Zombie Ant Farm: Practical Tips for Playing Hide and Seek with Linux EDRs

Presented at DEF CON 27 (2019), Aug. 10, 2019, noon (45 minutes)

EDR solutions have landed in Linux. With the ever-increasing footprint of Linux machines deployed in data centers, offensive operators have to answer the call. In the first part of the talk we will share practical tips and techniques hackers can use to slide under the EDR radar and expand post-exploitation capabilities. We will see how approved executables can be used as decoys to execute foreign functionality. We will walk through the process of using well-known capabilities of the dynamic loader. We will take lessons from user-land rootkits in evasion choices. Part two will focus on weaponizing the capabilities. We will show how to create custom preloaders and use mimicry to hide modular malware in memory. We will create a "Preloader-as-a-Service" capability of sorts by abstracting storage of modular malware from its executing cradles. This PaaS is free to you, though! We fully believe the ability to retool in the field matters, so we have packaged the techniques into reusable code patterns in a toolkit you will be able to use (or base your own code on) after it is released. This talk is for hackers, offensive operators, malware analysts and system defenders. We sincerely hope defensive hackers can attend and also have fun.

Presenters:

  • Dimitry Snezhkov / Op_Nomad - Sr. Security Consultant, X-Force Red
    Dimitry Snezhkov is a Sr. Security Consultant for X-Force Red. In this role he hacks code, tools, networks, apps and sometimes subverts human behavior too. Dimitry has spoken at DEF CON, THOTCON, DerbyCon, CircleCityCon, NorthSec, and presented tools at BlackHat Arsenal. Twitter: @Op_Nomad
