BYOTB: Bring Your Own Trusted Binary - David Kennedy

Описание: Security professionals are locked in a constant cat-and-mouse game with attackers who continuously find creative ways to bypass modern defences. One such technique is Bring Your Own Trusted Binaries (BYOTB)©, where attackers use legitimate, signed or checksum verified binaries which may not be present on the host machine to achieve their aims. Since these binaries are oftentimes trusted by the OS and EDR solutions, they are less likely to raise red flags, providing attackers with a stealthy way to circumvent traditional security mechanisms.

This session will explore how the BYOTB technique works, some examples of trusted binaries and why they are so effective at bypassing EDR solutions.

I'll cover:
Understanding the BYOTB idea: I will explain which trusted binaries are used and how they can provide access to external adversaries and testers alike.
EDR and Firewall Evasion Tactics: I will demonstrate how adversaries leverage trusted binaries to exploit gaps in EDR detection as well as bypassing modern firewalls.
Detection and Mitigation Strategies: The concluding section of the talk will focus on defensive measures. I’ll discuss practical detection techniques, including monitoring the usage of known binaries, and implementing tighter security controls around execution policies for certain trusted binaries.

This talk is geared towards a technical audience, including Red Teamers and Pentesters looking to understand how to exploit these techniques as well as Blue Teamers interested in improving their detection and mitigation strategies. Attendees will leave with actionable insights into how they can detect BYOTB techniques in their environments, as well as best practices for preventing such attacks from slipping through the cracks.