BruCON 0x0A

WARNING: Heavy obfuscation, evasion and general offensive techniques will be demonstrated to challenge and improve attendees’ defensive thinking and detection approaches!

Offensive tradecraft and "living off the land" techniques are discovered, developed and released to the public at breakneck speeds. Attackers begin using these techniques within hours of their release. However, defenders often spend days, weeks or months identifying and reactively creating signatures for these techniques. Often these reactive signatures are overly rigid; therefore, they are easily bypassed by simple modifications to the command or technique.

In this workshop we will:
    * Develop multiple layers of resilient host-based and network-based detections for several relevant "living off the land" attack techniques
    * Introduce incremental layers of obfuscation and evasion techniques to the attacker commands and payloads to iteratively evade and harden our detection approach
    * Learn about numerous host-based artifacts we can use for detection purposes (process arguments, common persistence locations, image load events, prefetch files, Shimcache, Amcache, SRUM - System Resource Usage Monitor, etc.)
    * Implement detection logic in numerous formats including IOCs (Indicators of Compromise), YARA rules, and Snort signatures

The author has several years of real-world experience creating, tuning and enriching real-time detections that run on 10+ million endpoints in 100's of environments around the world. This firsthand experience will help facilitate conversations around false positives, detection performance and signal-to-noise ratios – concepts that are often overlooked (and sometimes less relevant) when dealing only with smaller environments.