Elevator Pitch
This workshop shows how to use advanced evasion tactics to bypass different EDR systems, and how to detect that kind of malware (Red+Blue). It starts with the basics of Windows internals, then covers the main EDR detection types, and then delves into maldev using syscalls and stack spoofing.
Description
This workshop is about sharing, with everyone, how advanced evasion techniques can be used to bypass different Endpoint Detection and Response (EDR) systems. We start with the basics of Windows internals (PEB, TEB, the Win32 API, etc.) using process injection examples.
Next, participants get a primer on EDR systems and how they perform user-mode hooking. We then look at how the Nt* APIs work and go down into syscall internals. From there we build implants based on syscalls: first direct static syscall implants (how to build them and how they can be detected with tools), then direct dynamic syscall implants (build and detect), then the upgrade to indirect syscall implants (development and detection), adding IAT obfuscation via API hashing along the way, and finally more advanced maldev techniques such as custom/clean call stack usage. The workshop is meant to upskill participants' maldev skills and their defensive skills together.
We don't have a PDF/PPT created for this yet, but we do have a prepared GitHub repo on the malware dev/detection techniques we are going to cover in this workshop (with code snippets and explanations, including .sln config files). If you share a GitHub username with us, we can add it to our private GitHub repo (https://github.com/reveng007/MaldevWorkShop).
Notes
Technical Requirements:
- We will provide a Win10 maldev VM, so Oracle VM VirtualBox is needed.
- We will provide a free open-source EDR, BestEDROfTheMarket, already installed.
- Another Kali VM with Havoc C2 running would be better. If not, we can easily manage by popping calc rather than opening a live session via a Havoc beacon.
- A Wi-Fi connection is needed for the server-implant connection.
I have been working on developing malware for almost 2 years now. I released a tool named DarkWidow in August, which successfully bypassed Sophos XDR easily. I also developed evasive tools at my current organization, targeting phishing engagements. I used to gather notes whenever I learned something new in the offensive maldev domain and added them to my private repo. Just like with my previous talk about an LKM-based rootkit (reveng_rtkit), I wasn't going to reveal all my notes and insights on LKMs, but I decided to make them public after I got some DMs from people about my rootkit tool. Then I thought that besides making the tool public, I should share insights on it too. My talk was selected by various conferences, such as BSides Florida, BSides Prishtina (Kosovo) and finally BSides Singapore. Singapore is where I finally gave my talk. Just like in the previously mentioned case, this year too I want to share all the maldev techniques related to syscalls and the stack (stack spoofing) that I can share with others, which would help them build implants/malware to evade potential detection services and would also help threat hunters/analysts detect these types of implants, which are currently used in the wild by APTs. So I think my colleague and I will be apt to run this workshop and help all the attendees learn more about the world of Windows malware.