Dodging the EDR Bullet: A Workshop on Malware Stealth Tactics

Presented at DEF CON 32 (2024), Aug. 8, 2024, 2 p.m. (240 minutes).

The workshop will walk through a number of state-of-the-art detection techniques and will show the thought process used to research and develop cutting-edge evasion techniques. We will dive deep into interesting aspects of Windows and AV internals with respect to malware development. The focus will be on the mindset used to defeat security products, starting with the analysis of a variety of detection mechanisms and ending with the development of countermeasures. Moreover, the training will contain a number of live demonstrations that practically show how to apply those concepts and how to integrate them, illustrating how evasive implants and post-exploitation tools are developed. By altering the fundamental rules of engagement, we can confound EDR systems and reshape their perception of the digital environment. The workshop will dig deep into the internals of certain aspects of AV/EDRs and the Windows operating system to identify the areas to exploit in order to lower the detection rate; it will involve the use of Visual Studio and debuggers.

Presenters:

  • Dimitri Di Cristofaro - Senior Security Consultant and Researcher at SECFORCE LTD
    Dimitri "GlenX" Di Cristofaro is a senior security consultant and researcher at the London office of SECFORCE LTD, where he performs Red Team engagements on a daily basis. The main focus of his research is Red Teaming, in particular identifying new ways of attacking operating systems and looking for cutting-edge techniques to increase stealthiness in strictly monitored environments. He enjoys malware writing and offensive tool development, as well as producing electronic music in his free time.
  • Giorgio "gbyolo" Bernardinetti - Lead Researcher, System Security Division at CNIT
    Giorgio "gbyolo" Bernardinetti is lead researcher at the System Security division of CNIT. His research activities are geared towards Red Teaming support, in particular the design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, in both user space and kernel space. He is OSCP and OSCE certified, and enjoys playing electric guitar in his free time.