It is a well-known story that hackers are moving laterally inside organizations through Mimikatz for password theft and Credential Dumping in large cyber-army APT operations across countries.

The specifics of this technique entail a variety of high-risk behaviors, including privilege escation, accessing LSASS, and memory dumping, and so on. The major endpoint security products will undoubtedly claim that they can detect and prevent such attacks, but this is not the case.

In this session, we will focus on the tactics of password theft and take an overview of the security solutions used by modern enterprises. And to demonstrate the attacker's point of view with the Project Zero attack practice How to break each one. The end of the session will provide multiple Proof of Concept, suggestions of mitigation, and advice on selecting protection solutions. 

Obfuscated File Extension (OFE) is a classic Web exploit technique. Hackers simply upload a JPG file to the server with arbitrary upload vulnerabilities, then use the contents of the image file as a PHP WebShell to execute. Boom! Take down the entire server.

However, in today's world of cyber attacks, has this technique never been used to attack non-Web enterprises and home computers? The answer is absolutely yes!

In this session, we will talk from the modern malware analyzer to the defense design of today's security solutions and their 1% defense blind spot. Then use several PoCs to explain how the attacker was able to increase the 1% to 100% blind spot for spoofing and winning the trust by security products by OFE tricks.

Real-Time Protection is an essential design for all modern anti-virus and endpoint protection, which scans the executed binaries, detects and blocks the malware immediately. To achieve this protection, the security vendors have used APIs provided by Microsoft to embed their hooks at the Ring0 kernel level. However, is that game of cat and mouse over? ;)

In this session, we will reverse engineer the Windows OS. To understand the Process Creation, Userland IRP, and Kernel Driver design for learning the modern attacker's strategies to escape virus-scan.At the end of the session, we will use several PoC as examples used in the wild to demonstrate how attackers can abuse the issue of scanning timeline, to launch temporal pincher move to avoid anti-virus scan, and we will provide suggestions on mitigation measures and suggestions on select security products for users .

In the era of endless new exploits, Active Defense of Antivirus have already collapsed. Also, the efficient Static Scan is the most important feature of modern antivirus against malware, designed to provide AV/EDR with the ability to detect immediately when it discovers an unknown file that is or is not a known threat, so as to avoid infection.

This technique has evolved from the originally file hash fingerprint, to the now well-known pattern matching (YARA), and even the heuristic-based ML methods to produce patterns automatically against high variant samples as much as possible.

As a result, hackers have advanced their pattern-bypassing tactics to identify and remove anti-virus signature in no time. This allows variant-enhanced malware in the wild to increase rather than decrease even against state-of-the-art AI based detections. However, do we want such detection techniques that chase behind attackers? The blame goes to the fact that classic pattern matching design never considers semantics of execution behavior, making it easy for hackers to bypass.

In this session, we will talk about how the latest variant samples can beat the major pattern matching techniques heavily with simple tricks such as obfuscation, FLA (OLLVM) and RC4 encryption.

To fight against this, we will present a next-generation static scanning idea. Instead of optical scanning of files, a full set of decompilers will be built in to analyze all the static functions in a program file and use symbolic definition of malicious functions to achieve a semantic-aware malware detection engine. Researchers can elastically define malware templates and use this engine to perform excellent detection results on multiple heavily obfuscated samples.