BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//GG7SEM
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-recon-2026-GG7SEM@cfp.recon.cx
DTSTART;TZID=EST:20260621T110000
DTEND;TZID=EST:20260621T120000
DESCRIPTION:Endpoint Detection and Response (EDR) solutions are widely cons
 idered a cornerstone of modern enterprise defense. However\, recent malwar
 e campaigns show adversaries increasingly focus on actively disabling secu
 rity controls. Disabling EDR systems is not a trivial task\, as adversarie
 s must bypass and evade multiple detection and protection layers before th
 ey can successfully neutralize them.\n\nThis talk examines a recent intrus
 ion chain associated with the Qilin ransomware ecosystem\, where a dedicat
 ed EDR killer is deployed early in the attack lifecycle. The analyzed malw
 are is able to identify and disable hundreds of EDR drivers from multiple 
 vendors\, effectively removing visibility and response capabilities from t
 he target environment. The initial execution relies on DLL sideloading of 
 a trojanized msimg32.dll\, which acts as a PE loader for the EDR killer pa
 yload. The execution flow is deliberately convoluted using SEH/VEH-based c
 ontrol flow manipulation\, effectively breaking linear disassembly and com
 plicating static analysis. The sample further minimizes its user-mode foot
 print by dynamically resolving APIs and selectively switching to direct an
 d indirect syscalls to evade userland hooks commonly used by EDR solutions
 . In parallel\, it tampers with ETW providers to degrade telemetry visibil
 ity.\n\nAttendees will gain a deep understanding of how modern EDR killers
  are engineered\, including their use of undocumented APIs\, kernel object
  manipulation\, and advanced obfuscation strategies. The talk will bridge 
 low-level reverse engineering insights with practical detection opportunit
 ies\, highlighting weaknesses in current defensive models and offering con
 crete ideas for improving resilience against malware that targets the defe
 nders themselves. The race is on.
DTSTAMP:20260612T171735Z
LOCATION:Grand Salon Opera
SUMMARY:How real-world malware disables EDR systems - Holger Unterbrink
URL:https://cfp.recon.cx/recon-2026/talk/GG7SEM/
END:VEVENT
END:VCALENDAR