DISCOUNT PHISH BURN BETTER and USER MODE API HOOKS AND BYPASSES


Details
Note: THIS IS AN ONLINE EVENT! Link to stream will be released here prior to the event.
THE SPEAKER
Magnus Stubman, Security Advisor at Improsec and former security consultant at F-Secure and Zacco.
https://www.linkedin.com/in/magnusstubman/
Magnus started his career as a software developer and later turned his attention to cyber security, specifically attack and penetration testing, both digital and physical. Today Magnus specializes in Red Teaming.
Magnus will do something we haven't facilitated in OWASP CPH before: a double presentation that takes you on a technical security ride. Keep reading to learn more...
THE TALKS
TALK 1 : DISCOUNT PHISH BURN BETTER
- Did my e-mail provider detect my malicious intent?
- Was there an e-mail gateway that saw my malware?
- Did it land in the junk/spam folder?
- Has the victim even seen it or read it yet?
- Did he/she click the link, or did it seem suspicious?
- Did the malware download properly?
- Was it analysed in a sandbox?
- Did the Anti-Virus detect it? What about EDR?
- Maybe the SOC is torturing my malware in a lab environment right now?
- Maybe it executed fine, but just stopped working due to a bug?
- Was the outbound C2 traffic blocked or, even worse, detected?
Have you ever asked yourself one of the above questions, or wondered what life is like for an attacker trying to run a successful (spear) phishing campaign? "Discount Phish Burn Better" is a talk about how an attacker can improve the odds of successfully phishing a victim by reducing the cost of payload/malware development.
TALK 2 : USER MODE API HOOKS AND BYPASSES
- Can I upload my tools to the compromised workstation without being detected, or do I have to stay in memory?
- Will the EDR detect it if I use process injection to migrate to e.g. explorer.exe?
- Can I dump LSASS and steal NTLM hashes?
- Can I backdoor an application, e.g. Citrix Receiver, to escalate privileges when another user logs in?
On-host security products such as Anti-Virus (AV) and Endpoint Detection and Response (EDR) aim to have sufficient visibility of the host to ensure that attackers can't operate without being detected. One of the techniques such products use is known as Win32 API hooking in user mode: the product patches the first instructions of selected API functions so that every call is routed through its own inspection code. However, the user-mode components of these APIs (DLLs such as ntdll.dll and kernel32.dll) are loaded into, and owned by, the calling process. The process itself can therefore inspect the hooked bytes, overwrite them with the original prologue, or simply not call the hooked functions at all and use its own implementation of the API functionality, avoiding the hooks altogether. This talk will give an introduction to Win32 APIs, modules, API hooks and the different bypass techniques that may be essential to avoiding detection.
WHO CAN PARTICIPATE?
The event is open to everyone, but it is highly technical.
Photo: Blake Connally, Unsplash.com