Hunting payloads in Linux extended file attributes

Автор: SANS Digital Forensics and Incident Response

Загружено: 2025-12-10

Просмотров: 384

Описание: Hunting payloads in Linux extended file attributes

Xavier Mertens, Freelance Cybersecurity Consultant - Xameco SRL
DFIR Prague 2025

Linux Extended File Attributes provide functionality similar to NTFS Alternate Data Streams (ADS). While often used for legitimate purposes, they can also be abused to conceal malicious content. Attackers may hide payloads, encrypted data, or other artifacts within these attributes —making detection and forensic analysis more challenging. This session will demonstrate both sides of the equation: How adversaries can hide a simple payload in extended attributes and how defenders can detect and investigate such misuse. Gain practical insights into the offensive and defensive techniques surrounding Linux extended attributes, to help you strengthen your hunting and incident response capabilities.

#cybercrime | #dfir

Не удается загрузить Youtube-плеер. Проверьте блокировку Youtube в вашей сети.
Повторяем попытку...

Hunting payloads in Linux extended file attributes

Доступные форматы для скачивания:

Скачать видео

Информация по загрузке:

Скачать аудио

Похожие видео

The art of concealment: How cybercriminals are becoming and remaining anonymous

The art of concealment: How cybercriminals are becoming and remaining anonymous

Extracting the unseen: Real-world RAM acquisition and analysis from Android devices

Extracting the unseen: Real-world RAM acquisition and analysis from Android devices

Building the PERFECT Linux PC with Linus Torvalds

Building the PERFECT Linux PC with Linus Torvalds

When the threat group doesn’t leave: Incident response under fire

When the threat group doesn’t leave: Incident response under fire

Правительство США запретит устройства TP-Link: взлом китайского Wi-Fi-роутера в режиме реального ...

Правительство США запретит устройства TP-Link: взлом китайского Wi-Fi-роутера в режиме реального ...

Scammer Panics so Fast over Russian Virus

Scammer Panics so Fast over Russian Virus

PDF forensics and authenticity detection

PDF forensics and authenticity detection

Mobile device hardening: A forensic comparison of advanced protection programmes in IOS and Android

Mobile device hardening: A forensic comparison of advanced protection programmes in IOS and Android

Как сжимаются изображения? [46 МБ ↘↘ 4,07 МБ] JPEG в деталях

Как сжимаются изображения? [46 МБ ↘↘ 4,07 МБ] JPEG в деталях

MacOS telemetry vs EDR telemetry - Which is better?

MacOS telemetry vs EDR telemetry - Which is better?

Digital forensics and security: Automate audits, investigations and response with AWX and Ansible

Digital forensics and security: Automate audits, investigations and response with AWX and Ansible

СЫРЫЕ видео от НАСТОЯЩИХ хакеров

СЫРЫЕ видео от НАСТОЯЩИХ хакеров

Как использовать команду Stat в Linux (полное руководство)

Как использовать команду Stat в Linux (полное руководство)

The Original Sin of Computing...that no one can fix

The Original Sin of Computing...that no one can fix

Dark Web РАСКРЫТ (БЕСПЛАТНО + Инструмент с открытым исходным кодом)

Dark Web РАСКРЫТ (БЕСПЛАТНО + Инструмент с открытым исходным кодом)

I FINALLY listened to you and tried Linux... Why did I wait so long?

I FINALLY listened to you and tried Linux... Why did I wait so long?

Cybersecurity Architecture: Networks

Cybersecurity Architecture: Networks

Linux Says “Goodbye, Russia

Linux Says “Goodbye, Russia"

how to get remote access to your hacking targets // reverse shells with netcat (Windows and Linux!!)

how to get remote access to your hacking targets // reverse shells with netcat (Windows and Linux!!)

Почему спагетти-код лучше чистой архитектуры

Почему спагетти-код лучше чистой архитектуры