AppSec Village will take place at Savoy, 3rd Floor, Flamingo Corporate Convention Center, Las Vegas.
Deepfactor will have four 2-hour POD (Practical-on-Demand) Challenge sessions during AppSec Village:
– August 11: 3:00-5:00pm
– August 12: 12:00-2:00pm and 3:00-5:00pm
– August 13: 12:00-2:00pm
The Challenge: How to Hide Behavior from Security Tools
Detecting application behavior by monitoring library and system calls is a popular technique employed by AppSec tools. These tools can monitor and log activity, block API requests, and so on. In this workshop, you will learn some techniques to keep your activities hidden from these types of tools, using uncommon / unmonitored APIs, using unmonitored processes as confused deputies, and other approaches. You will learn how popular monitoring frameworks like eBPF work and how to circumvent their monitoring capabilities.
Challenge Outline
- Overview of monitoring by API interception
- How tools categorize behavior
- Static rules vs behavior catalogs
- Lab setup
- Where to get the exercises, where to run them, etc.
- Simple Exercises
- Evade libc detection through static compilation
- Evade detection by changing process name
- Difficult Exercises
- Evade detection by making use of confused deputy
- File based operations
- Network based operations
- Evade detection by not using system calls
- io-uring
- Evade detection by using uncommon syscalls to do things you want
- prctl, fnctl, sendfile, others
- write/read variants
- Evade detection by making use of confused deputy