
GetInjectedThreadEx - improved heuristics for suspicious thread creations, John Uhlmann, BSidesCbr


Since its debut in 2017, the original script has been a blue team staple for identifying suspicious threads via their start addresses. However, red teams have since identified low-cost evasion techniques to counteract it: obfuscating their shellcode threads with start addresses that fall within legitimate modules. This talk outlines the memory artifacts that each evasion leaves behind and the development of an updated script that can be used to detect them.

John Uhlmann (he/him) is a Security Research Engineer at Elastic, where he focuses on scalable Windows in-memory malware detection. Prior to this he did similar work at the Australian Cyber Security Centre.
