6. Sebastian Feldmann and Philipp Schmied: Busting Redteam Trends with Style - Lessons Learned

  • Published: 9 Sep 2024
  • This talk describes a custom ETW-based Sysmon replacement which we built from scratch and use to fingerprint state-of-the-art threat actors and popular red team techniques, such as (in)direct syscalls, various sleep masks, module proxying and call stack spoofing. Its events remain Sysmon-compatible but are enriched with additional information, and new event types are introduced as well.
    With regard to threat hunting, we discuss the limitations and blind spots of the events emitted by Sysmon and show how our events keep Sysmon compatibility while carrying additional context that makes an analyst's life easier. Further telemetry relevant for hunting state-of-the-art threat actors, such as RPC, call stack and syscall monitoring, is introduced, and we demonstrate how popular offensive tooling techniques generate new, unexpected IOCs that are visible in our telemetry and events.
    Subsequently, we explain the architecture we use to collect and correlate events from different ETW providers at scale, and discuss the challenges we faced during development and how we solved them.
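As an added example (not code from the talk or from the speakers' tool), the following Python script shows the kind of IOC the abstract alludes to: once syscall events carry a call stack, direct syscalls and syscalls issued from unbacked memory become visible as stack anomalies. The event schema (`SyscallEvent`, `Frame`) and the sample events are constructed for this example; the two heuristics are the well-known ones (return address of the syscall instruction outside ntdll.dll, and a frame not backed by any loaded image), not a description of the tool's actual detection logic.

```python
"""
Hunting over call-stack-enriched syscall events (constructed example).

Heuristics used here (generic, not specific to the talk's tool):
  * direct-syscall: the return address of the syscall instruction
    (frames[0]) is not inside ntdll.dll, i.e. the caller executed its
    own "syscall" instruction instead of the Nt* stub.
  * unbacked-frame: some frame is not backed by a mapped image
    (module is None), typical of injected shellcode / reflective code.
  * indirect-syscall-from-unbacked: frames[0] is the ntdll stub but the
    frame right above it is unbacked, the usual shape of an indirect
    syscall issued from shellcode.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    address: int
    module: Optional[str]  # None = address not backed by any loaded image


@dataclass
class SyscallEvent:
    pid: int
    image: str
    syscall: str
    # frames[0] is the return address of the syscall instruction itself
    frames: List[Frame] = field(default_factory=list)


def _in_ntdll(frame: Frame) -> bool:
    return (frame.module or "").lower() == "ntdll.dll"


def classify(ev: SyscallEvent) -> List[str]:
    """Return the list of IOC labels that apply to one syscall event."""
    findings: List[str] = []
    if not ev.frames:
        return ["no-callstack"]
    ret = ev.frames[0]
    if not _in_ntdll(ret):
        findings.append("direct-syscall")
    if any(f.module is None for f in ev.frames):
        findings.append("unbacked-frame")
    if len(ev.frames) > 1 and _in_ntdll(ret) and ev.frames[1].module is None:
        findings.append("indirect-syscall-from-unbacked")
    return findings


def hunt(events: List[SyscallEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that matched."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample events (hypothetical addresses and process names).
EVENTS = [
    # benign: NtAllocateVirtualMemory reached via the normal Win32 path
    SyscallEvent(1234, "notepad.exe", "NtAllocateVirtualMemory", [
        Frame(0x7FF8AAAA1234, "ntdll.dll"),
        Frame(0x7FF8BBBB5678, "kernelbase.dll"),
        Frame(0x00007FF6CC001000, "notepad.exe"),
    ]),
    # direct syscall from injected code: no ntdll frame at all
    SyscallEvent(4321, "svchost.exe", "NtAllocateVirtualMemory", [
        Frame(0x000001C0DEAD0010, None),
        Frame(0x000001C0DEAD0200, None),
    ]),
    # indirect syscall: jumps into the ntdll stub, but the caller is unbacked
    SyscallEvent(4321, "svchost.exe", "NtProtectVirtualMemory", [
        Frame(0x7FF8AAAA1234, "ntdll.dll"),
        Frame(0x000001C0DEAD0300, None),
        Frame(0x7FF8CCCC9000, "kernel32.dll"),
    ]),
]


if __name__ == "__main__":
    for idx, labels in hunt(EVENTS).items():
        ev = EVENTS[idx]
        print(f"pid={ev.pid} {ev.image} {ev.syscall}: {', '.join(labels)}")
```

Run it as-is and only the two injected-code events are reported; the benign notepad.exe call produces no findings. Call stack spoofing is precisely an attempt to defeat these checks by forging plausible ntdll/kernelbase frames, which is why the abstract pairs call stack telemetry with syscall and RPC monitoring rather than relying on one source alone.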

Comments • 1

  • @ollir5791 2 months ago +1

    Awesome talk, any plans to make Weasel public?