DEFENSIVE EVASION: HOW APT ADVERSARIES BYPASS SECURITY CONTROLS (presented at FIRST 2017)

by Aaron Shelmire

Summary: Counter Threat Unit researcher Phil Burdette showcases the top 5 ways targeted threat actors dodge, dip, duck, dive, and dodge traditional security controls. Participants are exposed to real-world examples from incident response engagements in which adversaries explicitly try to avoid and hide from network defenders during actions on objectives. They do this by "living off the land," using native Windows tools such as PowerShell and WMI to move laterally and to launch in-memory-only implants. Threat actors will also operate in blind spots by deploying virtual machines that lack security controls or collection instrumentation. To cover their tracks, adversaries will delete forensic artifacts from the registry and clear web or event logs from the system. Would you detect these defensive evasion and forensic countermeasure tactics in your environment?