Windows Defence Evasion and Fortification Primitives

Presented at DEF CON 30 (2022), Aug. 13, 2022, 9 a.m. (240 minutes).

The Windows Defence Evasion and Fortification Primitives workshop will walk candidates through adapting initial access, code execution, credential access and lateral movement TTPs against commonly encountered defences (such as Anti-Virus, Endpoint Detection Tooling and Windows Credential Guard). Candidates will be challenged to think critically and expand their classroom knowledge of vulnerabilities against limitations in defensive technologies on Windows 10, 11, Server 2016 and Server 2019 systems.

Agenda:

  • Connectivity and Setup Tests
  • Initial Endpoint Compromise and Code Execution
    - Discussing common defensive challenges
      - AV
      - Application control
      - Process relationship
      - Process flow using Attack Surface Reduction Rules
      - AMSI
    - Initial Access
      - DLL Hijacking/Proxying
        - Identifying common issues
        - Creating DLLs
      - Living out-of-land
      - SOCKS Proxy
    - Unmanaged code
    - Managed code
    - In-process/In-memory unmanaged code execution
    - Leveraging C2 capabilities
    - Injection
  • Credential Access
    - Interrogating Browsers
      - Information gathering
      - Extracting secrets
    - LSA
      - Running Mimikatz/Kekeo
      - What's a protected process?
      - In-memory patching using
      - Discussing other methods
    - Credential Guard
    - Remote Desktop Credential Guard
    - Effects of EDR
    - Kerberos
      - Session 0
      - Code Injection
      - TGS Exports
  • Lateral Movement
    - SMB
      - Artefacts
      - Customisation
        - Service
        - Named pipe
    - Alternatives (WinRM/RDP)
      - Artefacts
    - SOCKS Proxy

Materials: Laptop capable of outbound SSH/RDP to our labs.

Prereq: Workshop candidates should familiarise themselves with common tooling (such as a C2, PowerShell, MS Build, Rubeus and Kekeo) and have experience using common Windows protocols (such as SMB and RDP). Suggested exercises and labs for this will be sent to registered candidates prior to the workshop.

Presenters:

  • Paul Laîné - Senior Security Consultant
    Paul L. (@am0nsec) is a Senior Consultant at Mandiant. Paul works in R&D to improve Simulated Attack (SA) capabilities. With a strong interest in Microsoft Windows system and low-level programming and the x86 Instruction Set Architecture (ISA), Paul specialises in the development of malware and tools for SA operations. Some of his work is publicly available on GitHub and discussed on his Twitter profile.
  • Rohan Durve - Senior Security Consultant
    Rohan (@Decode141) is a Senior Consultant at Mandiant with a primary interest in attack simulation. Rohan is most interested in Windows and Active Directory assessments but is also involved in delivering offensive security training and capability development. Rohan has presented at conferences such as BlackHat, BSides London and BSides LV in the past.