Kyle Avery - Avoiding Memory Scanners: Customizing Malware to Evade YARA, PE-sieve, and More


Kyle Avery, Hacker, He/Him

Presentation Title:Avoiding Memory Scanners: Customizing Malware to Evade YARA, PE-sieve, and More

Length of presentation: 45 minutes

Tired of obfuscating strings and recompiling to break signatures? Wish you could keep PE-sieve from ripping your malware out of memory? Interested in learning how to do all of this with your existing COTS or private toolsets?

For years, reverse engineers and endpoint security software have used memory scanning to locate shellcode and malware implants in Windows memory. These tools rely on IOCs such as signatures and unbacked executable memory. This talk will dive into the various methods in which memory scanners search for these indicators and demonstrate a stable evasion technique for each method. A new position-independent reflective DLL loader, AceLdr, will be released alongside the presentation and features the demonstrated techniques to evade all of the previously described memory scanners. The presenter and their colleagues have used AceLdr on red team operations against mature security programs to avoid detection successfully.

This talk will focus on the internals of PE-sieve, MalMemDetect, Moneta, Volatility malfind, and YARA to understand how they find malware in memory and how malware can be modified to fly under their radar consistently.

SPEAKER BIO(S):
Kyle Avery has been interested in computers for his entire life. Growing up, he and his dad self-hosted game servers and ran their own websites. He focused on offensive security in university and has spent the last few years learning about malware and post-exploitation. Kyle previously worked at Black Hills Information Security as a red teamer, specializing in .NET development. He has since moved to lead an internal red team at H-E-B, where he works to improve the organization's security posture through continuous testing of configurations and processes. Before this talk, Kyle hosted BHIS and WWHF webcasts on Covert .NET Tradecraft, Abusing Microsoft Office, and Modern C2 Communications.

https://twitter.com/kyleavery_
https://github.com/kyleavery
https://kyleavery.com

REFERENCES:
Evasion POCs and Blogs:
https://github.com/SecIdiot/FOLIAGE
https://github.com/JLospinoso/gargoyle
https://github.com/thefLink/DeepSleep
https://github.com/SecIdiot/TitanLdr
https://www.unknowncheats.me/forum/a...planation.html
https://www.arashparsa.com/hook-heaps-and-live-free/
https://www.arashparsa.com/bypassing...-i-could-find/
https://www.forrest-orr.net/post/mas...ts-from-moneta

Memory Scanners and Blogs:
https://github.com/hasherezade/pe-sieve
https://github.com/forrest-orr/moneta
https://github.com/waldo-irc/MalMemDetect
https://github.com/CCob/BeaconEye
https://github.com/thefLink/Hunt-Sleeping-Beacons
https://github.com/VirusTotal/yara
https://github.com/countercept/volat...er/gargoyle.py
https://github.com/volatilityfoundat...are/malfind.py
https://blog.f-secure.com/hunting-fo...nning-evasion/
https://www.elastic.co/blog/detectin...ory-signatures

[]