Loading…
BruCON 0x0D has ended
Back To Schedule
Thursday, October 7 • 14:30 - 15:30
PIC Your Malware!

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
For red teamers and real threat actors, operational security is a key  skill to achieve the goals of an operation. While evading security products and fooling analysts has been a trivial task for years, it has become more difficult to stay under the radar of the blue team. Exhaustive logging, automated triaging of suspicious processes and scanning for malicious memory artefacts are powerful techniques allowing defenders to easily spot attackers. Therefore, adapting, customizing and implementing new offensive tools is an important task for attackers to be ahead of the defenders.

This talk outlines our approaches to build customized tools and hiding them from analysts and security products on the endpoint. It will be explained how popular PE loading techniques, such as Reflective DLLs or Donut/sRDI can be spotted by artefacts they leave in memory and how position independent code (PIC) can be leveraged to avoid these artefacts. Nevertheless utilizing these techniques allows rapidly building and deploying payloads. It will be demonstrated how we build and protect our payloads with an automated build server supporting multiple file formats and environmental crypting.

Information will be shared on how defenders use exhaustive logging and correlation of windows events to identify malicious processes and how we use concepts such as handle duplication and custom PE loaders to avoid certain Sysmon events.

Speakers
avatar for Ben Heimerdinger

Ben Heimerdinger

We are members of the Code White Red Team and have over five / seven years of experience in offensive security.At Code White we are part of the offensive tooling team where we develop offensive tools allowing the operators to achieve the goals of the engagement while trying to stay... Read More →
avatar for Sebastian Feldmann

Sebastian Feldmann

We are members of the Code White Red Team and have over five / seven years of experience in offensive security.At Code White we are part of the offensive tooling team where we develop offensive tools allowing the operators to achieve the goals of the engagement while trying to stay... Read More →


Thursday October 7, 2021 14:30 - 15:30 CEST
01. Westvleteren University