Coming Soon

Advanced Threat Emulation: Evasion

August 3, 2024, BlackHat USA

Details
Date: August 3, 2024, 09:00
End: August 4, 2024, 17:00
Location: BlackHat USA
Address: Mandalay Bay / Las Vegas

About the event

OVERVIEW

Windows presents a vast attack surface, providing the Blue Team with many detection opportunities. Students will learn about evading Blue Team hunters by first learning to build detections, then masking their signatures, and exploiting indicators to decrease detection probability. We will also explore the impact of migrating through different programming languages, such as C# and IronPython. By the end of the course, students will be equipped with the knowledge to obfuscate open-source tools without necessitating custom tooling for use across a diverse and dynamic operations environment.

This class will explore the theory behind malware obfuscation, starting with the Theory of Code Obfuscation and how it applies to Tactics, Techniques, and Procedures (TTPs) implemented by modern Advanced Persistent Threats (APTs). We will examine everything from standard variable obfuscation to control flow manipulation to data procedurization. Students will apply obfuscation theory to practical applications in hands-on labs throughout the course.

To achieve these goals, students will examine several advanced techniques such as API unhooking, code migration, and exploiting the human element of the Security Operations Center (SOC). By the end of this class, students will understand code obfuscation in the application of custom tools and how to leverage it to extend the useful life of tools.

Course Objectives:

  • Grasp the Evolution of Obfuscation: Gain an understanding of the technical development of obfuscation within cybersecurity.
  • Master Detection Methodologies: Develop the ability to explore and analyze various antivirus detection methods, focusing on Network vs. Host indicators and the differences between Human and Machine analytics.
  • Emulate Specific Threats: Learn to customize and apply evasion tactics effectively to emulate specific threats, including Advanced Persistent Threats (APTs).
  • Evade Event Tracing and Logging: Acquire strategies to skillfully circumvent Event Tracing for Windows (ETW) and various logging mechanisms used in cybersecurity.
  • Manipulate APIs for Evasion: Understand the techniques for unhooking and manipulating application programming interfaces to avoid detection.
  • Obfuscate .NET Applications: Develop proficiency in obfuscating .NET framework-based applications to evade standard detection methods.
  • Analyze Indicators of Compromise: Enhance skills in examining and understanding indicators of compromise (IOCs) to refine evasion tactics.
  • Utilize Non-Traditional Communication Channels: Learn to use non-traditional communication channels effectively to evade network-based detection.
  • Mask Malicious Network Traffic: Master techniques to conceal malicious network traffic, integrating it seamlessly with normal traffic patterns to avoid raising suspicion.
  • Prepare for Evasion Detection: Equip yourself with strategies to prepare emergency responses for instances when evasion tactics are detected.


Course Overview:

Introduction to Evasion

  • Origin of Obfuscation
  • Detection Methodologies (AV 101)
  • Network vs Host indicators
  • Human vs Machine Analytics
  • Threat Specific Evasion TTPs

Windows Attack Surfaces

  • Event Tracing for Windows (ETW)
  • Script Block & Module Logging
  • Offensive .NET (PowerShell, C#, DLR)
  • Implementing Windows Antimalware Scan Interface (AMSI) Bypasses
  • Evading Event Tracing for Windows (ETW) and Logging
  • API (Un)Hooking

Theory of Obfuscation

  • Layout Modification
  • Control Flow Manipulation
  • Data Masking and Transformation
  • Method Scattering and Proxying
  • Code Translation and Diversification

Practical Implementations of Obfuscation

  • Universal Evasion Methods
  • .NET Obfuscation
  • Automated Obfuscation Tooling
  • Indicators of Compromise (IOC) Analysis
  • The Magic of the DLR and its lack of instrumentation

Evading Blue Team Hunt

  • Masking Network Traffic
  • Out-of-Band Communications
  • Leveraging Trust and Reputation
  • Prepping your Panic Button
  • Distributive Architecture

KEY TAKEAWAYS

  • Grasp the fundamentals of how malware detection works, including various detection methodologies.
  • Gain a thorough understanding of Windows attack surfaces and vulnerabilities.
  • Learn and demonstrate obfuscation methodologies specifically for .NET payloads.

WHO SHOULD TAKE THIS COURSE

Our Evasion course is tailored for those who want to delve deep into the world of code obfuscation. It is especially suited for Red Team members eager to refine their skills in emulating sophisticated cyber threats. The course also serves as a vital tool for Blue Team members, offering them a deeper perspective into the nuances of evasion tactics used by attackers.

AUDIENCE SKILL LEVEL

Intermediate/Advanced

STUDENT REQUIREMENTS

  • Intermediate-level understanding and experience with offensive security tools and methodologies.
  • A familiarity with .NET, including programming languages like C# and PowerShell, is expected.
  • Bring a willingness to learn and adapt in a fast-paced, dynamic educational environment.

WHAT STUDENTS SHOULD BRING

  • Laptop with 8GB of RAM
  • Modern web browser (Chrome, Firefox, etc.)

WHAT STUDENTS WILL BE PROVIDED WITH

  • 30-day lab access on Immersive Labs
  • A copy of all course material
  • Course swag & coin