Our talk introduces a comprehensive and novel perspective on the offensive use of Blue Team and forensic tools — an area that has seen limited but growing interest among threat actors and red teams. While a handful of drivers and utilities have been publicly identified for such purposes, our research expands the known toolkit by presenting a systematic review of underexplored DFIR tools that can be repurposed to access system memory or protected files. We analyze how these tools operate under the hood and demonstrate real-world scenarios where they can bypass security tools.

In addition to cataloguing and evaluating these capabilities, we introduce original research on the offensive use of pre-installed or commonly deployed forensic software for data extraction and covert exfiltration. We also provide actionable guidance on detection and defence strategies, addressing a blind spot in current security literature and detection frameworks. This talk bridges the gap between DFIR tooling and offensive tradecraft, challenging defenders to reassess their trust assumptions and tool visibility.

As a company which specializes both in red teaming and incident response, Synacktiv thrives on pushing the boundaries in offensive and defensive security. As such, this joint talk will use the personal experience of both speakers to explore a fun new technique in red teaming.

Whether using pure collection tools such as DFIR-ORC or KAPE, or (ab)using the client/server architecture of Velociraptor live-forensics tool, LOLBlue offers interesting alternatives in the late stages of a red team engagement.