I spent some time working on #AVBurner, a post-exploitation tool used by #SnakeCharmer (aka "Earth Longzhi" by #trendmicro). This tool disables kernel callbacks. With my colleagues from @volexity, we wrote a small blog post explaining how it works, but also how to detect kernel callback manipulation by using #volatility. As #volshell supports MS symbols, we are able to parse in-memory kernel objects. More details here: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
#avburner #snakecharmer #trendmicro #volatility #volshell
@volexity details how to use #memoryanalysis to detect EDR-nullifying malware. This latest blog post uses the #AVBurner malware, first documented by @TrendMicro, as an example. Read more here: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
#memoryanalysis #avburner #dfir #threatintel