Recon 2024

An unexpected journey into Microsoft Defender's signature World.
06-29, 11:00–12:30 (US/Eastern), Soprano B

This workshop explores adversary emulation activities, focusing on creating false flags that mimic real attacks. Using Microsoft Defender as a case study, we analyze its signature formats in order to create samples that trigger specific detections. Participants will learn how to generate working samples that trigger chosen detections, gaining insight into Windows Defender's signature mechanisms along the way.

Full write up: https://retooling.io/blog

Prerequisites:
A Windows virtual machine, and the following material downloaded in advance:
https://github.com/t0-retooling/defender-recon24/

Adversary emulation activities are becoming increasingly common, and they aim to mimic real attacks as closely as possible. However, how closely they actually resemble the real thing varies significantly with the tools used and the TTPs implemented by the red team.

In this workshop, we will explore various degrees of similarity, leading up to the so-called false flag. Using Defender as a case study, we will analyze the format of the signatures that cover a specific threat actor. Our goal is to create sample parts that match individual signatures, ultimately resulting in fully functioning samples that match whole groups of signatures.

Defender employs various types of signatures; in our analysis, approximately a quarter of them, around 294,000 signatures in total, can trigger specific detections.

Furthermore, we'll demonstrate how to automatically generate fake PE files that mimic real threats, using selected detection rules derived from the original signature bytes. We will end up with a working implant that triggers a specific detection; achieving this requires reverse engineering the original implant.

Don't miss out on this opportunity to gain valuable insights into Windows Defender's signature detection mechanisms and to increase the world's entropy!

Dr. Silvio La Porta is CEO and Co-Founder at RETooling, where he defines and develops a threat actor emulation platform that enables red teams to recreate realistic attack scenarios. Previously he was a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APT. Before that, Silvio was a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy-protected data store projects for hybrid cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec's Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.

Davide Fontana is a Master's degree student in Cybersecurity at the University of Sapienza in Rome, currently writing his final thesis, with a passion for reverse engineering and malware analysis. He holds a bachelor's degree in Information Technology from the University of L'Aquila, Italy.

Dr. Antonio Villani is the Co-Founder of RETooling. He works full-time on the development of red-team and adversary emulation capabilities for his company. Previously he spent most of his time on the blue team, reversing high-level implants for top-tier customers and providing detailed information to support cyber-defense and cyber threat intelligence teams. Now he analyzes complex implants to gain a deep understanding of the TTPs used by threat actors and to provide high-quality reimplementations of them. As a researcher he has published in top-tier conferences and journals, and he has participated in European research projects in the fields of cyber resilience and data security. During his PhD he worked in the field of malware research and digital forensics.