Published Dec. 12, 2024 by Black Hat Europe 2024.
Defending off the land: Agentless defenses available today
Defending-off-the-land will show novel, open-source techniques to use existing Windows OS capabilities to detect and alert on attackers–without needing to deploy yet another agent. Attackers use "living-off-the-land" techniques to prevent detection–using existing OS capabilities to further their offensive goals. Defenders have traditionally relied upon vendor products to keep attackers at bay: EDR, IPS, XDR, etc. These products augment endpoints and networks with 3rd party agents and appliances to detect and evict would-be attackers. In this talk we show nine capabilities from a spectrum of options to improve endpoint instrumentation and defense using in-built OS capabilities.
From a registry configuration that has Windows alert when certain commands are run, adding fake credentials to the OS store that alert on use, to a way to set up a honeypot-like RDP service, to powershell scripts that create fake security Services that alert on stopping, there is a lot of defensive capability waiting to …
Defending-off-the-land will show novel, open-source techniques to use existing Windows OS capabilities to detect and alert on attackers–without needing to deploy yet another agent. Attackers use "living-off-the-land" techniques to prevent detection–using existing OS capabilities to further their offensive goals. Defenders have traditionally relied upon vendor products to keep attackers at bay: EDR, IPS, XDR, etc. These products augment endpoints and networks with 3rd party agents and appliances to detect and evict would-be attackers. In this talk we show nine capabilities from a spectrum of options to improve endpoint instrumentation and defense using in-built OS capabilities.
From a registry configuration that has Windows alert when certain commands are run, adding fake credentials to the OS store that alert on use, to a way to set up a honeypot-like RDP service, to powershell scripts that create fake security Services that alert on stopping, there is a lot of defensive capability waiting to be unleashed on would-be attackers. These agentless, configuration-based defenses allow for improved hardening and observability into vendor appliances and legacy systems where modern EDR solutions cannot be installed–improving overall network instrumentation. Walk away from this talk with a new appreciation of, and excitement for, ways to use existing OS functionality to catch and frustrate attackers.