Developing Resilient Detections (with Obfuscation & Evasion in Mind)

Presented at BruCON 0x0A (2018), Oct. 4, 2018, 1:30 p.m. (240 minutes)

WARNING: Heavy obfuscation, evasion and general offensive techniques will be demonstrated to challenge and improve attendees’ defensive thinking and detection approaches!

Offensive tradecraft and "living off the land" techniques are discovered, developed and released to the public at breakneck speeds. Attackers begin using these techniques within hours of their release. However, defenders often spend days, weeks or months identifying and reactively creating signatures for these techniques. Often these reactive signatures are overly rigid; therefore, they are easily bypassed by simple modifications to the command or technique.

In this workshop we will:

* Develop multiple layers of resilient host-based and network-based detections for several relevant "living off the land" attack techniques
* Introduce incremental layers of obfuscation and evasion techniques to the attacker commands and payloads to iteratively evade and harden our detection approach
* Learn about numerous host-based artifacts we can use for detection purposes (process arguments, common persistence locations, image load events, prefetch files, Shimcache, Amcache, SRUM - System Resource Usage Monitor, etc.)
* Implement detection logic in numerous formats including IOCs (Indicators of Compromise), YARA rules, and Snort signatures

The author has several years of real-world experience creating, tuning and enriching real-time detections that run on 10+ million endpoints in 100's of environments around the world. This firsthand experience will help facilitate conversations around false positives, detection performance and signal-to-noise ratios – concepts that are often overlooked (and sometimes less relevant) when dealing only with smaller environments.

Presenters:

  • Daniel Bohannon / DBO as Daniel Bohannon
    Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously worked as an Incident Response consultant with FireEye’s Mandiant consulting group, where he supported and led IR engagements and high-tech crime investigations. Daniel’s areas of expertise include IR investigations, host- and network-based detection research and development, and obfuscation and detection evasion research and tradecraft development. He is the author of the Invoke-Obfuscation, Invoke-CradleCrafter and Invoke-DOSfuscation obfuscation frameworks and the co-author of the Revoke-Obfuscation PowerShell obfuscation detection framework.
