Defeating Next-Gen AV and EDR: Using Old (And New) Tricks on New Dogs

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 6, 2019, 3 p.m. (45 minutes)

Next-Gen AV and EDR are the new hotness on the scene this year. They promise to put the bad guys and the red team in their place through increased endpoint detection and response. What they don't do that even traditional AV has had issues with is self-protection. This talk will go into the ways in which next-gen AV and EDR (Cylance, Crowdstrike, Carbon Black, Defender ATP) can be defeated using simple tricks that have worked against AV for decades. Rather than attempt to hide from them, attacking them head on through gaps in self-protection mechanisms seems to be the best bang for the buck.

Presenters:

• Nick Lehman (Graph-X)
  Nick is an offensive security professional working for <insert company here>. In his spare time he is a casual CS:GO try-hard. Turn ons include: RCE, LFI, TLAs and over-privileged accounts.Turnoffs include:feet, undocumented APIs, and NDAs.
• Steve Eisen (Rum Twinkies)
  Steve is an IR and threat hunting specialist, working for <insert company here>. His turn ons include IOCs, fileless malware samples, C++ and gandalf sax guy 10 hour Youtube jams.His turn offs: People who don't hold doors, lactose, and Perl.

Links:

• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Defeating Next Gen AV and EDR Using Old And New Tricks on New Dogs Nick Lehman Graph X Steve Ei.mp4
• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Defeating Next Gen AV and EDR Using Old And New Tricks on New Dogs Nick Lehman Graph X Steve Ei.eng.srt (subtitles)
• https://www.youtube.com/watch?v=7peKbZM2Mw8

Similar Presentations:

• THOTCON 0xA (2019) / Defeating Next-Gen AV and EDR Using Old Tricks On New Dogs
• DerbyCon 9.0 Finish Line (2019) / Testing Endpoint Protection: How Anyone Can Bypass Next Gen AV
• Kiwicon 8: It's always 1989 in Computer Security (2014) / Breaking AV software