Evading Detection: A Beginner's Guide to Obfuscation

Defenders are constantly adapting their security to counter new threats. Our mission is to identify how they plan on securing their systems and avoid being identified as a threat. This is a hands-on class to learn the methodology behind malware delivery and avoiding detection. This workshop explores the inner workings of Microsoft's Antimalware Scan Interface (AMSI), Windows Defender, and Event Tracing for Windows (ETW). We will learn how to employ obfuscated malware using Visual Basic (VB), PowerShell, and C# to avoid Microsoft's defenses. Students will learn to build AMSI bypass techniques, obfuscate payloads from dynamic and static signature detection methods, and learn about alternative network evasion methods.

Objectives

  • Understand the use and employment of obfuscation in red teaming.
  • Demonstrate the concept of least obfuscation.
  • Introduce Microsoft's Antimalware Scan Interface (AMSI) and explain its importance.
  • Demonstrate obfuscation methodology for .NET payloads.