Simplified Malware Evasion: Entropy & Other Techniques
Will Summerhill

who am i? (will i am)
Will Summerhill
Senior red team consultant, Mandiant Canada (Google Cloud)
Previously PwC, Security Compass.

SOMETHING?
"Make malware SIMPLE again" - Will

Agenda
01 EDR Evasion Theory
02 Entropy Evasion
03 Windows Callback Functions
04 Blue Team Detections

Overview
30,000 foot view of evasion

01 EDR Evasion Theory

EDR Overview
How do EDRs actually detect?
- Signatures
- Heuristics
- Sandboxing
- Entropy: detecting high entropy files
- Etc.

EDR Evasion Theory
Areas of evasion, as per Jackson T.:
1. Avoidance
2. Blending In
3. Blind Spots
4. Tampering Sensors
Reference: https://web.archive.org/web/20230802194854/https://jackson_t.gitlab.io/edr-reversing-evading-01.html (http://bit.ly/4a9HMDk)

EDR Evasion Theory
1. Avoidance
Target systems without AV/EDR altogether
- Running processes
- Program Files folders
- Etc.
"No EDR installed? Let's GO!"

2. Blending In
Hide within expected processes and behaviour (context!)
Poor injection: (diagram)
Better: (diagram)

EDR Evasion Theory
3. Blind Spots
Abuse gaps in detections
- Obfuscation
- Encryption
- Hiding function calls
- Syscalls
- ...

4. Tampering Sensors
Modifying detection software behaviour
- Unhooking
- Patching
- Uninstalling/disabling software
- Firewall telemetry data
Reference: https:/

EDR Evasion Theory
1. Avoidance
2. Blending In
3. Blind Spots - area of focus for this talk!
4. Tampering Sensors

That's sooooo random

02 Entropy Evasion

First off, what is ENTROPY?

Entropy in Malware
- Shellcode/encryption = high entropy (randomness)
- EDRs can have detections for high entropy thresholds of files
- Further context/analysis/detections/machine learning is applied to high-entropy files
- Determine if malicious vs benign

What does this have to do with malware?
Therefore, we can improve evasion by reducing the entropy of our malware!
More entropy = Random = BAD
Less entropy = Order = GOOD

Logarithmic algorithm use
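To make the detection side of this slide concrete, here is an added example (not from the talk) that measures Shannon entropy the way a file-entropy check would, over constructed sample buffers, and adds a sliding window so that a high-entropy blob embedded in an otherwise low-entropy file is not averaged away by the padding around it. The buffers, window size and 7.0 bits/byte threshold are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample buffers (not real samples): plain ASCII text, a repeated
# byte, a perfectly uniform byte distribution, and a mostly-zero file that
# hides a 512-byte uniform blob in the middle.
TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
REPEATED = b"A" * 1024
UNIFORM = bytes(range(256)) * 4
MIXED = b"\x00" * 4096 + bytes(range(256)) * 2 + b"\x00" * 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for a
    uniform spread over all 256 byte values (what encrypted data looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 256, step: int = 64):
    """Entropy of each fixed-size window; a high-entropy region inside an
    otherwise low-entropy file shows up as a peak instead of being diluted."""
    last = max(1, len(data) - window + 1)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last, step)]


def assess(data: bytes, threshold: float = 7.0) -> dict:
    """Whole-file and peak-window entropy compared against a detection threshold."""
    whole = shannon_entropy(data)
    peak_off, peak = max(windowed_entropy(data), key=lambda w: w[1])
    return {
        "whole": round(whole, 3),
        "peak": round(peak, 3),
        "peak_offset": peak_off,
        "flag_whole": whole >= threshold,   # naive whole-file check
        "flag_window": peak >= threshold,   # catches the embedded blob
    }


if __name__ == "__main__":
    for name, buf in [("text", TEXT), ("repeated", REPEATED),
                      ("uniform", UNIFORM), ("mixed", MIXED)]:
        print(name, assess(buf))
```

The MIXED buffer scores well under the threshold as a whole file yet hits 8.0 bits/byte in the window at offset 4096, which is why windowed or section-level entropy is a more robust signal than a single file-wide number.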