Defending off the land: Agentless defenses available today


Jacob Torrey, Marco Slaviero: Defending off the land: Agentless defenses available today (2024, Black Hat Europe 2024)

Published Dec. 12, 2024 by Black Hat Europe 2024.


Defending off the land will show novel, open-source techniques that use existing Windows OS capabilities to detect and alert on attackers, without deploying yet another agent. Attackers use "living-off-the-land" techniques to evade detection, using existing OS capabilities to further their offensive goals. Defenders have traditionally relied on vendor products to keep attackers at bay: EDR, IPS, XDR, etc. These products augment endpoints and networks with third-party agents and appliances to detect and evict would-be attackers. In this talk we show nine capabilities from a spectrum of options to improve endpoint instrumentation and defense using built-in OS capabilities.

From a registry configuration that has Windows alert when certain commands are run, to fake credentials added to the OS credential store that alert on use, to a honeypot-like RDP service, to PowerShell scripts that create fake security services that alert when stopped, there is a lot of defensive capability waiting to …
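The registry tripwire and the decoy security service described above, as an added PowerShell example. This is the editor's code, not the speakers' open-source tooling, and it makes two assumptions about mechanism: Microsoft's documented Silent Process Exit monitoring is used as the "registry configuration that alerts when a command runs", and an event-triggered scheduled task is used as the alert path for the decoy service. The image name whoami.exe, the decoy service names, the binary path and the eventcreate source/ID are illustrative values, not anything from the talk.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the talk. Two tripwires built only from in-box
# Windows features. Anything marked ASSUMPTION is the editor's choice, not the
# speakers' implementation.

# --- 1. Registry tripwire: Windows logs an event when a chosen command runs ---
# ASSUMPTION: this uses Microsoft's documented Silent Process Exit monitoring
# (IFEO GlobalFlag bit 0x200 plus SilentProcessExit\<exe>\ReportingMode 0x4).
# When the monitored image exits, the OS writes Event ID 3000 (provider
# Microsoft-Windows-ProcessExitMonitor) to the Application log. No handler
# binary is involved, so nothing has to re-launch the original command.
function Install-CommandTripwire {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'whoami.exe'
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ifeo = "$base\Image File Execution Options\$ImageName"
    $spe  = "$base\SilentProcessExit\$ImageName"
    foreach ($key in $ifeo, $spe) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200; keep any GlobalFlag bits already set.
    $current = (Get-ItemProperty -Path $ifeo -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    New-ItemProperty -Path $ifeo -Name GlobalFlag -PropertyType DWord `
        -Value (([int]$current) -bor 0x200) -Force | Out-Null
    # ReportingMode 0x4 = notification event only (no dump, no monitor process).
    New-ItemProperty -Path $spe -Name ReportingMode -PropertyType DWord -Value 0x4 -Force | Out-Null
}

# Pull the tripwire hits back out of the Application log.
function Get-CommandTripwireHits {
    param([Parameter(Mandatory)][string]$ImageName)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 3000 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ImageName) } |
        Select-Object TimeCreated, Message
}

# --- 2. Decoy "security" service that alerts when it is stopped or disabled ---
# The decoy itself is an ordinary service registration; its value is the name.
# ASSUMPTION: $BinaryPathName points at an inert executable that speaks the SCM
# protocol so the decoy shows as Running. In-box service EXEs registered under
# a different name refuse to start, so you have to supply one.
function Install-DecoyService {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$BinaryPathName
    )
    New-Service -Name $Name -DisplayName $DisplayName -BinaryPathName $BinaryPathName `
        -Description 'Provides endpoint protection and telemetry.' -StartupType Automatic | Out-Null
}

# The alert is an event-triggered scheduled task running as SYSTEM. It fires on
# SCM Event 7036 "entered the stopped state" and on 7040 "start type changed"
# (the latter also catches `sc config ... start= disabled` against a decoy that
# is not running). ASSUMPTION: the action writes Application Event ID 900 from
# source DecoyTripwire via eventcreate.exe; ship that event with Windows Event
# Forwarding or your SIEM's agentless collector, or swap in a webhook call.
function Install-DecoyServiceAlert {
    param([Parameter(Mandatory)][string]$DisplayName)
    $subscription = @"
<QueryList><Query Id="0" Path="System">
  <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and EventID=7036]]
    and *[EventData[Data[@Name='param1']='$DisplayName' and Data[@Name='param2']='stopped']]</Select>
  <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and EventID=7040]]
    and *[EventData[Data[@Name='param1']='$DisplayName']]</Select>
</Query></QueryList>
"@
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Enabled      = $true
    $action    = New-ScheduledTaskAction -Execute 'eventcreate.exe' `
        -Argument "/L APPLICATION /SO DecoyTripwire /T WARNING /ID 900 /D `"Decoy service '$DisplayName' was stopped or reconfigured`""
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "DecoyTripwire-$DisplayName" -Trigger $trigger `
        -Action $action -Principal $principal -Force | Out-Null
}

# Usage with hypothetical names (ASSUMPTION: pick names that look like a real product).
Install-CommandTripwire -ImageName 'whoami.exe'
Install-DecoyService -Name 'EndpointSensorSvc' -DisplayName 'Endpoint Sensor' `
    -BinaryPathName 'C:\Program Files\EndpointSensor\sensor.exe'
Install-DecoyServiceAlert -DisplayName 'Endpoint Sensor'
Get-CommandTripwireHits -ImageName 'whoami.exe'
```

Two practical caveats. The process-exit tripwire fires when the monitored image exits, not when it starts, so it is a good fit for short-lived discovery commands and a poor one for long-running tools; and it trips on legitimate use too, so choose images your administrators rarely run interactively, or correlate the Event 3000 with the logon session before paging anyone. Both tripwires are visible to an attacker who enumerates IFEO keys or scheduled tasks, which is acceptable: forcing the intruder to check for them before every command is itself the cost you are imposing.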
