Wild West Hackin' Fest - Deadwood 2024

The perpetual race to safeguard and secure our infrastructures have given birth to robust defensive mechanisms, such as antiviruses (AV), Endpoint Detection and Response (EDRs), and Extended detection and response (XDR) just to name a few. Over the years the detection methodologies employed by them have evolved. From the very basic string and hash matching techniques, defensive mechanisms have enhanced their capabilities by employing machine learning, in memory scanning and other sophisticated techniques. From the perspective of a maldev, developing a malware is considerably easier as compared to evading it.
In this talk we will discuss various techniques employed by maldevs to circumvent detection measure implemented by modern day AVs and EDRs. This talk will solely focus on the Windows ecosystem. We will discuss the nitty gritties of the Windows OS, followed by various detection techniques implemented by AVs and EDRs. After understanding the detection methods we will shift our focus on various techniques that can be implemented to bypass aforementioned detection techniques. Some techniques included are Unhooking, BlockDLL, Repatching, API Hashing, ETW and AMSI patching etc.
In order to better understand the concepts discussed, we present real life PoCs. These PoCs will showcase the discussed evasion techniques on a popular red teaming tool (Juicy Potato). Furthermore these PoCs will showcase the exact detection methods and how we were able to bypass them to gain access.