Maxence Fossat

Working as a DFIR analyst in Synacktiv's CSIRT, Maxence Fossat is passionate about digital forensics, detection engineering and malware analysis. After working for a few years with different EDR/XDR solutions, he moved on from detection to response. With a keen interest in attacker tradecraft and reverse engineering, his goal is to make significant contributions to the cybersecurity ecosystem, with efficient detection rules and tools. He is first and foremost dedicated to sharing his findings via talks, classes and tools.

Session

10-21
11:45
30min
LOLBlue: Living Off the Land with Blue Team tools
Maxence Fossat, Antoine C

It is not unusual for CERT/CSIRT/SOC teams to use collection and live forensics tools in their incident response workflow. Programs such as Velociraptor, KAPE or DFIR-ORC can legitimately access low-level filesystem data and memory for the purposes of extracting forensic artifacts.

In this talk, we will show how these tools can be abused for credential access and why they might be overlooked by security teams. We will also discuss detection opportunities and what events to monitor in order to effectively counter these techniques.

topic: hack.lu
Europe