In the current cybersecurity world, both Anti-Virus (AV) and Endpoint Detection and Response (EDR) solutions are becoming more and more successful at blocking emerging threats. External attackers need to develop highly sophisticated payloads to circumvent all these security controls, raising the bar for defenders to detect them as well as for threat emulators to emulate them. Although useful, are these controls enough to block more complex malware? This talk will go over the most successful techniques used to bypass AV and EDR controls, and the tradecraft theory used in malware to evade EDRs and other endpoint controls. It will primarily focus on general techniques that allow malware and other payloads to evade signature-based detection, behavioural analysis, and user-land hooking. The talk will then present Inceptor, a recent AV and EDR bypass framework I’ve developed and open-sourced, highlighting some of its features, implemented to aid red teamers and pentesters during operations. By the end of this talk, the audience should have a detailed overview of how to use Inceptor, along with other tricks and OPSEC considerations useful for developing payloads that can run undetected.
Defeating AV and EDR solutions in user-land by chaining well-known deception techniques
Alessandro Magnosi is a senior cyber security consultant with more than 10 years of experience in the IT field. Currently, Alessandro is part of the Security Testing Team at BSI, which is the UK national standards body and a global certification, training and cybersecurity firm.
On top of his regular work, Alessandro is an independent researcher for Synack RT and a passionate offensive tradecraft developer.