Emerging Red Team Tactics
This presentation will cover some of the latest techniques used in red team operations. We will discuss infrastructure, serverless deployments, phishing, obfuscation, malware development, and more specifically EDR evasion in enterprise and OT environments. Code samples are provided in the slides, along with many links that inspired parts of this talk. This talk is pretty straightforward. Because my employer does not allow me to release custom code, I cover known techniques used by red teams and adversaries, give them minor tweaks, or bring awareness to their existence. The talk starts with a typical infrastructure section, then covers some serverless (Lambda) deployment options and the known tool RedWarden, while suggesting that a more mature team implement its own tooling equivalent to something like RedWarden. Next it goes into phishing and how there needs to be a shift in mindset from the classic phish-and-get-a-callback to a slower, more methodical approach using either a streamed DLL hijack or a sideload of common applications. A large library of different loaders is supplied, with some extra references on how to get started with that portion of coding. Entropy is covered and visualized to give more context on how EDR or AV can scan for it, and then we cover how to minimize it being flagged. There is also a quick bit on timestamp authority signing and how that can help legitimize malware on delivery. A large portion on EDR evasion still needs some updates, so the version I am sending is a bit behind; that is the next part to be reworked before my next presentations.
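The entropy point above is the one most worth seeing in working code from the defender's side. The following is an added example, not code from the talk or its slides: it computes Shannon entropy over a constructed file image in which a small high-entropy blob (standing in for an encrypted or packed payload) is embedded in a large low-entropy document, and shows why a sliding-window scan catches what a single whole-file entropy score does not. The window size, step and 7.0-bit threshold are assumptions chosen for the illustration, not values from any particular EDR or AV product.

```python
import math
import random
from collections import Counter

# Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
# perfectly uniform one. Encrypted or compressed data sits close to 8.0;
# plain text and most native code sit well below it.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Sliding-window scan: report every window whose entropy reaches the
# threshold. Offsets are byte offsets of the window start.
def scan_windows(data: bytes, window: int = 256, step: int = 128,
                 threshold: float = 7.0) -> list[tuple[int, float]]:
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits

# Constructed sample (assumption, not a real file): 8 KiB of repeated text,
# then 1 KiB of pseudo-random bytes from a fixed seed, then 8 KiB of text.
TEXT_SIZE = 8192
BLOB_SIZE = 1024
_text = (b"The quick brown fox jumps over the lazy dog.\n" * 400)[:TEXT_SIZE]
_rng = random.Random(7)
_blob = bytes(_rng.randrange(256) for _ in range(BLOB_SIZE))
SAMPLE = _text + _blob + _text
BLOB_START, BLOB_END = TEXT_SIZE, TEXT_SIZE + BLOB_SIZE

# Whole-file score: the blob is diluted by the surrounding text, so a
# scanner that only looks at this number would not flag the file.
def whole_file_entropy() -> float:
    return shannon_entropy(SAMPLE)

# Windowed scan: only windows overlapping the embedded blob should fire.
def flagged_regions() -> list[tuple[int, float]]:
    return scan_windows(SAMPLE)

if __name__ == "__main__":
    print(f"whole-file entropy: {whole_file_entropy():.2f} bits/byte")
    for off, h in flagged_regions():
        print(f"high-entropy window at offset {off:#x}: {h} bits/byte")
```

The design choice worth noting for detection work is the window size: a whole-file score is trivially diluted by padding the payload with low-entropy data, whereas a window that is smaller than the payload cannot be diluted that way and localizes the suspicious region for further inspection.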
About the Speaker
Sean Hopkins is a DEF CON black badge winner for social engineering. He is currently a lead red team engineer for a Fortune 30 company, and was formerly a red team engineer at an NSA-accredited DoD agency. He has experience testing OT systems, large enterprises, CI/CD pipelines, and many other types of systems.