EDR solutions have landed in Linux. With the ever increasing footprint of Linux machines deployed in data centers, offensive operators have to answer the call.
In the first part of the talk we will share practical tips and code techniques the offense can use to slide under the EDR radar, and to expand its post-exploitation capabilities.
We will walk through examples and see how approved executables could be used as decoys to cleanly execute foreign code. We will review the primitives and building blocks of Linux malware that can be invoked by the dynamic ELF loader and the process bootstrap routines. Actionable and battle tested practical tips to assist Red Teams with evasion will be shown.
Part two will focus on expanding and weaponizing the capabilities. We will show how to create feature rich chained preloaders, and use mimicry to hide modular malware during execution. To support the discussion, we will demo a memory-assisted "Preloader-as-a-Service" capability by abstracting storage of malware from its executing cradles. We will talk about operationalizing Linux memory-based implants. Finally, we will show techniques for evading EDRs with cross memory attach injection in deliberately ASLR weakened executables.
We fully believe the ability to retool in the field matters more than standalone tools, so we have packaged the techniques into reusable code patterns in a toolkit you will be able to use or take inspiration from after the talk.
The talk will conclude with pointers for Defense to mitigate the techniques we have shown. And most importantly, we will reveal what Zombies have to do with Ants :)
Dimitry Snezhkov is a Red Team Operator at X-Force Red at IBM Corporation. He is focused on adversarial simulation, offensive security testing, code hacking, and tool building.