SAINTCON 2023 - Trevor O'Donnal - Red vs Blue: The Eternal Arms Race

Explore the eternal arms race between red and blue teams in cybersecurity: red teams use tactics like phishing and DLL sideloading to gain access and evade detection, blue teams answer with countermeasures like user-land API hooking and AMSI scanning, and red teams in turn develop AMSI bypasses and other evasions to stay ahead.

Key takeaways
  • Red teaming involves testing the detection and response capabilities of a client, using tactics like phishing and social engineering to gain access to the network.
  • The biggest problem for red teams is getting past antivirus and EDR systems, which are constantly evolving to detect and block attacks.
  • The arms race between red and blue teams drives innovation, with red teams finding new ways to evade detection and blue teams developing new detection methods.
  • One tactic used by red teams is DLL sideloading: a malicious DLL is placed where a trusted, signed Windows binary will find and load it by name, so the attacker's code runs inside a process that defenders already trust.
  • Another tactic is app domain injection, in which a .NET process is made to load an attacker-supplied assembly into an app domain of its own, so the code runs under a trusted host process and is much harder to attribute to the attacker.
  • Blue teams have developed countermeasures like user-land hooking, in which the EDR patches API functions (typically the Nt* stubs in ntdll.dll) inside each process's memory so that every call passes through its inspection code before reaching the kernel.
  • Red teams have answered with countermeasures of their own, such as AMSI bypasses that patch or disable the Antimalware Scan Interface in the current process, so scripts and .NET assemblies loaded in memory are never handed to the antivirus engine for scanning.
  • Red teams often build custom malware and payloads rather than reusing public tooling, because no existing signature matches code the vendors have never seen.
  • Obfuscating a .NET payload with ConfuserEx makes it difficult for blue teams to detect: it renames symbols, scrambles control flow and encrypts strings and method bodies, so the assembly shares no recognisable byte sequences with the original and looks like random noise to a signature scanner.
  • Red teams often hide malicious activity behind benign-seeming files and applications, for example an HTML Application (.hta) presented to the user as a document.
  • Blue teams may use behavioral analysis to detect malicious activity, but user-land hooks see nothing if the malware never calls the hooked functions in ntdll.dll, for example because it issues the system calls directly itself.
  • Red teams use persistence mechanisms like launch agents so their implant is started again after a reboot or logout instead of dying with the process that delivered it.
  • The use of .NET and the Covenant C2 framework (itself written in .NET) makes it easier for red teams to develop and deploy malware.
  • Blue teams may use signature detection to identify malware, but red teams evade it by changing the bytes of the binary (rebuilding, packing or obfuscating it) or by using custom malware for which no signature exists.
  • The arms race between red and blue teams is ongoing, with each side constantly evolving to stay ahead of the other.
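The user-land hooking and direct-syscall points above come down to one check that both sides perform: are the first bytes of an ntdll Nt* stub still the clean prologue, or have they been overwritten with a jump into the EDR? The following is an added example, not code from the talk or from any tool it mentions. It classifies stub prologues, and, for a hooked stub, recovers the syscall number from an unhooked neighbour using the assumption behind the "Halo's Gate" technique (consecutive Nt* stubs carry consecutive syscall numbers). All sample stubs are constructed here; the names and numbers are illustrative, not taken from a specific Windows build. Only read_live_stub touches a real process and it is Windows-only.

```python
"""
Prologue inspection for x64 ntdll syscall stubs: detect user-land hooks and
recover the syscall number (SSN) so a syscall can be issued directly.

Every Nt*/Zw* export in an unhooked x64 ntdll.dll begins with the pattern:

    4C 8B D1          mov  r10, rcx
    B8 nn nn nn nn    mov  eax, <SSN>
    ...
    0F 05             syscall
    C3                ret

An EDR's user-land hook overwrites the start of the stub with a jump into
its own DLL, so the prologue no longer matches.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, imm32
SYSCALL_RET = b"\x0f\x05\xc3"          # syscall ; ret


@dataclass
class StubReport:
    name: str
    hooked: bool
    reason: str
    ssn: Optional[int] = None


def classify_stub(name: str, code: bytes) -> StubReport:
    """Decide whether the first bytes of ntdll!<name> look like an intact stub."""
    if len(code) < 8:
        return StubReport(name, True, "too short to be a syscall stub")
    if code[0] == 0xE9:                       # jmp rel32
        return StubReport(name, True, "starts with JMP rel32 (E9)")
    if code[:2] == b"\xff\x25":               # jmp [rip+disp32]
        return StubReport(name, True, "starts with JMP [rip+disp32] (FF 25)")
    if code[:4] != CLEAN_PROLOGUE:
        return StubReport(name, True, f"unexpected prologue {code[:4].hex()}")
    ssn = int.from_bytes(code[4:8], "little")
    if SYSCALL_RET not in code:
        return StubReport(name, True, "mov eax present but no syscall;ret", ssn)
    return StubReport(name, False, "clean", ssn)


def recover_ssn(target: str, stubs: List[Tuple[str, bytes]]) -> Optional[int]:
    """
    Recover the SSN of a hooked stub from its nearest unhooked neighbour.

    `stubs` must be ordered by export address. Assumption (the basis of the
    "Halo's Gate" technique): neighbouring Nt* stubs carry consecutive
    syscall numbers, so a clean stub k positions away has SSN -/+ k.
    """
    names = [n for n, _ in stubs]
    i = names.index(target)
    for k in range(1, len(stubs)):
        for j, sign in ((i - k, +1), (i + k, -1)):
            if 0 <= j < len(stubs):
                rep = classify_stub(*stubs[j])
                if not rep.hooked:
                    return rep.ssn + sign * k
    return None  # every neighbour is hooked too


def read_live_stub(name: str, length: int = 32) -> bytes:
    """Read the first bytes of ntdll!<name> in this process. Windows only."""
    import ctypes  # imported here so the module loads on non-Windows hosts
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(getattr(ntdll, name), ctypes.c_void_p).value
    return ctypes.string_at(addr, length)


# Constructed sample stubs (not copied from any real ntdll build).
def make_clean_stub(ssn: int) -> bytes:
    # test byte ptr [0x7FFE0308],1 ; jne +3 ; syscall ; ret ; int 2e ; ret
    return (CLEAN_PROLOGUE + ssn.to_bytes(4, "little")
            + bytes.fromhex("f604250803fe7f0175030f05c3cd2ec3"))


def make_hooked_stub(ssn: int) -> bytes:
    # EDR-style patch: first 5 bytes replaced by a jmp rel32 to a trampoline.
    return b"\xe9" + (0x1000).to_bytes(4, "little") + make_clean_stub(ssn)[5:]


SAMPLE_STUBS = [                                   # assumed export order
    ("NtAcceptConnectPort", make_clean_stub(0x02)),
    ("NtAccessCheck", make_clean_stub(0x03)),
    ("NtAllocateVirtualMemory", make_hooked_stub(0x04)),  # the hooked one
    ("NtAlpcAcceptConnectPort", make_clean_stub(0x05)),
]

if __name__ == "__main__":
    for name, code in SAMPLE_STUBS:
        r = classify_stub(name, code)
        line = f"{name:26} hooked={r.hooked!s:5} {r.reason}"
        if r.hooked and r.ssn is None:
            rec = recover_ssn(name, SAMPLE_STUBS)
            line += f"  recovered SSN={rec if rec is None else hex(rec)}"
        print(line)
```

A blue team uses classify_stub on memory read from a suspect process to confirm its hooks are still in place (a stripped hook is itself a strong signal); a red team uses the same check plus recover_ssn to build the direct syscall that bypasses the hook, which is exactly why behavioral detection that relies only on user-land hooks has a blind spot.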