## Review And Summary

* Many modern attacks are only present in memory
* Velociraptor is able to gather volatile machine state
* We learned sophisticated process visibility plugins:
  * Process tokens
  * Analyzing PE files from memory
  * Dumping memory-resident injected binaries

---

## Review And Summary

* Other sources of machine state include:
  * Event Tracing for Windows
    * Event-driven framework for being notified about changes in system state.
    * Practical example: MSBuild-based attacks.
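The two summary slides above tie together process-token visibility and ETW as sources of volatile state. The VQL below is an added example written for this review, not code from the original slides or from the Velociraptor project: it first lists processes holding an elevated token, then subscribes to a .NET runtime ETW provider and keeps only events raised from an MSBuild.exe process. Assumptions: the `pslist()` columns `TokenIsElevated` and `Username`, the `token()` function, the `watch_etw()` event layout (`System.TimeStamp`, `System.ProcessID`, `System.ID`, `EventData`), and the Microsoft-Windows-DotNETRuntime provider GUID in `DotNetProvider` are all taken from memory of the Velociraptor and Windows documentation and should be confirmed on the host (for the GUID, `logman query providers` lists what is registered) before relying on them.

```vql
-- Added example, not part of the original training material.
-- Assumed: Microsoft-Windows-DotNETRuntime provider GUID. Verify with
--   logman query providers
-- on the endpoint before using this in an artifact.
LET DotNetProvider = "{e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}"

-- Part 1: process tokens.
-- Snapshot of processes whose primary token is elevated, with the full
-- token detail (user, SID, groups, privileges) pulled per process.
-- Assumed column/function names: TokenIsElevated, Username, token().
LET ElevatedProcesses = SELECT Pid, Name, Exe, Username,
       token(pid=Pid) AS Token
  FROM pslist()
  WHERE TokenIsElevated

-- Part 2: event-driven visibility through ETW.
-- Stream .NET runtime events as they occur and resolve the emitting
-- process at event time, so MSBuild instances started after this query
-- began are still caught (a one-off pslist() snapshot would miss them).
-- Assumed event layout: System.TimeStamp, System.ProcessID, System.ID, EventData.
SELECT System.TimeStamp AS Timestamp,
       System.ProcessID AS Pid,
       System.ID AS EventID,
       { SELECT Name, Exe, CommandLine
         FROM pslist(pid=System.ProcessID) } AS Process,
       EventData
  FROM watch_etw(guid=DotNetProvider)
  WHERE Process[0].Name =~ "(?i)^msbuild\\.exe$"
```

Run the first query on its own (`SELECT * FROM ElevatedProcesses`) to review token state; the second query is a long-running event source and belongs in a client event artifact rather than a one-shot collection. The MSBuild filter is deliberately narrow; in practice you would widen it to any process that should not be hosting managed code (for example, other living-off-the-land binaries) and add the `CommandLine` to the alert so the referenced project file is visible to the analyst.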