CheckPlease - Payload-Agnostic Sandbox Detection
Offered By: BSidesLV via YouTube
Course Description
Overview
Explore payload-agnostic sandbox detection techniques in this 40-minute conference talk from BSidesLV 2017. Delve into topics such as implant security, sandbox evasion strategies, and encryption methods like Ebola and Hyperion. Learn about foot delay analysis, process profiling, and various detection methods including registry size checks, user activity monitoring, and mouse position tracking. Discover practical implementations in Python, PowerShell, and Ruby, and examine tools like Veil for creating undetectable payloads. Gain insights into flat payload structures, user prompts, and source code analysis techniques to enhance your understanding of sandbox detection and evasion.
Syllabus
Intro
Sandbox Detection
Implant Security Repository
Sleeping
Sandbox evasion 101
Encryption
Ebola
Hyperion
Foot Delay Analysis
Running the Code
How it Works
Demo
Example
Building a profile
Process names
PowerShell example
Windows Updates
Registry Size
User Activity
Maskless
Python
PowerShell
Mouse Position
Lazy dll
Popup box
Popup box Ruby
Message box Ruby
Veil
Pull Request
Demo God
Flat payloads
User prompt
Check source code
Run code
Taught by
BSidesLV
Related Courses
Web Application Architectures (University of New Mexico via Coursera)
Introduction to Web Programming Using the Ruby Language (Rwaq)
Rails with Active Record and Action Pack (Johns Hopkins University via Coursera)
Ruby on Rails: An Introduction (Johns Hopkins University via Coursera)
Ruby on Rails Web Services and Integration with MongoDB (Johns Hopkins University via Coursera)