APTs Way - Evading Your EBNIDS

Offered By: Black Hat via YouTube

Course Description

Overview

Explore advanced techniques for evading Emulation-Based Network Intrusion Detection Systems (EBNIDS) in this Black Hat conference talk by Ali Abbasi and Jos Wetzels. Delve into the limitations of signature-based intrusion detection systems against sophisticated attackers and learn how EBNIDSes aim to address these shortcomings. Discover novel evasion methods targeting the pre-processing, emulation, and heuristic detection stages of EBNIDSes. Examine intrinsic and implementation limitations, including context-keyed payload encoding, random decryption algorithms, and fragmentation techniques. Gain insights into kernel32.dll resolution heuristic evasion, stack-constructing shellcode, and anti-disassembly methods. Witness demonstrations of heuristics evasion and emulator detection, and understand the challenges posed by unsupported instructions in the context of advanced persistent threats (APTs) and government-sponsored attackers.

Syllabus

Intro
Signature Based IDS
Limitations of Signature-Based NIDS: attackers change a byte of the payload and evade detection
Emulation-Based NIDS, a Giant Leap
How Does Emulation-Based NIDS Work?
Pre-Processing
Basic Heuristics Detection
Additional Heuristics
Syscall Process Memory Scanning
Evasions
Intrinsic Limitations
Unavailable Context Data
Context Keyed Payload Encoding
Execution Threshold Random Decryption Algorithm (RDA)
Fragmentation
Implementation Limitations
Kernel32.dll Resolution Heuristic Evasion
Evading Kernel32.dll Heuristic using SEH Chain
Kernel32.dll Heuristic Evasion using Stack Frame Walking
Stack Constructing Shellcode GetPC+PRT evasion
Egg Hunt (Using API)
Heuristics Evasion Demo
Timing
Emulator Detection Demo
Anti-Disassembly
Unsupported Instructions
Questions?

Taught by

Black Hat
