Jargon & Jigsaw: Shellcode Obfuscation | Mike Saunders
Author: Wild West Hackin' Fest
Uploaded: 2025-08-04
Views: 424
Description:
🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/
🔗 Register for Infosec Webcasts, Anti-casts & Summits. – https://poweredbybhis.com
In this talk, Mike will cover two highly effective techniques for obfuscating shellcode in your payloads.
Jargon is a shellcode obfuscation method that substitutes dictionary words in place of shellcode bytes. This provides two benefits: your loader doesn't contain any shellcode, and the use of dictionary words reduces the entropy of your loader, sidestepping entropy detections built into some AV & EDR.
Jigsaw is a shellcode obfuscation routine designed to hide your shellcode without requiring encryption. This eliminates possible signatures related to including encryption libraries in your payload while also avoiding significant increases in entropy.
00:00 - Intro
00:54 - Slide deck location
01:13 - whoami
01:48 - The importance of entropy
02:33 - Entropy and compressibility
04:23 - Entropy of languages
06:22 - Crowdstrike detection
06:56 - Anti-entropy tactics
08:14 - Adding language makes file highly compressible
08:45 - Jargon creates a shellcode loader that does not contain shellcode
09:22 - Any printable character set may be used
10:33 - 256-word translation table
12:24 - Decoding at runtime
14:24 - Defender and other agents detected the decoding - countermeasures
15:56 - DEMO: Jargon getting past Crowdstrike
17:09 - Try It Yourself
17:22 - Apologies to defenders - no detection for this (maybe frequency analysis?)
18:10 - Q&A - Can you use languages other than English?
20:45 - Q&A - Entropy
22:01 - Q&A - What is the level of entropy that would be detected?
23:04 - Q&A - Is entropy checked across the entire file, or just a section?
24:58 - JIGSAW PRESENTATION
26:30 - Jigsaw - How does it work?
29:10 - Putting the puzzle back together
33:18 - Try JIGSAW
35:33 - Q&A - Are there any default signatures in the code that could be used for detection if unaltered?
37:03 - Q&A - Staged vs stageless payloads
38:11 - Q&A - Use these obfuscation tools to evade DLP?
39:20 - Q&A - Merging Jargon and Jigsaw? (no)
///Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: https://infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord
///Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.mysh...
///Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/ser...
Penetration Testing: https://www.blackhillsinfosec.com/ser...
Incident Response: https://www.blackhillsinfosec.com/ser...
///Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/
///Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pa...
Live Training: https://www.antisyphontraining.com/co...
On Demand Training: https://www.antisyphontraining.com/on...
Antisyphon Discord: / discord
Antisyphon Mastodon: https://infosec.exchange/@Antisy_Trai...
///Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: / wildwesthackinfest
Antisyphon Training YouTube: / antisyphontraining
Active Countermeasures YouTube: / activecountermeasures
Threat Hunter Community Discord: / discord
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/