A full description of the Workshop:

This workshop is all about sharing the experience with all, how we can make use of advanced evasion techniques in order to Bypass different Endpoint Detection and Response (EDR) systems. First we will start with the basics of Windows Internals (PEB, TEB, Winapi, etc) with process injection examples.

Next, participants will receive a primer on Endpoint Detection and Response systems and how they perform User-Mode hookings. Then we would start focusing on how Ntapis work and then delve down to syscall concepts. From here, we would start creating Implants based on syscalls and move down to advanced forms of malware development techniques, like thread stack spoofing and shellcode start address spoofing. We would also be showing how to detect those types of implants. This workshop would help individuals to up-skill their Malware development as well as defensive skills altogether.

Topics that will be Covered

  1. Introduction
  2. Windows Internals
  3. Process Injection
  4. EDR Bypass Techniques
  5. System Call Introduction
  6. Direct Static System Call (Offensive and defensive side)
  7. Direct Dynamic Systemcall with API Hashing (Offensive and defensive side)
  8. Indirect Dynamic SystemCall with API Hashing (Offensive and defensive side)
  9. Call Stack Monitoring Evasion (Offensive and defensive side)
  10. Newly Created Thread Start Address spoofing.

Participant requirement ?

  • A laptop with at least 8 GB RAM having VirtualBox.
  • A kali VM running inside VirtualBox with Havoc ( 0.7 version) installed.

Who should attend ?

  • Red Team/Purple Team
  • Malware Developers
  • Threat Hunters

Prerequisites:

  • Comfortable with C and C++.
  • Basic understanding of windows environment.

Workshop Trainer

vulncon
Soumyanil Biswas
Security Researcher

Currently into Security Research. Though he has an electronics background, he has an immense interest in information security. Black Hat Asia 2024 Presenter. Former Speaker at BSides Singapore 2023. Also got an invitation as a speaker from BSides St. Pete (Florida) 2023, BSides Prishtina (Kosovo) 2023/2024 and Hackmiami Conference XI 2024.

He is learning new stuff day in and day out. He is passionate about offensive security more than defensive. He has played CTFs, solved 100+ rooms in TryHackMe till now. He has CRTP. Nowadays, he spends most of the time building scripts/open source malware dev evasion based projects, digging deep into windows system internals, building scripts on On-prem and Cloud-based (like, AWS) Attack Vectors.

vulncon
Faran Siddiqui
Security Researcher

Faran is a security researcher with a deep interest in understanding the workings of malware and Windows Internals. Aside from that he's always curious to learn more about adversaries, ransomware, malware analysis and also about detections. As a security researcher, Faran's day job in @Firecompass is more towards emulating and automating adversary simulation, cloud and active directory attacks and keeping an eye on the latest threats and vulnerabilities. Faran's also got an invitation from BSides Prishtina (Kosovo) and 2024 Hackmiami Conference XI 2024 as a speaker.