Detection evasion in most enterprise networks is a problem that attackers have to deal with. In the modern enterprise network a number of defenses can intercept and block, detonate or analyze your malware/agent before it even achieves execution on a target. But what if an attacker could create malware that was supported by the target machine and not supported by the sandbox or other detection tools? The idea of keyed malware is not new; however, this talk looks at keying malware to leverage x86 Instruction Set Architecture (ISA) features supported by specific Intel and AMD CPUs, instead of from a higher-level abstraction as has been done previously with malware keyed to the operating system. In this talk, I will demonstrate and showcase how x86 instruction set architecture (ISA) specific features that allow for sandbox detection and bypass in instances where the x86 ISA version is mismatched between the target environment and the analysis environment. I will discuss and demonstrate methods for implementing ISA detection bypass techniques into the malware development lifecycle. Additionally, I will discuss the ramifications of an ever growing instruction set for the enterprise defender.
Chris Hernandez, Red Team Manager at Code42
Chris Hernandez (@piffd0s) is the red team manager at Code42, a former member of the Veris group adaptive threat division, and a former high performance computing (HPC) system administrator. From an early age Chris has been interested in the low level workings of computers. When not hacking, Chris would rather be outside on a mountain top.