Hybrid Phishing Payloads: From Threat-actors to You

Presented at DEF CON 30 (2022), Aug. 13, 2022, 2 p.m. (240 minutes)

The hard outer shell of cyber defenses often gives way to a soft, gooey and easy-to-exploit centre, but all the lateral movement and escalation techniques in the world aren't worth anything if initial access cannot be secured. For threat actors and Red Teamers alike, getting over that initial hurdle can be a long, arduous task with little hope of success, and phishing in particular is often the bane of any aspiring attacker. Between EDRs, email scanner solutions and payload fingerprinting, what do you do?

This workshop has been developed with the aim of giving participants hands-on experience working with sophisticated payloads and techniques used by nation-state threat actors. Armed with payload automation tools, participants will learn to implement novel bypass techniques to circumvent state-of-the-art anti-malware security products, both network-based and host-based technical controls, and iteratively improve their payloads throughout.

Topics will include:

  • Multiple payload formats and their advantages and disadvantages
  • Combining phishing techniques
  • Automation, obfuscation and creation of payloads for quick turnaround
  • How to improve payloads based on information gathered from earlier attacks
  • Extracting technical information from threat actor intelligence breakdowns

Materials: Just the laptop

Prerequisites: Laptop with the ability to connect to the local network and run 1 VM requiring 4GB of memory. Some understanding of phishing, and of what a payload is, would also be a good idea. Experience with creating or modifying tools from source code will also help.

Presenters:

  • Magnus Stubman - Red Team
    Magnus is part of the European Red Team at Mandiant and the APT66 project. He currently resides within the group's Malware team, where he specializes in the research and application of offensive techniques in both overt and covert engagements, discovering zero-days and custom C2 techniques for the team. His other focus is on adversarial simulation of FIN and APT groups via enactment of known (and not so known) TTPs, incorporating the known bad into something that can be used as a force for good.
  • Jon Christiansen - Red Team Lead
    Jon is the Red Team lead for Mandiant Europe. After spending a decade as a hands-on-keyboard Red Teamer and malware developer, he recently took a step back to focus more on capability development and team expansion. He founded the APT66 research project team at Mandiant and currently focuses his research on the latest bypass techniques, threat actor malware and finding new ways to jump the IT/OT barrier.