Attackers can do so much in memory these days and not touch the disk, especially with things like PowerShell to abuse. In walks a talk to help combat that: Taking Hunting to the Next Level Hunting in Memory by Jared Atkinson and Joe Desimone. And the code released to do it: Get-InjectedThread.ps1. Talk was also given in May at SANS Threat Hunting and Incident Response Summit 2017, and while I don’t have a video link for it, the PDF of the slides is available. If some of this sounds familiar, one of the presenters is from Endgame which is where I recently linked another similar blog post from.