Malware development on secured environment - Write, adapt, overcome

Presented at DEF CON 31 (2023), Aug. 11, 2023, 2 p.m. (240 minutes)

This workshop is an introduction to offensive malware development in C/C++ and to adapting the approach depending on the security solution that must be defeated. Several methods will be covered: ModuleStomping, DLL Injection, Threadless Injection and Hardware Breakpoints for dehooking. The idea is to start with a basic piece of malware performing process injection and apply additional techniques step by step to start evading EDR. At each step, the malware will be analyzed to understand the differences at the system level and the IOCs detected by the EDR. At the end of this workshop, you will have the knowledge needed to develop your own malware and adapt it to the targeted environment, escaping the basic patterns and spawning your beacons as if the EDR didn't exist.

Skill Level: Intermediate

Prerequisites for students:
- Some basic C/C++ knowledge and entry-level skills on Windows OS.

Materials or equipment students will need to bring to participate:
- A computer with Visual Studio Community or an equivalent compiler, WinDbg and a Windows system (a virtual machine might be better).

Presenters:

  • Yoann Dequeker - Red Team Operator at Wavestone
    Yoann Dequeker has been a red team operator at Wavestone for 4 years; he holds the OSCP certification and several HTB Red Team Pro Labs. Aside from his various red team operations against CAC40 companies, which led him to develop several custom malware samples to evade EDR and ease C2 beacon deployment or phishing campaigns, he speaks at conferences such as LeHack as a malware development speaker and actively shares his knowledge on social media under the OtterHacker pseudonym. Besides his contributions to open-source projects, such as the implementation of TDO secret extraction in Impacket, he spends time working with several EDRs to understand the pros and cons of the different malware development techniques in order to craft and use the payload best adapted to the targeted environment.
