Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology

Presented at Black Hat USA 2018, Aug. 8, 2018, 2:40 p.m. (50 minutes)

While security products are a great supplement to the defensive posture of an enterprise, to well-funded nation-state actors they are an impediment to achieving their objectives. While pentesters argue about the efficacy of a product because it doesn't detect their specific offensive technique, mature actors recognize a need to holistically subvert the product at every step during the course of their operation.

Sysmon - a security tool used widely by defenders as well as by several security vendors - is a great target on which to demonstrate a formalized approach to evasion and tampering. This talk will cover host footprint analysis, evasion, tampering, and rule auditing/bypass strategies. Specific strategies covered will include attack surface analysis, determining evasion "paths of least resistance", and identification of narrow, "exploitable" detections. By the end of the talk, it will become evident that the strategies applied to Sysmon can be easily applied to any security product.

Are security product vendors preparing themselves to be resilient against threats specifically targeting their product? Should they be? It is inevitable that capabilities will be developed against security products. Armed with that knowledge, how should vendors respond? You be the judge by applying a more systematic methodology to assessing security products.


Presenters:

  • Lee Christensen - Senior Red Team Operator/Hunt Analyst, SpecterOps
    Lee Christensen is a senior red team operator, threat hunter, and capability engineer for SpecterOps. He has performed red team and hunt engagements against Fortune 500 companies for several years, and has trained at events throughout the world. Lee enjoys researching and building tools to support red team and hunt operations. He has contributed to several offensive/defensive tools and is the author of UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and KeeThief. He is also a veteran Black Hat trainer.
  • Matt Graeber - Security Researcher, SpecterOps
    Matt Graeber is a security researcher and a veteran Black Hat trainer. He is a regular speaker at security conferences discussing topics such as post-exploitation tradecraft, application whitelisting, code signing, and PowerShell. He has made a reputation for himself demonstrating how otherwise trusted software and technology can be abused by attackers – referred to as the "living off the land" methodology. Matt is very much fascinated by the concept of trust, what it means to people, and how assumptions of trust can be subverted.
