BC-SECURITY/DEFCON27 BC-SECURITY/DEFCON27

  • Stars
    star
    128
  • Rank 281,044 (Top 6 %)
  • Language
  • Created over 5 years ago
  • Updated over 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
BC-SECURITY/DEFCON27
github

BC-SECURITY

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DEFCON 27 slides and workshop materials.

DEFCON27

alt text alt text

Keep up-to-date on our blog at https://www.bc-security.org/blog

Hack to Basics โ€“ Adapting Exploit Frameworks to Evade Microsoft ATP

When: August 10, 2019 1000-1050
Where: Recon Village

Many pentesters are avoiding existing frameworks due to security improvements from Microsoft and smarter practices by network Admins. Red teams donโ€™t have to throw away existing tools because their attacks are being thwarted and contrary to belief, Powershell is not dead. We updated existing tools and demonstrated that they can still be used to launch successful attacks. We would want to get back to the basics and demonstrate that successful attacks are still possible by modifying tools like Empire.

Our pentest used open-source intelligence (OSINT) to learn a ridiculous amount about our targets to launch spearphishing attacks. We used a targeted macro enabled doc to launch our Powershell code, which we developed from a complex academic process (failures, more obfuscation, more failures, success, ????, and Profit).

We will go over the methods employed by Microsoft Advanced Threat Protections (ATP) in both their antivirus and their sandbox environment, how we enumerated, and characterized their system to avoid detection. In addition, we avoided detection from Darktrace on a commercial network by masking our JA3 signature and weaponized Microsoft Azure for our covert C2 channel. In the end, we were able to launch a successful attack again a large company using Empire and our wits.

Introduction to Sandbox Evasion and AMSI Bypasses

When: August 9, 2019 1430-1830
Where: Flamingo, Red Rock IV

Microsoft is constantly adapting their security to counter new threats. Specifically, the introduction of the Microsoft Antimalware Scan Interface (AMSI) and its integration with Windows Defender has significantly raised the bar. In this hands-on class, we will learn the methodology behind obfuscating malware and avoiding detection. Students will explore the inner workings of Windows Defender and learn to employ AMSI bypass techniques and obfuscate malware using Visual Basic (VB) and Powershell. Then identify and evade sandbox environments to ensure the payloads are masked when arriving at the intended target. The final capstone will be tying all the concepts together.

In this workshop we will:

  1. Introduce AMSI and explain its importance
  2. Learn to analyze malware scripts before and after execution
  3. Understand how obfuscate code to avoid AMSI and Windows Defender
  4. Detect and avoid sandbox environments

Workshop Resources

More Repositories

1

Starkiller

Starkiller is a Frontend for PowerShell Empire.
Vue
1,356
star
2

Beginners-Guide-to-Obfuscation

PowerShell
1,009
star
3

Moriarty

Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
C#
467
star
4

Malleable-C2-Profiles

Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike & Empire.
333
star
5

Invoke-ZeroLogon

Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.
PowerShell
215
star
6

Invoke-PrintDemon

This is a PowerShell Empire launcher PoC using PrintDemon and Faxhell.
PowerShell
197
star
7

Offensive-VBA-and-XLS-Entanglement

VBA
124
star
8

IronSharpPack

IronSharpPack is a repo of popular C# projects that have been embedded into IronPython scripts that execute an AMSI bypass and then reflective load the C# project.
Python
104
star
9

Long-Live-The-Empire

A comprehensive workshop aimed to equip participants with an in-depth understanding of modern Command and Control (C2) concepts, focusing on the open-source Empire C2 framework.
97
star
10

ScriptBlock-Smuggling

Example code samples from our ScriptBlock Smuggling Blog post
C#
82
star
11

Empire-Cli

CLI Frontend for PowerShell Empire.
Python
44
star
12

Taming-Offensive-IronPython

This workshop is designed to provide you with a solid understanding of IronPython, its integration with the .NET framework, and how it can be used to interact with other .NET languages.
Python
31
star
13

Red-Team-Village-CTF-2023

Secure Terminal CTF Challenge for DC31 Red Team Village
Python
19
star
14

SocksProxyServer-Plugin

Socks Proxy Server Plugin for Invoke-SocksProxy
17
star
15

DeathStarPlugin

Deathstar is an Empire plugin that automates gaining Domain and/or Enterprise Admin rights in Active Directory environments using common offensive tactics, techniques, and procedures (TTPs).
Python
15
star
16

empire-docs

https://bc-security.gitbook.io/empire-wiki/
12
star
17

DEFCONSafeMode

DEFCON Safe Mode Slides
8
star
18

ChiselServer-Plugin

5
star
19

DEFCON24

DEFCON 24 slides and materials.
4
star
20

intro-ctf

Dockerfile
4
star
21

Empire-Compiler

C#
3
star
22

Twilio-Plugin

Python
2
star
23

Empire-Launcher

Python
1
star
24

denylist-plugin

1
star
25

Report-Generation-Plugin

Plugin for replacing the original reporting functionality in Empire with customizable PDFs.
Python
1
star
26

AutoRun-Plugin

Plugin to automatically execute an agent tasking on checkin
1
star