Reverse Engineering for Persistence - How APTs find new hidden ways to hide on your systems, forever.

Presented at THOTCON 0xB (2021, rescheduled), Oct. 8, 2021, noon (50 minutes)

Persistence is a technique used by threat actors to keep access to systems across reboots, credential changes, and other miscellaneous disruptions. Establishing persistence on a target system is a key goal for any APT group looking to conduct long-term operations. It is also a key goal for smaller-stakes malware creators who target average users. When you suspect you are infected with malware, the first step is to find where it first gains execution when your system starts up. How can we make sure something unknown or malicious isn't running every time our computer or device turns on? Can modern antivirus or endpoint detection software save us? In short, when it comes to APTs, probably not. This talk will discuss the approach APT groups take to find new hidden ways to silently persist on a system. It will discuss how popular endpoint persistence scanners fall short and how APTs evade them. I will walk through an example, tasking myself with finding a novel persistence technique on a machine running Windows. This will include demonstrating reverse engineering of a system binary to discover the technique.

This talk is targeted at those interested in reverse engineering and operating systems. It is intended to give a big-picture discussion of how to identify specific OS components for binary analysis and have success in finding something interesting.
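The "first step" the abstract describes, finding where something gains execution at startup, is what a persistence scanner automates: it walks a fixed list of known autostart extensibility points (ASEPs) and reports what it finds. The script below is an added example written for this page, not code from the talk or the speaker. It enumerates four well-known Windows ASEP classes (Run/RunOnce keys, startup folders, auto-start services, enabled scheduled tasks), pulls a best-effort image path out of each command line, and checks its Authenticode signature so unsigned or missing images float to the top. The helper and function names are my own, and the command-line parsing is deliberately simple.

```powershell
# Added example, not code from the talk: enumerate well-known Windows ASEPs.
# A persistence scanner does essentially this, which is exactly the limitation
# the talk is about: it can only report locations that are already on its list.

function Get-RegistryRunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = 'Registry'; Location = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-StartupFolderEntries {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -File -Force | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
            [pscustomobject]@{ Source = 'StartupFolder'; Location = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-AutoStartServices {
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Location = $_.Name; Name = $_.DisplayName; Command = $_.PathName }
    }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
                [pscustomobject]@{ Source = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Command = $cmd }
            }
        }
    }
}

function Get-ExecutablePath([string]$Command) {
    # Best-effort extraction of the image path from a command line (not a full parser).
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $c = $c -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($c.StartsWith('"')) { return ($c -split '"')[1] }
    $first = ($c -split '\s+')[0]
    if ($first -match '\.(exe|dll|sys|cmd|bat|ps1)$') { return $first }
    # Unquoted path containing spaces: grow token by token until a file exists.
    $tokens = $c -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $first
}

$entries = @(Get-RegistryRunEntries) + @(Get-StartupFolderEntries) + @(Get-AutoStartServices) + @(Get-ScheduledTaskEntries)

$report = foreach ($e in $entries) {
    $exe = Get-ExecutablePath $e.Command
    $signer = 'n/a'
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/$($sig.Status)" }
    } elseif ($exe) {
        $signer = 'FILE NOT FOUND'
    }
    $e | Add-Member -NotePropertyName Image -NotePropertyValue $exe -PassThru |
         Add-Member -NotePropertyName Signer -NotePropertyValue $signer -PassThru
}

# Entries worth a second look first: anything not signed by Microsoft.
$report | Sort-Object { $_.Signer -like 'CN=Microsoft*' } | Format-Table Source, Name, Image, Signer -AutoSize
```

Run it from an elevated PowerShell session so HKLM and service data are complete. Read the output with the abstract's caveat in mind: an empty or all-Microsoft result only means nothing was found in these four locations. A technique found by reverse engineering some other system component, which is what the talk sets out to do, lives somewhere this list does not look, so a clean report here is not evidence of a clean machine.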


Presenters:

  • Valentina Palmiotti (@chompie1337)
    Lead Security Researcher at Grapl Security, former Vulnerability Researcher at Point3 Security. "Hacker" hobbyist, for research purposes only.
