BruCON 0x0D has ended
Thursday, October 7 • 14:30 - 15:30
PIC Your Malware!

For red teamers and real threat actors, operational security is a key skill for achieving the goals of an operation. While evading security products and fooling analysts was a trivial task for years, it has become more difficult to stay under the radar of the blue team. Exhaustive logging, automated triaging of suspicious processes and scanning for malicious memory artefacts are powerful techniques that allow defenders to spot attackers easily. Therefore, adapting, customizing and implementing new offensive tools is an important task for attackers who want to stay ahead of the defenders.

This talk outlines our approaches to building customized tools and hiding them from analysts and security products on the endpoint. It will be explained how popular PE loading techniques, such as Reflective DLLs or Donut/sRDI, can be spotted by the artefacts they leave in memory, and how position independent code (PIC) can be leveraged to avoid these artefacts. Nevertheless, utilizing these techniques still allows payloads to be built and deployed rapidly. It will be demonstrated how we build and protect our payloads with an automated build server supporting multiple file formats and environmental crypting.

Information will be shared on how defenders use exhaustive logging and correlation of Windows events to identify malicious processes, and how we use concepts such as handle duplication and custom PE loaders to avoid certain Sysmon events.

Speakers

Ben Heimerdinger

We are members of the Code White Red Team and have over five / seven years of experience in offensive security. At Code White we are part of the offensive tooling team where we develop offensive tools allowing the operators to achieve the goals of the engagement while trying to stay...

Sebastian Feldmann



Thursday October 7, 2021 14:30 - 15:30 CEST
01. Westvleteren University