threat hunting takes place on easily visible and accessible system artifacts. These include log entries, network data, command line histories, persistence locations, and many other locations on a system or in the environment. Thanks to rule-based approaches and more advanced data analytics, it is relatively easy to detect outliers, surface suspicious artifacts, and discover anomalies on and across endpoints. Current hunt methodologies do a good job finding intrusions and reducing dwell times in many cases, but it still isn’t good enough. Traditional hunting methods don’t address one essential area: in-memory-only attacks. Today’s sophisticated adversaries are well aware of the challenges in-memory-only methods pose for defensive tools and methods (including threat hunting) and thus increasingly avoid touching disk during operations. It is generally not possible with today’s tools to perform signature-less analysis of memory at the large scale necessary for effective hunting. Current memory analysis methods usually require collection of very large amounts of data and entail intensive analysis. Memory is largely a place for forensics as opposed to a data source for real threat hunting at the speed and scale necessary for effective detection. We can do better. In this talk, we will describe both common and advanced stealth malware techniques which evade today’s hunt tools and methodologies. Attendees will learn about adversary stealth and understand ways to detect some of these methods. Then, we will demonstrate and release a PowerShell tool which will allow a hunter to automatically analyze memory across systems and rapidly highlight injected, in-memory-only attacks at scale. This will help move memory analysis from the domain of forensics to the domain of detection and hunting, allowing hunters to close the detection gap against in-memory threats, all without relying on signatures.
Jared Atkinson (@jaredcatkinson), Defensive Services Technical Lead, Veris Group
Joe Desimone (@dez_), Malware Researcher, Endgame