2024-12-14, Clappy Monkey Track
Ever tried to get a callback from a client device only to be continually thwarted by their EDR, so you then have to ask for an exclusion to be placed on a specific folder? Join Red Teamer David Kennedy as he walks you through a novel way of approaching this conundrum by (ab)using trusted binaries that EDRs normally pay very little attention to.
This presentation will cover the execution of these trusted binaries on Windows, as well as running them in ways that even the original developers haven't advertised as being possible via 'undocumented features' within their code! With these techniques, struggling to get access to your client's infrastructure should hopefully become a thing of the past, or at least until these binaries are no longer trusted!
Security professionals are locked in a constant cat-and-mouse game with attackers who continuously find creative ways to bypass modern defences. One such technique is Bring Your Own Trusted Binaries (BYOTB)©, where attackers use legitimate, signed or checksum-verified binaries which may not be present on the host machine to achieve their aims. Since these binaries are often trusted by the OS and EDR solutions, they are less likely to raise red flags, providing attackers with a stealthy way to circumvent traditional security mechanisms.
This session will explore how the BYOTB technique works, some examples of trusted binaries and why they are so effective at bypassing EDR solutions.
I'll cover:
- Understanding the BYOTB idea: I will explain which trusted binaries are used and how they can provide access to external adversaries and testers alike.
- EDR and Firewall Evasion Tactics: I will demonstrate how adversaries leverage trusted binaries to exploit gaps in EDR detection as well as bypassing modern firewalls.
- Detection and Mitigation Strategies: The concluding section of the talk will focus on defensive measures. I’ll discuss practical detection techniques, including monitoring the usage of known binaries, and implementing tighter security controls around execution policies for certain trusted binaries.
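The detection idea in the last bullet (monitoring known binaries and their expected locations) can be turned into a simple baseline check. The following is an added example written for this page, not code from the talk or from JUMPSEC: it runs over a few constructed, Sysmon-style process-creation events and flags signed binaries that are either absent from the host's baseline inventory (a "brought" binary) or known but executing outside their inventoried install directory. The event format, the `BASELINE` table and the sample hashes are all constructed for illustration.

```python
"""Flag process creations that look like 'bring your own trusted binary' activity:
a signed binary missing from the host baseline, or a known binary running from
an unexpected (typically user-writable) directory."""
import re
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon Event ID 1 style (not real logs).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|Signed=true|Signature=Microsoft Windows"
    "|Hashes=SHA256=AAA1|ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=C:\\Users\\alice\\Downloads\\tool.exe|Signed=true|Signature=Example Vendor"
    "|Hashes=SHA256=BBB2|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Program Files\\Vendor\\vendor-cli.exe|Signed=true|Signature=Example Vendor"
    "|Hashes=SHA256=CCC3|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\vendor-cli.exe|Signed=true|Signature=Example Vendor"
    "|Hashes=SHA256=CCC3|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Users\\carol\\Desktop\\notes.exe|Signed=false|Signature="
    "|Hashes=SHA256=DDD4|ParentImage=C:\\Windows\\explorer.exe",
]

# Constructed baseline: SHA256 of every binary inventoried on the gold image, mapped to
# the directory it is installed in. A real baseline comes from the asset inventory.
BASELINE = {
    "AAA1": "C:\\Windows\\System32",
    "CCC3": "C:\\Program Files\\Vendor",
}

# Directories a standard user can write to; a trusted binary launched from here is
# more likely to have been dropped than installed.
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\", re.IGNORECASE
)


@dataclass
class Finding:
    image: str
    reason: str
    severity: str


def parse_event(line):
    """Split 'key=value|key=value' into a dict; only the first '=' separates key from value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event):
    """Return a Finding for BYOTB-like executions, or None for expected ones."""
    image = event["Image"]
    directory = image.rsplit("\\", 1)[0]
    sha256 = event["Hashes"].split("=", 1)[1]
    signed = event["Signed"].lower() == "true"
    severity = "high" if USER_WRITABLE.search(image) else "medium"

    if not signed:
        # Unsigned code is the EDR's ordinary problem; this check is about trusted binaries.
        return None
    if sha256 not in BASELINE:
        return Finding(image, "signed binary not in host baseline inventory", severity)
    expected = BASELINE[sha256]
    if directory.lower() != expected.lower():
        return Finding(image, f"known binary running outside its inventoried path {expected}", severity)
    return None


def scan(lines):
    """Run classify over raw event lines and keep only the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image}: {finding.reason}")
```

Keying the baseline on the file hash rather than the file name is what catches the second `vendor-cli.exe`: it is byte-identical to the inventoried copy, so name- or signer-based allowlisting would pass it, but its launch directory does not match where the inventory says it lives.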
This talk is geared towards a technical audience, including Red Teamers and Pentesters looking to understand how to exploit these techniques as well as Blue Teamers interested in improving their detection and mitigation strategies. Attendees will leave with actionable insights into how they can detect BYOTB techniques in their environments, as well as best practices for preventing such attacks from slipping through the cracks.
David is a Red Teamer at JUMPSEC. Before working in Cyber Security he worked for many years in financial services IT, focusing on trading systems. These days he is passionate about all things Adversary Simulation, especially exploring and researching the latest techniques with regard to modern Red Teaming infrastructure.