Jargon & Jigsaw: Shellcode Obfuscation | Mike Saunders скачать в хорошем качестве

Jargon & Jigsaw: Shellcode Obfuscation | Mike Saunders

🔗 Join us in-person and virtually at our Wild West Hackin' Fest: information security conferences — https://wildwesthackinfest.com/ 🔗 Register for Infosec Webcasts, Anti-casts & Summits. – https://poweredbybhis.com In this talk, Mike will cover two highly effective techniques for obfuscating shellcode in your payloads. Jargon is a shellcode obfuscation method that substitutes dictionary words in place of shellcode bytes. This provides two benefits - your loader doesn't have any shellcode, and the use of dictionary words reduces the entropy of your loader, sidestepping entropy detections built into some AV & EDR. Jigsaw is a shellcode obfuscation routine designed to hide your shellcode without requiring encryption. This eliminates possible signatures related to including encryption libraries in your payload while also avoiding significant increases in entropy. 00:00 - Intro 00:54 - Slide deck location 01:13 - whoami 01:48 - The importance of entropy 02:33 - Entropy and compressibility 04:23 - Entropy of languages 06:22 - Crowdstrike detection 06:56 - Anti-entropy tactics 08:14 - Adding language makes file highly compressible 08:45 - Jargon creates a shellcode loader that does not contain shellcode 09:22 - Any printable character set may be used 10:33 - 256 - word translation table 12:24 - Decoding at runtime 14:24 - Defender and other agents detected the decoding - countermeasures 15:56 - DEMO: Jargon getting past Crowdstrike 17:09 - Try It Yourself 17:22 - Apologies to defenders - no detection for this (maybe frequency analysis?) 18:10 - Q&A - Can you use languages other than English? 20:45 - Q&A - Entropy 22:01 - Q&A - What is the level of entropy that would be detected? 23:04 - Q&A - Is entropy checked across the entire file, or just a section? 24:58 - JIGSAW PRESENTATION 26:30 - Jigsaw - How does it work? 29:10 - Putting the puzzle back together 33:18 - Try JIGSAW 35:33 - Q&A - Are there any default signatures in the code that could be used for detection if unaltered? 37:03 - Q&A - Staged vs stageless payloads 38:11 - Q&A - Use these obfuscation tools to evade DLP? 39:20 - Q&A - Merging Jargon and Jigsaw? (no) ///Black Hills Infosec Socials Twitter:   / bhinfosecurity   Mastodon: https://infosec.exchange/@blackhillsi... LinkedIn:   / antisyphon-training   Discord:   / discord   ///Black Hills Infosec Shirts & Hoodies https://spearphish-general-store.mysh... ///Black Hills Infosec Services Active SOC: https://www.blackhillsinfosec.com/ser... Penetration Testing: https://www.blackhillsinfosec.com/ser... Incident Response: https://www.blackhillsinfosec.com/ser... ///Backdoors & Breaches - Incident Response Card Game Backdoors & Breaches: https://www.backdoorsandbreaches.com/ Play B&B Online: https://play.backdoorsandbreaches.com/ ///Antisyphon Training Pay What You Can: https://www.antisyphontraining.com/pa... Live Training: https://www.antisyphontraining.com/co... On Demand Training: https://www.antisyphontraining.com/on... Antisyphon Discord:   / discord   Antisyphon Mastodon: https://infosec.exchange/@Antisy_Trai... ///Educational Infosec Content Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/ Wild West Hackin' Fest YouTube:    / wildwesthackinfest   Antisyphon Training YouTube:    / antisyphontraining   Active Countermeasures YouTube:    / activecountermeasures   Threat Hunter Community Discord:   / discord   Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/