Maxence Fossat
Working as a DFIR analyst in Synacktiv's CSIRT, Maxence Fossat is passionate about digital forensics, detection engineering and malware analysis. After several years working with different EDR/XDR solutions, he moved from detection to response. With a keen interest in attacker tradecraft and reverse engineering, his goal is to contribute to the cybersecurity ecosystem through efficient detection rules and tools. He is first and foremost dedicated to sharing his findings through talks, classes and tools.
Session
CERT, CSIRT and SOC teams commonly rely on artifact collection and live forensics tools in their incident response workflows. Programs such as Velociraptor, KAPE or DFIR-ORC legitimately read low-level filesystem data and memory in order to extract forensic artifacts, which is precisely the kind of access that is otherwise tightly restricted.
In this talk, we will show how these same tools can be abused for credential access and why security teams may overlook such abuse. We will also discuss detection opportunities and which events to monitor in order to counter these techniques effectively.