- 16 Nov
The aim of the talk is to explore various techniques for bypassing the security measures implemented by modern antivirus (AV) products, the exploit-protection modules built into Windows, EDRs, XDRs, and other security products commonly found in companies that take endpoint security seriously. The talk will begin with a discussion of how security products have evolved and how modern-day hackers and red teamers encounter such tools.
The talk will then delve into the different types of detection: static, behavioral, and heuristic. We will explain various techniques for bypassing static malware detection, such as payload encryption, headerless payloads, and signature-based bypasses, as well as the dynamic bypass mechanisms used by malware developers and professional red teamers, such as direct syscalls, AMSI bypass, ETW bypass, and heap encryption.
The talk will include real-life PoCs showing how common C2 payloads, such as Meterpreter, Cobalt Strike Beacons, and Covenant, are easily detected by many proprietary malware detection products, such as CrowdStrike and Windows Defender. It will then walk, stage by stage, through the exact methodology each product used to detect the signature or behavior in question, along with the modifications and techniques we used to evade each of those detection mechanisms.