MalOpSec → EDR: The Great Escape

VIRTUAL 16 CPE HOURS TRAINING: FEBRUARY 2023

Dr Silvio La Porta and Dr Antonio Villani

Abstract

MalOpSec → EDR: The Great Escape presents an in-depth description of the techniques implemented in modern malware to evade EDR products and the AV engines built into them. The course also covers real-world scenarios that impair reverse engineering efforts (slowing analysts down or dissuading them altogether) and make the job of first responders tougher.

Each technique is demonstrated in two ways: first by reversing real malware samples, then by re-implementing an improved version of the malware code.

The training is designed from an attacker's point of view, teaching red teams how to make their implants stealthier, but it also teaches defenders how to deal with the anti-reversing and OPSEC techniques demonstrated in class. We focus on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants are provided with plenty of custom code to facilitate the understanding of complex malware techniques.

Theory sessions are followed by exercises in which participants reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of every technique involved. About 50% of the course is dedicated to hands-on labs that show how to translate the theoretical principles into practice.

The labs offer flexibility in terms of complexity and include bonus tracks, so that you always feel engaged and have something interesting to explore and learn.

Agenda

Module 1

  • The shortest intro
  • All your malware gets detected, and the magic of memory (EDR anatomy)
  • Smashing file signatures
  • Unhooking the watchers in various ways
  • Self-protecting implant code in memory

Module 2

  • Mastering ETW and getting the forbidden feed
  • Using ROP to do good, or better bad, things...
  • Breaking and hardening publicly available obfuscators
  • Obfuscating your C# stage0 and making it hard to reverse

Key Learning Objectives

  • Recognize, implement, and deal with the evasion techniques and tradecraft of stealthy malware and backdoors
  • Modify malware components to protect them against reversing efforts
  • Become familiar with advanced .NET obfuscation systems
  • Build custom obfuscators and recognize the patterns left by common obfuscation transforms
  • Learn the tradecraft attackers use to impair or prevent defensive incident responders from analyzing their tools, payloads, and backdoors

Intended Audience

  • Developers and reverse engineers who want to understand the tradecraft from a different point of view
  • Red-team members who want to go beyond using third-party implants
  • Researchers who want to develop the anti-detection techniques found in real malware and APT tooling

Knowledge Prerequisites

  • Programming experience (C, C++, Python, .NET, and PowerShell)
  • Familiarity with assembly language and debuggers (IDA Pro, WinDbg)

Hardware Requirements

  • Virtualization-capable CPU(s)
  • Minimum 8 GB of RAM (enough to run one guest VM)
  • Minimum 80 GB of free disk space

Software Requirements

  • Host OS: Windows 10 64-bit
  • Disassembler and debugger (IDA Pro, WinDbg); a decompiler is recommended
  • Sysinternals tools
  • Virtualization software (VMware, VirtualBox)
  • Guest OS: Windows 10 64-bit, version 20H2
  • Administrator access on both the host and guest OSs