BSidesAugusta 2024

Hunting Fileless Malware with Tree-Sitter
2024-10-05, Track 1

Obfuscated, fileless malware poses a significant challenge to automated detection systems and wastes valuable time during manual analysis. The challenge arises because many layers of obfuscation must be unraveled before the true malicious payload is revealed. This talk presents research demonstrating how the tree-sitter parser generator library can be used to write scalable, accurate, and attributable detections for malicious PowerShell payloads, as well as tooling for deobfuscating these scripts. We will demonstrate the effectiveness of these tools across a number of obfuscated scripts, including ones seen in the wild during real-life incident response engagements.

David McDonald is a researcher and software engineer with 3 years of digital forensics R&D experience. His passion for this field began with his involvement in the University of New Orleans CTF team, as well as through his time as a Systems Programming teaching assistant. After over two years of digital forensics research and development on Cellebrite's computer forensics team, he joined Volexity's Volcano team, where he now works to develop next-generation memory analysis solutions.

He believes deeply in sharing knowledge and helping others discover their abilities and interests through their own journeys in cybersecurity, and strives to pay forward the benefits of the mentorship that has opened so many doors for him.