EDR is Coming; Hide Yo Sh!t

Formal Metadata

Title: EDR is Coming; Hide Yo Sh!t
Number of Parts: 335
License: CC Attribution 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
There's a new, largely unaddressed threat in the security industry today, Endpoint Detection and Response (EDR), which aims to stop threat actors in their tracks. The scenario plays out like this... At first your campaign is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you're evicted from the environment and you lose your persistence. You and the analyst are now having a bad time. You may feel this is just fear mongering, but we assure you, the risk is real.

Fortunately, we have a few new tricks up our sleeves to keep this nightmare scenario at bay. While many would have you believe that we live in a measured and signed boot Utopia on modern systems, we will show you the seedy underbelly of this Brave New World. By abusing early boot mechanisms and UEFI platform firmware, we are able to evade common detection. By showing up early to the fight, we sucker punch EDR, leaving it in a daze, unable to see our malicious activities. We put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak. By leveraging these two techniques, you and the analyst can have a happy and relaxing evening. From that point on, the good ol' days are back again! Plunder away!

Michael Leibowitz

Michael has done hard-time in real-time. An old-school computer engineer by education, he spends his days hacking the mothership for a Fortune 100 company. Previously, he developed and tested embedded hardware and software, fooled around with strap-on boot ROMs, mobile apps and office suites, and has written some secure software. On nights and weekends he hacks on electronics, writes CFPs, and contributes to the NSA Playset.

Topher Timzen

Topher Timzen is currently a Principal Vulnerability Enthusiast and enjoys causing constructive mischief. Topher has spoken at conferences such as DEF CON, SecTor and BSidesPDX on offensive security research. Enjoying teaching, particularly about exploitation, he has been running the CTF at BSidesPDX for the past few years. Topher is located in the woods hiking or mountain biking when not computing.

Collectively they have pretended to be bears, slayed a dragon or two, and have managed to not bring down a production server (for long). In reality, they just want to write malware.