LOLBlue : Living Off the Land with Blue Team tools
2025-10-21, Europe

It is not unusual for CERT/CSIRT/SOC teams to use collection and live forensics tools in their incident response workflow. Programs such as Velociraptor, KAPE or DFIR-ORC can legitimately access low-level filesystem data and memory for the purposes of extracting forensic artifacts.

In this talk, we will show how these tools can be abused for credential access and why they might be overlooked by security teams. We will also discuss detection opportunities and what events to monitor in order to effectively counter these techniques.


Our talk introduces a comprehensive and novel perspective on the offensive use of Blue Team and forensic tools — an area that has seen limited but growing interest among threat actors and red teams. While a handful of drivers and utilities have been publicly identified for such purposes, our research expands the known toolkit by presenting a systematic review of underexplored DFIR tools that can be repurposed to access system memory or protected files. We analyze how these tools operate under the hood and demonstrate real-world scenarios where they can bypass security tools.

In addition to cataloguing and evaluating these capabilities, we introduce original research on the offensive use of pre-installed or commonly deployed forensic software for data extraction and covert exfiltration. We also provide actionable guidance on detection and defence strategies, addressing a blind spot in current security literature and detection frameworks. This talk bridges the gap between DFIR tooling and offensive tradecraft, challenging defenders to reassess their trust assumptions and tool visibility.

As a company which specializes both in red teaming and incident response, Synacktiv thrives on pushing the boundaries in offensive and defensive security. As such, this joint talk will use the personal experience of both speakers to explore a fun new technique in red teaming.

Whether using pure collection tools such as DFIR-ORC or KAPE, or (ab)using the client/server architecture of the Velociraptor live-forensics tool, LOLBlue offers interesting alternatives in the late stages of a red team engagement.

Working as a DFIR analyst in Synacktiv's CSIRT, Maxence Fossat is passionate about digital forensics, detection engineering and malware analysis. After working for a few years with different EDR/XDR solutions, he moved on from detection to response. With a keen interest in attacker tradecraft and reverse engineering, his goal is to make significant contributions to the cybersecurity ecosystem, with efficient detection rules and tools. He is first and foremost dedicated to sharing his findings via talks, classes and tools.