DESCRIPTION
Malware development and evasion are becoming harder each day. EDRs now combine signature-based detection, behaviour-based detection and entropy-based detection. Shellcode is often encoded or encrypted, which leaves the payload with high entropy (randomness); that high entropy is itself a signal an EDR can use to flag and block the file.
This presentation follows the journey of a red teamer: improving their tools with simple techniques and learning about evasion and Windows internals along the way. We review the high-level theory behind evasion and present unique approaches to it, including entropy reduction and shellcode execution through callbacks. We present a novel tool that reduces entropy by encoding shellcode as dictionary words, and we use Windows callback functions to launch the decoded shellcode.
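The entropy argument above can be measured directly. The following is an added example, not the talk's tool or its code: it assumes a constructed 16-word dictionary, a nibble-to-word mapping (two words per byte), a constructed pseudo-random blob standing in for encrypted shellcode, and an illustrative 7.0 bits/byte alert threshold for the naive EDR entropy check. It computes Shannon entropy for the raw blob and for its word-encoded form, runs both through the threshold check, and verifies the round trip.

```python
import math
import random
from collections import Counter

# Constructed 16-word dictionary, one word per nibble value 0..15.
# This is an assumption for the example: the talk's tool, its word list
# and its byte-to-word mapping are not described on this page.
NIBBLE_WORDS = [
    "apple", "bridge", "castle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "ladder", "meadow", "needle", "orange", "pepper",
]
WORD_TO_NIBBLE = {w: i for i, w in enumerate(NIBBLE_WORDS)}

# Illustrative threshold (an assumption): entropy heuristics commonly treat a
# blob at or above roughly 7 bits/byte as packed or encrypted.
ENTROPY_ALERT_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encode_to_words(payload: bytes) -> str:
    """Encode each byte as two dictionary words: high nibble, then low nibble."""
    words = []
    for b in payload:
        words.append(NIBBLE_WORDS[b >> 4])
        words.append(NIBBLE_WORDS[b & 0x0F])
    return " ".join(words)


def decode_from_words(text: str) -> bytes:
    """Inverse of encode_to_words. Raises ValueError on malformed input."""
    tokens = text.split()
    if len(tokens) % 2 != 0:
        raise ValueError("word stream must contain an even number of words")
    out = bytearray()
    for hi, lo in zip(tokens[0::2], tokens[1::2]):
        if hi not in WORD_TO_NIBBLE or lo not in WORD_TO_NIBBLE:
            raise ValueError(f"unknown dictionary word: {hi!r} / {lo!r}")
        out.append((WORD_TO_NIBBLE[hi] << 4) | WORD_TO_NIBBLE[lo])
    return bytes(out)


def looks_packed(blob: bytes, threshold: float = ENTROPY_ALERT_THRESHOLD) -> bool:
    """Naive entropy heuristic of the kind the abstract says EDRs apply."""
    return shannon_entropy(blob) >= threshold


# Constructed stand-in for an encrypted shellcode blob: 1 KiB of seeded
# pseudo-random bytes. It is not real shellcode and does nothing if executed.
_rng = random.Random(0xC0DE)
SAMPLE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1024))


def entropy_report(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Compare the raw blob with its word-encoded form under the entropy check."""
    encoded = encode_to_words(payload).encode("ascii")
    return {
        "raw_entropy": shannon_entropy(payload),
        "raw_flagged": looks_packed(payload),
        "encoded_entropy": shannon_entropy(encoded),
        "encoded_flagged": looks_packed(encoded),
        "size_growth": len(encoded) / len(payload),
        "roundtrip_ok": decode_from_words(encoded.decode("ascii")) == payload,
    }


if __name__ == "__main__":
    for k, v in entropy_report().items():
        print(f"{k:>16}: {v:.3f}" if isinstance(v, float) else f"{k:>16}: {v}")
```

The trade-off is visible in the report: the raw blob sits near 8 bits/byte and trips the check, while the word stream lands around 4 bits/byte (ordinary English text territory) at the cost of roughly fourteen times the size. The secret has not gone away, it has moved into the decoder, which is why the detection side of the talk looks at the loader (YARA on the word list or decoding routine) and at memory after decoding rather than at the file's entropy alone.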
We also give an overview of how to detect these techniques, to help blue teamers in their jobs. Detection methods covered include YARA rules, ETW, and PE file memory scanners.
Participants will benefit from this talk in several ways. Red teamers can immediately use the tool, which is publicly released along with C#/C++ code samples, and blue teamers can learn how to detect these techniques.
WHY THE COMMITTEE CHOSE THIS TALK
Obfuscation is an ever-changing field. We are excited to learn some new things that will help us detect the bad guys.
SPEAKER