2024-11-02, Conference
The infosec ecosystem revolves around the perpetual process of detection and evasion. AV and endpoint protection products employ a multitude of detection techniques to thwart malware execution. For once, let's step into the shoes of a malware developer and understand why certain detection techniques work and how they can be evaded, because only by learning the offensive side can one effectively defend. This talk focuses on the various techniques employed by malware developers to evade modern-day AVs and EDRs. Participants will learn about the detection techniques employed by AVs and EDRs and the techniques by which a malware developer evades those detections.
The perpetual race to safeguard and secure our infrastructures has given birth to robust defensive mechanisms, such as antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR), to name a few. Over the years the detection methodologies they employ have evolved. From very basic string and hash matching, defensive mechanisms have enhanced their capabilities by employing machine learning, in-memory scanning and other sophisticated techniques. From the perspective of a malware developer, writing malware is considerably easier than evading detection.
In this talk we will discuss various techniques employed by malware developers to circumvent the detection measures implemented by modern-day AVs and EDRs. The talk will focus solely on the Windows ecosystem. We will discuss the nitty-gritty of the Windows OS, followed by the detection techniques implemented by AVs and EDRs. After understanding the detection methods, we will shift our focus to the techniques that can be implemented to bypass the aforementioned detections. Techniques covered include Unhooking, BlockDLL, Repatching, API Hashing, and ETW and AMSI patching, among others.
In order to better understand the concepts discussed, we present real-life PoCs. These PoCs showcase the discussed evasion techniques on a popular red teaming tool (Juicy Potato). The implemented techniques are tested against Windows Defender, a popular and widely used AV solution built into Windows by Microsoft. Furthermore, these PoCs showcase the exact detection methods and how we were able to bypass them to gain access.
Chetanya Kunndra is a security researcher with 3+ years of experience. His major area of expertise lies within the domain of pentesting and red teaming. Apart from red teaming, he has a knack for developing automation toolkits. He often dabbles in malware development and reverse engineering. With this knowledge he has successfully evaded sophisticated defenses in numerous red teaming exercises. He has published several research works on the application of artificial intelligence in cyber security. He received his Master of Technology in the domain of Cyber Security and also holds the CRTO certification.
Aryan is a security researcher with 3+ years of experience. He is a full-time malware developer and loves to evade AVs and EDRs. His research interests are not limited to Windows; he also develops low-level code for *nix systems. Even though his expertise lies in the domain of malware development and reversing, he also dabbles in red teaming. With his experience in low-level programming, he curates and develops toolkits extensively used for red team engagements. With his CRTO certification in tow, he has led and participated in numerous red team engagements against strong defense mechanisms.