Enabling All-In-Memory Operations

With the rise of advanced Endpoint Detection and Response capabilities, offensive operations are challenged at every phase of execution. Touching disk means death for your C2 implants, common injection techniques are hooked, and scanners hunt for evidence of artifacts in memory. To survive in highly-instrumented environments, offensive tool developers and technique researchers must carefully consider how they execute code on-target.

In this talk, we will propose a methodology for designing tools and TTPs that enable operations in memory. To put the operators in control, we will focus on designing modular toolsets that expose design decisions to the users at runtime. Furthermore we will discuss how to get into memory initially, stay in memory, and eventually move laterally into local processes or even remote machines. Discussion of all topics will include examples based on new or existing publicly available code.