APTs Way - Evading Your EBNIDS

Offered By: Black Hat via YouTube

Course Description

Overview

Explore advanced techniques for evading Emulation Based Network Intrusion Detection Systems (EBNIDS) in this Black Hat conference talk by Ali Abbasi and Jos Wetzels. Delve into the limitations of signature-based intrusion detection systems against sophisticated attackers and learn how EBNIDSes aim to address these shortcomings. Discover novel evasion methods targeting the pre-processing, emulation, and heuristic detection stages of EBNIDSes. Examine intrinsic and implementation limitations, including context-keyed payload encoding, random decryption algorithms, and fragmentation techniques. Gain insights into kernel32.dll resolution heuristic evasion, stack constructing shellcode, and anti-disassembly methods. Witness demonstrations of heuristics evasion and emulator detection, and understand the challenges posed by unsupported instructions in the context of advanced persistent threats (APTs) and government-sponsored attackers.

Syllabus

Intro
Signature Based IDS
Limitations of Signature-Based NIDS: Attackers change a byte of the payload and evade detection
Emulation-Based NIDS, a Giant Leap
How Emulation-Based NIDS Works
Pre-Processing
Basic Heuristics Detection
Additional Heuristics
Syscall Process Memory Scanning
Evasions
Intrinsic Limitations
Unavailable Context Data
Context Keyed Payload Encoding
Execution Threshold Random Decryption Algorithm (RDA)
Fragmentation
Implementation Limitations
Kernel32.dll Resolution Heuristic Evasion
Evading Kernel32.dll Heuristic using SEH Chain
Kernel32.dll Heuristic Evasion using Stack Frame Walking
Stack Constructing Shellcode GetPC+PRT evasion
Egg Hunt (Using API)
Heuristics Evasion Demo
Timing
Emulator Detection Demo
Anti-Disassembly
Unsupported Instructions
Questions?

Taught by

Black Hat
