├── .github
│   └── FUNDING.yml
├── Hack_to_Basics_Adapting_Exploit_Frameworks_to_Evade_Microsoft_ATP.pdf
├── Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf
├── README.md
└── workshop
    ├── samples
    │   └── Samples.zip
    └── workshop.md

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: [bc-security]
--------------------------------------------------------------------------------
/Hack_to_Basics_Adapting_Exploit_Frameworks_to_Evade_Microsoft_ATP.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/DEFCON27/6384e1f3eb38cfcfd11e7a74d095b73f992e6147/Hack_to_Basics_Adapting_Exploit_Frameworks_to_Evade_Microsoft_ATP.pdf
--------------------------------------------------------------------------------
/Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/DEFCON27/6384e1f3eb38cfcfd11e7a74d095b73f992e6147/Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[1.1]: http://i.imgur.com/tXSoThF.png (twitter icon with padding)
[2.1]: http://i.imgur.com/P3YfQoD.png (facebook icon with padding)
[3.1]: http://i.imgur.com/yCsTjba.png (google plus icon with padding)
[4.1]: http://i.imgur.com/YckIOms.png (tumblr icon with padding)
[5.1]: http://i.imgur.com/1AGmwO3.png (dribbble icon with padding)
[6.1]: http://i.imgur.com/0o48UoR.png (github icon with padding)

[1]: https://twitter.com/bcsecurity1
[2]: http://www.facebook.com/XXXXXXX
[3]: https://plus.google.com/XXXXXXX
[4]: http://XXXXXXX.tumblr.com
[5]: http://dribbble.com/XXXXXXX
[6]: http://www.github.com/BC-SECURITY
[7]: https://www.bc-security.org/blog

# DEFCON27
[![alt text][1.1]][1]
[![alt text][6.1]][6]

Keep up-to-date on our blog at [https://www.bc-security.org/blog][7]

## Hack to Basics – Adapting Exploit Frameworks to Evade Microsoft ATP
When: August 10, 2019 1000-1050
Where: Recon Village

Many pentesters are avoiding existing frameworks due to security improvements from Microsoft and smarter practices by network admins. Red teams don't have to throw away existing tools because their attacks are being thwarted, and contrary to belief, PowerShell is not dead. We updated existing tools and demonstrated that they can still be used to launch successful attacks. We want to get back to the basics and demonstrate that successful attacks are still possible by modifying tools like Empire.

Our pentest used open-source intelligence (OSINT) to learn a ridiculous amount about our targets to launch spearphishing attacks. We used a targeted macro-enabled doc to launch our PowerShell code, which we developed from a complex academic process (failures, more obfuscation, more failures, success, ????, and Profit).

We will go over the methods employed by Microsoft Advanced Threat Protection (ATP) in both its antivirus and its sandbox environment, and how we enumerated and characterized their system to avoid detection. In addition, we avoided detection by Darktrace on a commercial network by masking our JA3 signature and weaponized Microsoft Azure for our covert C2 channel. In the end, we were able to launch a successful attack against a large company using Empire and our wits.

* [Slides](./Hack_to_Basics_Adapting_Exploit_Frameworks_to_Evade_Microsoft_ATP.pdf)

## Introduction to Sandbox Evasion and AMSI Bypasses
When: August 9, 2019 1430-1830
Where: Flamingo, Red Rock IV

Microsoft is constantly adapting their security to counter new threats. Specifically, the introduction of the Microsoft Antimalware Scan Interface (AMSI) and its integration with Windows Defender has significantly raised the bar. In this hands-on class, we will learn the methodology behind obfuscating malware and avoiding detection. Students will explore the inner workings of Windows Defender and learn to employ AMSI bypass techniques and obfuscate malware using Visual Basic (VB) and PowerShell. Students will then identify and evade sandbox environments to ensure the payloads are masked when arriving at the intended target. The final capstone will tie all the concepts together.

In this workshop we will:
1. Introduce AMSI and explain its importance
2. Learn to analyze malware scripts before and after execution
3. Understand how to obfuscate code to avoid AMSI and Windows Defender
4. Detect and avoid sandbox environments

### Workshop Resources
* [Workshop Resources](./workshop/workshop.md)
* [Slides](./Introduction_to_AMSI_Bypasses_and_Sandbox_Evasion.pdf)
--------------------------------------------------------------------------------
/workshop/samples/Samples.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BC-SECURITY/DEFCON27/6384e1f3eb38cfcfd11e7a74d095b73f992e6147/workshop/samples/Samples.zip
--------------------------------------------------------------------------------
/workshop/workshop.md:
--------------------------------------------------------------------------------
# Introduction to Sandbox Evasion and AMSI Bypasses

Here you will find all of the resources and setup. Please have these things ready at the start of the workshop.

## Kali VM Setup
1. Download the **Kali VM** from [offensive-security.com](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)

2. Download **Empire** from the dev branch of [BC-Security's fork](https://github.com/BC-SECURITY/Empire). We've [made modifications](https://github.com/BC-SECURITY/Empire/pull/1/files) required for the course.
```sh
git clone https://github.com/BC-SECURITY/Empire.git
cd Empire
git checkout dev
sudo ./setup/install.sh
sudo ./setup/reset.sh
```

## Windows 10 VM Setup
1. Download the **Windows 10 VM** from [microsoft.com](https://developer.microsoft.com/en-us/windows/downloads/virtual-machines)

2. Download our sample scripts from the [samples directory](./samples). These will be used throughout the workshop. Don't extract them until after creating an exclusion in the next step.

3. Create a "defcon" directory on your desktop, then add a Windows Defender exclusion for that directory. [Steps on microsoft.com](https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-security)

4. Extract the samples zip to the excluded directory. The .zip is password protected so that Windows Defender does not quarantine the samples on download. The password is `defcon`.

5. We included a copy of [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) in the samples zip.

In PowerShell as an admin:
```powershell
cd ~/Desktop/defcon/Samples/Samples/Invoke-Obfuscation-master
./start-up.ps1
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
```

6. Install Office 365 from [office.com](https://www.office.com)
--------------------------------------------------------------------------------