Advanced Threat Emulation: Evasion by BC Security

Date: April 13 & 14, 2023
On-Site (In Person)
2 Day

Training Abstract

This class will explore the theory behind malware obfuscation, starting with the Theory of Code
Obfuscation and how it applies to Tactics, Techniques, and Procedures (TTPs) implemented by
modern Advanced Persistent Threats (APTs). We will examine everything from standard
variable obfuscation to control flow manipulation to data procedurization. Throughout the
course, students will apply obfuscation theory to practical applications in hands-on labs.
Windows presents a vast attack surface and provides the Blue Team with many detection
opportunities. Students will learn about evading Blue Team hunters by first learning how to build
detections and then masking their signatures and exploiting indicators to decrease their
detection probability. By the end of the course, students will be equipped with the knowledge to
obfuscate open-source tools without necessitating custom tooling for use across a diverse and
dynamic operations environment.


Outline

  • Introduction to Evasion

  • Origin of Obfuscation

  • Detection Methodologies (AV 101)

  • Network vs Host indicators

  • Human vs Machine Analytics

  • Threat Specific Evasion TTPs

  • Windows Attack Surfaces

  • Event Tracing for Windows (ETW)

  • Script Block & Module Logging

  • Offensive .NET (PowerShell, C#, DLR)

  • Implementing Windows Antimalware Scan Interface (AMSI) Bypasses

  • Evading Event Tracing for Windows (ETW) and Logging

  • Theory of Obfuscation

  • Layout Modification

  • Control Flow Manipulation

  • Data Masking and Transformation

  • Method Scattering and Proxying

  • Code Translation and Diversification

  • Practical Implementations of Obfuscation

  • Universal Evasion Methods

  • .NET Obfuscation

  • Automated Obfuscation Tooling

  • Indicators of Compromise (IOC) Analysis

  • Evading Blue Team Hunt

  • Masking Network Traffic

  • Out-of-Band Communications

  • Leveraging Trust and Reputation

  • Prepping your Panic Button

  • Distributive Architecture

Who Should Attend

Anyone who wants to understand the principles behind code obfuscation: Red or Blue Team members who are interested in advancing their threat emulation capabilities or their understanding of obfuscation indicators and theory.

What Students Will Be Provided

  • 30-day access to the comprehensive course range
    - A copy of all course material
    - Course Swag & Coin

Anthony "Coin" Rose

PhD Student at the Air Force Institute of Technology and Lead Security Researcher at BC Security

Speaker Bio:

Anthony "Coin" Rose, CISSP, is a PhD Student at the Air Force Institute of Technology and Lead Security Researcher at BC Security, where he specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. He has presented at numerous security conferences, including Black Hat, DEF CON, HackMiami, and RSA conferences. Anthony is the author of various offensive security tools, including Empire and Starkiller, which he actively develops and maintains. He is recognized for his work revealing widespread vulnerabilities in Bluetooth devices and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.

Jake "Hubble" Krasnov

Red Team Operations Lead and Chief Executive Officer of BC Security

Speaker Bio:

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security. He has spent the first half of his career as an Astronautical Engineer overseeing rocket modifications for the Air Force. He then moved into offensive security, running operational cyber testing for fighter aircraft and operating on a red team. Jake has presented at DEF CON, where he taught courses on offensive PowerShell, and has been recognized by Microsoft for his discovery of a vulnerability in AMSI. Jake has authored numerous tools, including Invoke-PrintDemon and Invoke-ZeroLogon, and is the co-author of a cybersecurity blog at https://www.bc-security.org/blog/.