Spotlight

May 7, 2024

Cyber Security Hubbl3

Survivorship Bias and How Red Teams Can Handle It

Reporting, by its nature, only covers the threat actors that have been caught. What about all the ones that didn't get caught? There is no way to examine them: we don't know what they did, and therein lies the problem for threat emulation.


Advanced Threat Emulation: Evasion

Course Summary

This class will explore the theory behind malware obfuscation, starting with an overview of Tactics, Techniques, and Procedures (TTPs) and ending with practical implementations targeting evasion of Defender and its Antimalware Scan Interface (AMSI). We will examine everything from standard variable obfuscation to control flow manipulation to data procedurization. As part of the study, we will explore how different obfuscation methods affect various data collection components such as Event Tracing for Windows (ETW), Defender, and PowerShell logs. Students will learn to build AMSI bypass techniques, to obfuscate payloads against dynamic and static signature detection methods, and about alternative network evasion methods.


Course Objectives

Understand the use and employment of evasion techniques

Demonstrate the concept of least obfuscation

Demonstrate obfuscation methodology for .NET payloads


Upcoming Courses

01 Apr 2023

HackSpaceCon, Kennedy Space Center M6-306, 405 State Road, Kennedy Space Center, FL 32899, 09:00

Advanced Threat Emulation: Evasion

More info

09 May 2023

Blackhat Asia, Marina Bay Sands, Singapore, 09:00

Advanced Threat Emulation: Evasion

More info

13 Sep 2023

Virtual, 09:00

Advanced Threat Emulation: Evasion

More info