SlideShare a Scribd company logo

DEFCON 21: EDS: Exploitation Detection System Slides

Download as PPTX, PDF
Amr Thabet
Amr Thabet

This is my presentation at Defcon 21 about a new concept named Exploitation Detection System (EDS) and about my tool EDS.

TechnologyBusiness
1 of 75
EDS: Exploitation Detection System By Amr Thabet Q-CERT
About The Author Amr Thabet (@Amr_Thabet) Malware Researcher at Q-CERT The Author of:  Security Research and Development Framework (SRDF)  Pokas x86 Emulator Wrote a Malware Analysis Paper for Stuxnet Company Logo
Introduction Now the APT Attack become the major threat Bypasses all defenses Standards and Policies doesn’t work Bypasses IDS, IPS, Firewalls .. etc Company Logo
Introduction The Attacker uses:  Client-side attacks and exploits  Spear-phishing attacks Uses undetectable malwares Uses HTTP and HTTPs Attack the servers from the infected clients Company Logo
Introduction The Next Security Technology is the : “Exploitation Detection Systems” EDS is only way to stop Attacks from behind Stop Attacks from Client-Side Stop successful exploitation for a 0-day Company Logo
Company Logo Improvements in Defense Security Technology Improvements EDS IDS Firewall Antivirus
Introduction The Talk today is about:  EDS as a concept and next technology  EDS: the new tool that I created  The Development of EDS  SRDF Framework (adv  ) I will try to explain everything for who don’t know about Exploits … etc Company Logo
Company Logo Contents Development and Future work Monitoring System Mitigations in Depth The Design of EDS Motivation and Goals
Goals Stop Exploitation for new 0-days Works with Memory Corruption Exploits Detect Compromised Processes Prevent and/or Alert of Exploited Processes Company Logo
Memory Corruption Vulnerabilities Simply write data in places you are not intended to write on it Like:  Pointers  Return addresses Change how the application behave Check: www.corelan.be Company Logo
Antivirus vs EDS EDS is not signature based EDS doesn’t detect malware EDS main goal to stop exploitation EDS is memory based EDS searches for evidence of Memory corruption and indication of compromise Company Logo
Previous Work Compile-Time Solutions:  Takes Long time to affect  Always there’s exceptions Current Run-time Solutions:  Only One Layer of Defense  On-Off Mitigations  No detection of this layer was bypassed or not  A fight between false positives and false negatives Company Logo
What’s New? Co-operative Mitigations Based on Scoring System Prevention and Alerting Infected processes Additional layer with Monitoring System Company Logo
Design of EDS Company Logo
Design of EDS Payload Detection:  Shellcode Detection  ROP Chain Detection Security Mitigations For Stack:  ROP Detection Security Mitigation For Heap:  Heap Overflow  Heap Spray  Use After Free Company Logo
Design of EDS Scoring System:  Based On Payload Detection and Security Mitigations  Scoring Based on Payload, Attack Vector and The Process abnormal behavior Company Logo
Design of EDS Monitoring System:  Searches for Evidence of Exploitation  Detect bypassed Mitigations  Alert the Administrators to Take Action  Looking at the previous EDS reports for this process Company Logo
Mitigation In Depth: Payload Increase the score of suspiciously Detect suspicious inputs and tries for exploitation. Divided Into:  Shellcode Detection  ROP Chain Detection Company Logo
What’s Shellcode? It is simply a portable native code Sent as a bunch of bytes in a user input Do a specific action when the processor executes it The attacker modify the return address to point to it. Company Logo
What’s Shellcode? It gets its place in memory Then it gets the kernel32 DLL place in memory Get windows functions (APIs) from it And then … ATTACK Check: http://www.codeproject.com/Articles/32 5776/The-Art-of-Win32-Shellcoding Company Logo
What’s Shellcode Some shellcodes shouldn’t have null bytes (sent as string) Some are encrypted There’s a loop to decrypt it Some are in ascii Some doesn’t include loop but many pushes (to be in ascii) Company Logo
Shellcode Detection Goals:  Very fast shellcode detector  Very hard to bypass … min false negative  Low false positive Company Logo
Shellcode Detector Static Shellcode Detector Divided into 3 phases:  Indication of Possible Shellcode (GetPC … etc)  Filter by invalid or privileged Instructions  Filter by Flow Analysis Company Logo
Indication of Possible Shellcode Search for Loops  Jump to previous  Call to previous (Call Delta)  Loop Instruction Company Logo
Indication of Possible Shellcode High rate of pushes end with flow redirection Search for fstenv followed with at least 5 valid instructions after it Company Logo
Skip Invalid Instructions We skip all invalid instructions. We skip all privileged instructions like: IN, OUT, INT, INTO, IRETD, WAIT, LO CK, HLT … etc  Skip Instructions with unknown Behavior like: JP, AAM, AAD, AAA, DAA, SALC, XLAT, SAHF, LAHF, LES, DES, Company Logo
Flow Analysis Check on ESP Modifications through loops  If there’s many pushes with no pops in loops Check on Compares and Jccs in th code  Search for Jcc without compare or similar before it. Check on % of Nulls and Null-Free Company Logo
Shellcode Statistics Company Logo Scan per page False Positives in range 4% Infected Pages All of these samples are legitimate File Type Total No of Pages Infected Pages Presentage Pcap 381 40 2% Pcap 11120 543 4% Wmv 104444 4463 4%
Shellcode Statistics It detects all Metasploit Shellcodes Detects all working shellcodes in Shellstorm (win32 – ASLR Bypass) Detected Encoded Shellcodes by metasploit Encoders Manual Evasion is possible Company Logo
What’s ROP Chain Very small code in a legitimate dll End with “ret” instruction Attackers uses a series of it All of them together = a working shellcode Used to bypass DEP Company Logo
ROP Chain Detection It’s a very simple ROP Detection Search for Return with these criteria:  the address is inside an executable page in a module  the return address not following a call  Followed by ret or equivalent instructions in the next 16 bytes  Not Following series of (0xCC) Company Logo
Stack Mitigations We detect ROP Attacks The Mitigation is named “Wrong Module Switching” We detect SEH Overwrite We scan for Leaked ROP chains (which not overwritten) Company Logo
ROP Attack Vector ROP are used to bypass DEP They mostly ret to VirtualProtect API Make the shellcode’s memory executable Or calls to another windows APIs Company Logo
Wrong Module Switching Detect ROP Attacks Based on Stack Back-tracing Company Logo
Wrong Module Switching Hooks in Kernel-Mode on win32 Uses SSDT Hooking Hooking on WOW64 for win64 Hook Specific APIs Hooks:  VirtualProtect and similar functions  CreateProcess and similar  Network and Socket APIs  And more Company Logo
Wrong Module Switching Using Stack Backtracing to Return to The API Caller Checks the API Call are:  Check The Call to this API or not  Check The Parameters  Check the next Call Stack if it calls to the function that calls to the API  Check The SEH if it’s in the same module  Check if there’s null parameters  Near return address after the call  And more Gives a score to API call Company Logo
Wrong Module Switching Check on Different Calls like:  Call dword ptr [<kernel32.API>]  Lea eax, <kernel32.API> call eax  Call API API:Jmp dword ptr [<kernel32.API>] Company Logo
Wrong Module Switching Category Parameters based on:  CONST: push xxxxxxxxh OR lea eax, [xxxxxxxh] push eax  STACK: lea eax, [ebp +/- xxxxh] push eax  REGISTER: push exx  UNKNOWN: push any Company Logo
Wrong Module Switching Demo on ShellExecute Company Logo
Demo: Hooking Firefox with EDS Company Logo
Demo: Force Firefox to create Process Company Logo
Demo: The call stack to ShellExecute Company Logo
Demo: The ShellExecute Params Company Logo
Demo: The Action Scoring Company Logo
Demo: a Vulnerable application Company Logo
Demo: Running and Hooking it Company Logo
Demo: The Action Scoring and Detection Company Logo
SEH Mitigation SEH is a linked list of pointers to functions handle an error Very basic Mitigation Saves the SEH Linked List Check if it ends differently Company Logo
Mitigations For Heap We mitigate these attack vectors:  Heap Overflow  Heap Spray  Heap Use After Free Hooks GlobalAlloc and jemalloc Create a new Header for memory allocations Company Logo
New Header Design It’s Divided Into 2 Headers Company Logo
Design of Buffer Header This is a Header in a separate Buffer It points to the buffer It get the Caller Module and the allocation Time It checks for vtable inside the buffer and Mark it as Important It reset everything in ~ 2 secs Company Logo
Overflow Mitigation It checks for:  Nulls: to stop the string overwrite  Cookie: to stop managed overwrite It’s used mainly against jemalloc Company Logo
HeapSpray Mitigation It searches for Allocations:  Many Allocations from the same Module  Large Memory Usage  In very small time Take 2 random buffers Scan for shellcode and ROP chains Company Logo
Use-After-Free Mitigation Scans for vtable inside buffers Delay the free for these buffers Wipe them with 0xBB Free them at the end of the slot ~ 2 secs Detect Attacks when access 0xBB in Heap Company Logo
Put All together It does 2 type of scanning:  Critical Scanning: when calls to an API to check ROP Attack or detect HeapSpray .. etc  Periodical Scanning: That’s the monitoring system Company Logo
Scoring System It’s based on the Mitigation It stop the known Attacks and terminate the Process Alert for suspicious Inputs Take Dump of the Process Company Logo
Monitoring System It scans Periodically Checks for possible Attacks Like:  Check Executable Places in Stack  Check Executable Places in Memory Mapped Files  Search for ROP Chains and Shellcode in Stack and Heap  Check Threads running in place outside memory  And many more Company Logo
Future Work We are planning to create a central Server Receives Alerts and warning Monitoring Exploitations on client machine With a graphical Dashboard Company Logo
Future Work: Dashboard The Dashboard includes Suspicious Processes in all Machines Includes the files loaded inside the suspicious processes (PDF, DOC … etc) Includes IPs of these processes connect to (after review the Privacy policy) Company Logo
Future Work: Dashboard EDS will become your Memory and Exploitation Monitor. Will correlate with your network tools Will be your defense inside the client More Intelligent than Antivirus Better Response Company Logo
Dashboard: What you can Detect Using this Dashboard you can detect:  Suspicious PDF or Word File many people opened it: it could be an email sent to many people in the company Company Logo
Dashboard: What you can Detect Using this Dashboard you can detect:  In small time … IE for many employees become suspicious with similar shellcode: could be a suspicious URL visited by a phishing mail Company Logo
Dashboard: What you can Detect Using this Dashboard you can detect:  You can detect suspicious IPs did a scanning over your network and now suspicious processes connect to it Company Logo
Development The EDS is based on SRDF “Security Research and Development Framework” Created by Amr Thabet Includes 3 main contributors Company Logo
SRDF development framework Support writing security tools Anti-Malware and Network Tools Mainly in windows and C++ Now creating linux SRDF and implementation on python Company Logo
SRDF Features Parsers:  PE and ELF Parsers  PDF Parser  Andoid (APK or/and DEX) Parser Static Analysis:  Include wildcard like YARA  x86 Assembler and Disassembler  Android Delivk Java Disassembler Company Logo
SRDF Features Dynamic Analysis:  Full Process Analyzer  Win32 Debugger  x86 Emulator for apps and shellcodes Behavior Analysis:  API Hooker  SSDT Hooker (for win32)  And others Company Logo
SRDF Features Network Analysis  Packet Capturing using WinPcap  Pcap File Analyzer  Flow Analysis and Session Separation  Protocol Analysis: tcp, udp, icmp and arp  App Layer Analysis: http and dns  Very Object Oriented design  Very scalable Company Logo
SRDF Very growing community I will present it in Become a part of this growing community Company Logo
SRDF Reach it at:  Website: www.security-framework.com  Source: https://github.com/AmrThabet/winSRDF  Twitter: @winSRDF Join us Company Logo
What we reach in EDS We developed the Mitigations separately We tested the Shellcode Scanner on real shellcodes Still testing on real world scenarios Join us and help us. Company Logo
Reach Us Still there’s no website for EDS You can reach us at SRDF Website: www.security-framework.com And my Twitter: @Amr_Thabet Just mail me if you have any feedback  Amr.thabet[@#!*^]owasp.org Company Logo
Conclusion EDS is the new security tool for this Era The Last line to defend against APT Attacks Still we are in the middle of the Development SRDF is the main backbone for it Join Us Company Logo
Big Thanks to Jonas Lekyygaurd Anwar Mohamed Corlan Team All Defcon Team Big thanks for YOU Company Logo
DEFCON 21: EDS: Exploitation Detection System Slides

Recommended

DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...securityxploded
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackersAntonio Parata
 

Recommended

DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
Continuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanContinuous Integration: Live Static Analysis with Puma Scan
Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...securityxploded
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackersAntonio Parata
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoorsn|u - The Open Security Community
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingCysinfo Cyber Security Community
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guidesecurityxploded
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitationRaghunath G
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualizationsecurityxploded
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Zhen Huang
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwaressecurityxploded
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsAbdulrahman Bassam
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 

More Related Content

What's hot

Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationCysinfo Cyber Security Community
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияPositive Hack Days
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данныхPositive Hack Days
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingCysinfo Cyber Security Community
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guidesecurityxploded
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitationRaghunath G
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualizationsecurityxploded
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Zhen Huang
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwaressecurityxploded
 

What's hot (20)

Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Внедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполненияВнедрение безопасности в веб-приложениях в среде выполнения
Внедрение безопасности в веб-приложениях в среде выполнения
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
На страже ваших денег и данных
На страже ваших денег и данныхНа страже ваших денег и данных
На страже ваших денег и данных
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversing
 
Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Seh based exploitation
Seh based exploitationSeh based exploitation
Seh based exploitation
 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 

Similar to DEFCON 21: EDS: Exploitation Detection System Slides

Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsAbdulrahman Bassam
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Code Review Looking for a vulnerable code. Vlad Savitsky.
Code Review Looking for a vulnerable code. Vlad Savitsky.Code Review Looking for a vulnerable code. Vlad Savitsky.
Code Review Looking for a vulnerable code. Vlad Savitsky.DrupalCampDN
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsCysinfo Cyber Security Community
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Benelux
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive SecurityCloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive SecurityCloudreach
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Legacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsAppZero
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016Joe Ferguson
 
Using PHPStan with Laravel App
Using PHPStan with Laravel AppUsing PHPStan with Laravel App
Using PHPStan with Laravel AppMuhammad Shehata
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...Joe Ferguson
 
Viruses and Anti-Viruses
Viruses and Anti-VirusesViruses and Anti-Viruses
Viruses and Anti-VirusesAyman Hussein
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 

Similar to DEFCON 21: EDS: Exploitation Detection System Slides (20)

Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Code Review Looking for a vulnerable code. Vlad Savitsky.
Code Review Looking for a vulnerable code. Vlad Savitsky.Code Review Looking for a vulnerable code. Vlad Savitsky.
Code Review Looking for a vulnerable code. Vlad Savitsky.
 
Reversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basicsReversing malware analysis training part10 exploit development basics
Reversing malware analysis training part10 exploit development basics
 
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
Sophos Day Belgium - This is Next-Gen IT Security (Sophos Intercept X)
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept X
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive SecurityCloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
Cloudreach Voices - Stay Ahead of the Hackers; a Guide to Offensive Security
 
MobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android AppsMobSecCon 2015 - Dynamic Analysis of Android Apps
MobSecCon 2015 - Dynamic Analysis of Android Apps
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Legacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris Applications
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016
 
Using PHPStan with Laravel App
Using PHPStan with Laravel AppUsing PHPStan with Laravel App
Using PHPStan with Laravel App
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...
 
Viruses and Anti-Viruses
Viruses and Anti-VirusesViruses and Anti-Viruses
Viruses and Anti-Viruses
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

DEFCON 21: EDS: Exploitation Detection System Slides

  • 1. EDS: Exploitation Detection System By Amr Thabet Q-CERT
  • 2. About The Author Amr Thabet (@Amr_Thabet) Malware Researcher at Q-CERT The Author of:  Security Research and Development Framework (SRDF)  Pokas x86 Emulator Wrote a Malware Analysis Paper for Stuxnet Company Logo
  • 3. Introduction Now the APT Attack become the major threat Bypasses all defenses Standards and Policies doesn’t work Bypasses IDS, IPS, Firewalls .. etc Company Logo
  • 4. Introduction The Attacker uses:  Client-side attacks and exploits  Spear-phishing attacks Uses undetectable malwares Uses HTTP and HTTPs Attack the servers from the infected clients Company Logo
  • 5. Introduction The Next Security Technology is the : “Exploitation Detection Systems” EDS is only way to stop Attacks from behind Stop Attacks from Client-Side Stop successful exploitation for a 0-day Company Logo
  • 6. Company Logo Improvements in Defense Security Technology Improvements EDS IDS Firewall Antivirus
  • 7. Introduction The Talk today is about:  EDS as a concept and next technology  EDS: the new tool that I created  The Development of EDS  SRDF Framework (adv  ) I will try to explain everything for who don’t know about Exploits … etc Company Logo
  • 8. Company Logo Contents Development and Future work Monitoring System Mitigations in Depth The Design of EDS Motivation and Goals
  • 9. Goals Stop Exploitation for new 0-days Works with Memory Corruption Exploits Detect Compromised Processes Prevent and/or Alert of Exploited Processes Company Logo
  • 10. Memory Corruption Vulnerabilities Simply write data in places you are not intended to write on it Like:  Pointers  Return addresses Change how the application behave Check: www.corelan.be Company Logo
  • 11. Antivirus vs EDS EDS is not signature based EDS doesn’t detect malware EDS main goal to stop exploitation EDS is memory based EDS searches for evidence of Memory corruption and indication of compromise Company Logo
  • 12. Previous Work Compile-Time Solutions:  Takes Long time to affect  Always there’s exceptions Current Run-time Solutions:  Only One Layer of Defense  On-Off Mitigations  No detection of this layer was bypassed or not  A fight between false positives and false negatives Company Logo
  • 13. What’s New? Co-operative Mitigations Based on Scoring System Prevention and Alerting Infected processes Additional layer with Monitoring System Company Logo
  • 15. Design of EDS Payload Detection:  Shellcode Detection  ROP Chain Detection Security Mitigations For Stack:  ROP Detection Security Mitigation For Heap:  Heap Overflow  Heap Spray  Use After Free Company Logo
  • 16. Design of EDS Scoring System:  Based On Payload Detection and Security Mitigations  Scoring Based on Payload, Attack Vector and The Process abnormal behavior Company Logo
  • 17. Design of EDS Monitoring System:  Searches for Evidence of Exploitation  Detect bypassed Mitigations  Alert the Administrators to Take Action  Looking at the previous EDS reports for this process Company Logo
  • 18. Mitigation In Depth: Payload Increase the score of suspiciously Detect suspicious inputs and tries for exploitation. Divided Into:  Shellcode Detection  ROP Chain Detection Company Logo
  • 19. What’s Shellcode? It is simply a portable native code Sent as a bunch of bytes in a user input Do a specific action when the processor executes it The attacker modify the return address to point to it. Company Logo
  • 20. What’s Shellcode? It gets its place in memory Then it gets the kernel32 DLL place in memory Get windows functions (APIs) from it And then … ATTACK Check: http://www.codeproject.com/Articles/32 5776/The-Art-of-Win32-Shellcoding Company Logo
  • 21. What’s Shellcode Some shellcodes shouldn’t have null bytes (sent as string) Some are encrypted There’s a loop to decrypt it Some are in ascii Some doesn’t include loop but many pushes (to be in ascii) Company Logo
  • 22. Shellcode Detection Goals:  Very fast shellcode detector  Very hard to bypass … min false negative  Low false positive Company Logo
  • 23. Shellcode Detector Static Shellcode Detector Divided into 3 phases:  Indication of Possible Shellcode (GetPC … etc)  Filter by invalid or privileged Instructions  Filter by Flow Analysis Company Logo
  • 24. Indication of Possible Shellcode Search for Loops  Jump to previous  Call to previous (Call Delta)  Loop Instruction Company Logo
  • 25. Indication of Possible Shellcode High rate of pushes end with flow redirection Search for fstenv followed with at least 5 valid instructions after it Company Logo
  • 26. Skip Invalid Instructions We skip all invalid instructions. We skip all privileged instructions like: IN, OUT, INT, INTO, IRETD, WAIT, LO CK, HLT … etc  Skip Instructions with unknown Behavior like: JP, AAM, AAD, AAA, DAA, SALC, XLAT, SAHF, LAHF, LES, DES, Company Logo
  • 27. Flow Analysis Check on ESP Modifications through loops  If there’s many pushes with no pops in loops Check on Compares and Jccs in th code  Search for Jcc without compare or similar before it. Check on % of Nulls and Null-Free Company Logo
  • 28. Shellcode Statistics Company Logo Scan per page False Positives in range 4% Infected Pages All of these samples are legitimate File Type Total No of Pages Infected Pages Presentage Pcap 381 40 2% Pcap 11120 543 4% Wmv 104444 4463 4%
  • 29. Shellcode Statistics It detects all Metasploit Shellcodes Detects all working shellcodes in Shellstorm (win32 – ASLR Bypass) Detected Encoded Shellcodes by metasploit Encoders Manual Evasion is possible Company Logo
  • 30. What’s ROP Chain Very small code in a legitimate dll End with “ret” instruction Attackers uses a series of it All of them together = a working shellcode Used to bypass DEP Company Logo
  • 31. ROP Chain Detection It’s a very simple ROP Detection Search for Return with these criteria:  the address is inside an executable page in a module  the return address not following a call  Followed by ret or equivalent instructions in the next 16 bytes  Not Following series of (0xCC) Company Logo
  • 32. Stack Mitigations We detect ROP Attacks The Mitigation is named “Wrong Module Switching” We detect SEH Overwrite We scan for Leaked ROP chains (which not overwritten) Company Logo
  • 33. ROP Attack Vector ROP are used to bypass DEP They mostly ret to VirtualProtect API Make the shellcode’s memory executable Or calls to another windows APIs Company Logo
  • 34. Wrong Module Switching Detect ROP Attacks Based on Stack Back-tracing Company Logo
  • 35. Wrong Module Switching Hooks in Kernel-Mode on win32 Uses SSDT Hooking Hooking on WOW64 for win64 Hook Specific APIs Hooks:  VirtualProtect and similar functions  CreateProcess and similar  Network and Socket APIs  And more Company Logo
  • 36. Wrong Module Switching Using Stack Backtracing to Return to The API Caller Checks the API Call are:  Check The Call to this API or not  Check The Parameters  Check the next Call Stack if it calls to the function that calls to the API  Check The SEH if it’s in the same module  Check if there’s null parameters  Near return address after the call  And more Gives a score to API call Company Logo
  • 37. Wrong Module Switching Check on Different Calls like:  Call dword ptr [<kernel32.API>]  Lea eax, <kernel32.API> call eax  Call API API:Jmp dword ptr [<kernel32.API>] Company Logo
  • 38. Wrong Module Switching Category Parameters based on:  CONST: push xxxxxxxxh OR lea eax, [xxxxxxxh] push eax  STACK: lea eax, [ebp +/- xxxxh] push eax  REGISTER: push exx  UNKNOWN: push any Company Logo
  • 39. Wrong Module Switching Demo on ShellExecute Company Logo
  • 40. Demo: Hooking Firefox with EDS Company Logo
  • 41. Demo: Force Firefox to create Process Company Logo
  • 42. Demo: The call stack to ShellExecute Company Logo
  • 43. Demo: The ShellExecute Params Company Logo
  • 44. Demo: The Action Scoring Company Logo
  • 45. Demo: a Vulnerable application Company Logo
  • 46. Demo: Running and Hooking it Company Logo
  • 47. Demo: The Action Scoring and Detection Company Logo
  • 48. SEH Mitigation SEH is a linked list of pointers to functions handle an error Very basic Mitigation Saves the SEH Linked List Check if it ends differently Company Logo
  • 49. Mitigations For Heap We mitigate these attack vectors:  Heap Overflow  Heap Spray  Heap Use After Free Hooks GlobalAlloc and jemalloc Create a new Header for memory allocations Company Logo
  • 50. New Header Design It’s Divided Into 2 Headers Company Logo
  • 51. Design of Buffer Header This is a Header in a separate Buffer It points to the buffer It get the Caller Module and the allocation Time It checks for vtable inside the buffer and Mark it as Important It reset everything in ~ 2 secs Company Logo
  • 52. Overflow Mitigation It checks for:  Nulls: to stop the string overwrite  Cookie: to stop managed overwrite It’s used mainly against jemalloc Company Logo
  • 53. HeapSpray Mitigation It searches for Allocations:  Many Allocations from the same Module  Large Memory Usage  In very small time Take 2 random buffers Scan for shellcode and ROP chains Company Logo
  • 54. Use-After-Free Mitigation Scans for vtable inside buffers Delay the free for these buffers Wipe them with 0xBB Free them at the end of the slot ~ 2 secs Detect Attacks when access 0xBB in Heap Company Logo
  • 55. Put All together It does 2 type of scanning:  Critical Scanning: when calls to an API to check ROP Attack or detect HeapSpray .. etc  Periodical Scanning: That’s the monitoring system Company Logo
  • 56. Scoring System It’s based on the Mitigation It stop the known Attacks and terminate the Process Alert for suspicious Inputs Take Dump of the Process Company Logo
  • 57. Monitoring System It scans Periodically Checks for possible Attacks Like:  Check Executable Places in Stack  Check Executable Places in Memory Mapped Files  Search for ROP Chains and Shellcode in Stack and Heap  Check Threads running in place outside memory  And many more Company Logo
  • 58. Future Work We are planning to create a central Server Receives Alerts and warning Monitoring Exploitations on client machine With a graphical Dashboard Company Logo
  • 59. Future Work: Dashboard The Dashboard includes Suspicious Processes in all Machines Includes the files loaded inside the suspicious processes (PDF, DOC … etc) Includes IPs of these processes connect to (after review the Privacy policy) Company Logo
  • 60. Future Work: Dashboard EDS will become your Memory and Exploitation Monitor. Will correlate with your network tools Will be your defense inside the client More Intelligent than Antivirus Better Response Company Logo
  • 61. Dashboard: What you can Detect Using this Dashboard you can detect:  Suspicious PDF or Word File many people opened it: it could be an email sent to many people in the company Company Logo
  • 62. Dashboard: What you can Detect Using this Dashboard you can detect:  In small time … IE for many employees become suspicious with similar shellcode: could be a suspicious URL visited by a phishing mail Company Logo
  • 63. Dashboard: What you can Detect Using this Dashboard you can detect:  You can detect suspicious IPs did a scanning over your network and now suspicious processes connect to it Company Logo
  • 64. Development The EDS is based on SRDF “Security Research and Development Framework” Created by Amr Thabet Includes 3 main contributors Company Logo
  • 65. SRDF development framework Support writing security tools Anti-Malware and Network Tools Mainly in windows and C++ Now creating linux SRDF and implementation on python Company Logo
  • 66. SRDF Features Parsers:  PE and ELF Parsers  PDF Parser  Andoid (APK or/and DEX) Parser Static Analysis:  Include wildcard like YARA  x86 Assembler and Disassembler  Android Delivk Java Disassembler Company Logo
  • 67. SRDF Features Dynamic Analysis:  Full Process Analyzer  Win32 Debugger  x86 Emulator for apps and shellcodes Behavior Analysis:  API Hooker  SSDT Hooker (for win32)  And others Company Logo
  • 68. SRDF Features Network Analysis  Packet Capturing using WinPcap  Pcap File Analyzer  Flow Analysis and Session Separation  Protocol Analysis: tcp, udp, icmp and arp  App Layer Analysis: http and dns  Very Object Oriented design  Very scalable Company Logo
  • 69. SRDF Very growing community I will present it in Become a part of this growing community Company Logo
  • 70. SRDF Reach it at:  Website: www.security-framework.com  Source: https://github.com/AmrThabet/winSRDF  Twitter: @winSRDF Join us Company Logo
  • 71. What we reach in EDS We developed the Mitigations separately We tested the Shellcode Scanner on real shellcodes Still testing on real world scenarios Join us and help us. Company Logo
  • 72. Reach Us Still there’s no website for EDS You can reach us at SRDF Website: www.security-framework.com And my Twitter: @Amr_Thabet Just mail me if you have any feedback  Amr.thabet[@#!*^]owasp.org Company Logo
  • 73. Conclusion EDS is the new security tool for this Era The Last line to defend against APT Attacks Still we are in the middle of the Development SRDF is the main backbone for it Join Us Company Logo
  • 74. Big Thanks to Jonas Lekyygaurd Anwar Mohamed Corlan Team All Defcon Team Big thanks for YOU Company Logo