NorthSec 2024

Simplified Malware Evasion - Entropy and other Techniques
2024-05-17 , Ville-Marie

Malware development and evasion techniques are becoming more difficult each day. EDRs are implementing signature-based detection, behaviour-based detection, as well as entropy-based detection techniques. Shellcode is often encoded/encrypted which can cause payloads to have high entropy (randomness), therefore being detected and blocked by EDRs.

This presentation is the journey of a red teamer - improving their tools with simple techniques and learning about evasion and Windows internals along the way.

Through this talk, we will review the high-level theory behind evasion and present unique approaches to evasion techniques, including entropy reduction and shellcode callbacks. We will present a novel tool to reduce entropy via dictionary word shellcode encoding, and use Windows callback functions to launch our shellcode.

Furthermore, an overview of detecting these novel techniques will be discussed to help blue teamers in their jobs. Detection methods discussed include using YARA rules, ETW, and PE file memory scanners.

Participants will benefit from this talk in many ways. Red teamers can now immediately benefit from the tool, which is publicly released, along with C#/C++ Code samples. And Blue teamers can learn how to better detect these advanced techniques.


What is the language of your talk/workshop?

English

Will Summerhill is a senior security consultant with Mandiant Canada on the Proactive team performing red teams, purple teams, and penetration testing assessments. He has been in offensive security consulting for over 7 years and has 10 years of information security experience combined. He teaches red teaming classes to clients and taught a penetration testing course at the post-grad college level.

This speaker also appears in: