As seen at AppSec Village @ DEF CON 31
The Challenge: How to Hide Behavior from Security Tools
Detecting application behavior by monitoring library and system calls is a popular technique employed by AppSec tools: they can log activity, block API requests, and so on. In this on-demand workshop, you will learn techniques for keeping your activities hidden from such tools, using uncommon or unmonitored APIs, unmonitored processes as confused deputies, and other approaches. You will also learn how popular monitoring frameworks built on eBPF work and how to circumvent their monitoring capabilities.
Take the challenge at your convenience: https://github.com/deepfactor-io/appsec-village-pod-dc31
Challenge Outline
- Overview of monitoring by API interception
  - How tools categorize behavior
  - Static rules vs behavior catalogs
- Lab setup
  - Where to get the exercises, where to run them, etc.
- Simple Exercises
  - Evade libc detection through static compilation
  - Evade detection by changing the process name
- Difficult Exercises
  - Evade detection by making use of a confused deputy
    - File-based operations
    - Network-based operations
  - Evade detection by not using system calls
    - io_uring
  - Evade detection by using uncommon syscalls to do what you want
    - prctl, fcntl, sendfile, others
    - write/read variants
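As an added example (not code from the workshop repository), the Linux C program below performs the same two tasks, writing a file and renaming the running process, through several of the entry points listed in the outline: the ordinary libc write(), the pwrite()/writev() variants, a raw syscall(SYS_write) that skips the libc wrapper, a kernel-side sendfile() copy, a /bin/cp child acting as confused deputy, and prctl(PR_SET_NAME). The /tmp paths, the sample payload and the assumption that /bin/cp exists are all constructed for this demo.

```c
/* Added example: one task, many kernel entry points (Linux, glibc). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/sendfile.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Read back `path` and report whether its contents equal `expected` (1/0). */
int file_equals(const char *path, const char *expected) {
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

/* Write `msg` to `path` through the entry point selected by `how`:
 *   0  write()             the libc symbol / syscall most hooks watch
 *   1  pwrite()            same bytes, different symbol and syscall (pwrite64)
 *   2  writev()            one-element iovec, yet another symbol/syscall pair
 *   3  syscall(SYS_write)  raw trap: no libc wrapper, so LD_PRELOAD hooks miss it
 * Returns bytes written, or -1 on error / unknown `how`. */
long write_variant(const char *path, const char *msg, int how) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(msg);
    struct iovec iov = { (void *)msg, len };
    long n = -1;
    switch (how) {
    case 0: n = write(fd, msg, len); break;
    case 1: n = pwrite(fd, msg, len, 0); break;
    case 2: n = writev(fd, &iov, 1); break;
    case 3: n = syscall(SYS_write, fd, msg, len); break;
    }
    close(fd);
    return n;
}

/* Copy src to dst with sendfile(): the bytes never enter user space, so a
 * monitor waiting for a read()/write() pair on the data sees neither.
 * Returns bytes copied or -1. */
long copy_with_sendfile(const char *src, const char *dst) {
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { close(in); return -1; }
    long n = sendfile(out, in, NULL, 1 << 16);
    close(in);
    close(out);
    return n;
}

/* Confused deputy: let an unrelated, typically unmonitored binary (/bin/cp,
 * assumed present) do the file operation. This process never opens src or dst,
 * so per-process file rules keyed on our PID or name record nothing.
 * Returns the deputy's exit status (0 = success), or -1 if spawn/wait failed. */
int copy_via_deputy(const char *src, const char *dst) {
    char *argv[] = { "cp", (char *)src, (char *)dst, NULL };
    pid_t pid;
    int status;
    if (posix_spawn(&pid, "/bin/cp", NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Rename the calling thread: /proc/<pid>/comm, ps and many agents' process-name
 * fields now show `name` (the kernel keeps at most 15 characters).
 * Returns 1 if the new name reads back via PR_GET_NAME. */
int rename_self(const char *name) {
    char got[16] = {0};
    if (prctl(PR_SET_NAME, name, 0, 0, 0) != 0) return 0;
    if (prctl(PR_GET_NAME, got, 0, 0, 0) != 0) return 0;
    return strncmp(got, name, 15) == 0;
}

int main(void) {
    const char *msg = "constructed sample payload\n";   /* demo data */
    const char *names[] = { "write", "pwrite", "writev", "raw syscall" };
    for (int how = 0; how < 4; how++) {
        long n = write_variant("/tmp/dc31_variant.txt", msg, how);
        printf("%-12s wrote %ld bytes, readback ok=%d\n", names[how], n,
               file_equals("/tmp/dc31_variant.txt", msg));
    }
    printf("sendfile copied %ld bytes\n",
           copy_with_sendfile("/tmp/dc31_variant.txt", "/tmp/dc31_sendfile.txt"));
    printf("deputy cp exit=%d\n",
           copy_via_deputy("/tmp/dc31_variant.txt", "/tmp/dc31_deputy.txt"));
    printf("renamed=%d\n", rename_self("kworker/u2:1"));
    return 0;
}
```

Build with `gcc -o variants variants.c` and run it under `strace -f -e trace=write,pwrite64,writev,sendfile,execve,prctl ./variants` to see which syscall each path actually hits and that the cp child's file activity is attributed to its own PID. The raw syscall case only defeats hooks that live in libc (LD_PRELOAD shims, function patching); a syscall-level monitor built on eBPF tracepoints or kprobes still sees every variant, which is why the workshop treats "not using system calls" (io_uring) and the confused deputy as the harder exercises.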