Will It Run? Fooling EDRs With Command Lines Using Empirical Data | Wietze Beukema
Author: Wild West Hackin' Fest
Uploaded: 2025-03-03
Views: 1303
Description:
🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/
🔗 Register for Infosec Webcasts, Anti-casts & Summits. – https://poweredbybhis.com
There is a wealth of system-native programs, particularly on Windows operating systems, that happily accept 'unexpected' command-line transformations, such as character substitutions, deletions or insertions. An implication of this is that command-line-based detections can be bypassed with minimal effort and, unlike command-line spoofing, without the need for special system calls. Tools susceptible to this include those often leveraged in attacks that 'live off the land' (also known as LOLBins or LOLBAS).
This talk will show, based on empirical analysis of the 60 most commonly used LOLBins, how many detections can be bypassed by making minimal tweaks to how a LOLBin is called. Furthermore, we will introduce a new web-based tool that not only documents the results for all these executables, but also lets anyone generate obfuscated command lines themselves with the click of a button.
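As an added illustration of the detection-engineering side of the point above (example code written for this page, not from the talk or its web tool): a naive substring rule is compared with the same rule applied after command-line normalization. The sample command lines are constructed; which tweaks a given binary actually tolerates varies per tool, so the normalizer folds only generic variations (case, whitespace, quoting, executable path, option prefix) that a detection should not depend on.

```python
import re

# Constructed sample command lines (not from the talk). The first is the form a
# naive rule is written against; the next four apply case, whitespace, quoting
# and full-path tweaks of the kind the talk describes; the last is a benign
# command that no rule should match.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c whoami /all',
    'CMD.EXE /C whoami /all',
    'cmd.exe  /c \t whoami   /all',
    '"cmd.exe" /c "whoami" /all',
    'C:\\Windows\\System32\\cmd.exe /c whoami /all',
    'cmd.exe /c dir',
]

NAIVE_RULE = 'cmd.exe /c whoami /all'

_QUOTES = re.compile(r'["\']')
_WHITESPACE = re.compile(r'\s+')


def normalize(cmdline: str) -> str:
    """Canonicalize a command line before matching it against a rule."""
    s = _QUOTES.sub('', cmdline.strip())     # "cmd.exe" and cmd.exe compare equal
    s = _WHITESPACE.sub(' ', s).lower()       # collapse runs of whitespace, fold case
    tokens = s.split(' ')
    # Reduce the executable to its basename: c:\windows\system32\cmd.exe -> cmd.exe
    tokens[0] = tokens[0].rsplit('\\', 1)[-1].rsplit('/', 1)[-1]
    # Fold the option prefix so -x and /x compare equal (assumption: done for
    # matching only; whether a given tool accepts both prefixes is per-tool).
    tokens = ['/' + t[1:] if len(t) > 1 and t[0] == '-' else t for t in tokens]
    return ' '.join(tokens)


def naive_match(cmdline: str, rule: str = NAIVE_RULE) -> bool:
    """Raw substring match, as a fragile command-line detection would do it."""
    return rule in cmdline


def normalized_match(cmdline: str, rule: str = NAIVE_RULE) -> bool:
    """Same rule, but both sides are normalized first."""
    return normalize(rule) in normalize(cmdline)


def evaluate(cmdlines=SAMPLE_COMMAND_LINES, rule: str = NAIVE_RULE) -> dict:
    """Count how many sample command lines each matcher flags."""
    return {
        'naive': sum(naive_match(c, rule) for c in cmdlines),
        'normalized': sum(normalized_match(c, rule) for c in cmdlines),
    }
```

Running `evaluate()` shows the raw rule catching only two of the five variants while the normalized rule catches all five and still ignores the benign command.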
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/