Evading Detection: A Beginner's Guide to Obfuscation

Presented at DEF CON 30 (2022), Aug. 13, 2022, 2 p.m. (240 minutes)

Defenders are constantly adapting their security to counter new threats. Our mission is to identify how they plan on securing their systems and avoid being identified as a threat. This is a hands-on class to learn the methodology behind malware delivery and avoiding detection. This workshop explores the inner workings of Microsoft's Antimalware Scan Interface (AMSI), Windows Defender, and Event Tracing for Windows (ETW). We will learn how to employ obfuscated malware using Visual Basic (VB), PowerShell, and C# to avoid Microsoft's defenses. Students will learn to build AMSI bypass techniques, obfuscate payloads from dynamic and static signature detection methods, and learn about alternative network evasion methods. In this workshop, we will: i. Understand the use and employment of obfuscation in red teaming. ii. Demonstrate the concept of least obfuscation. iii. Introduce Microsoft's Antimalware Scan Interface (AMSI) and explain its importance. iv. Demonstrate obfuscation methodology for .NET payloads. Materials: Laptop VMWare or Virtual Box Windows Dev machine or other Windows VM Kali Linux VM Prereq: Basic level of PowerShell or C# experience.

Presenters:

• Anthony Rose / Cx01N - Lead Security Researcher   as Anthony "Cx01N" Rose
  Anthony "Cx01N" Rose, CISSP, is a Security Researcher and Chief Operating Officer at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work, revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
• Jake "Hubbl3" Krasnov - Red Team Operations Lead and Chief Executive Officer
  Jake "Hubbl3" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.
• Vincent "Vinnybod" Rose - Lead Tool Developer
  Vincent "Vinnybod" Rose is the lead developer for Empire and Starkiller. He is a software engineer with experience in cloud services, large-scale web applications, build pipeline automation, and big data ETL. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.

Similar Presentations:

• DerbyCon 7.0 Legacy (2017) / PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10
• DeepSec 2016 „Ten“ / AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That
• Black Hat Asia 2018 / Documenting the Undocumented: The Rise and Fall of AMSI