Zombie Ant Farm: Practical Tips for Playing Hide and Seek with Linux EDRs

Conference: Defcon 27

2019-08-01

Summary

The presentation discusses practical tips and techniques Red Team operators can use to evade Linux EDRs and expand post-exploitation capabilities. The focus is on the challenges Red Team operators face when evading EDRs on Linux, and on the technology and practical tooling that can be used to overcome those challenges.
  • Linux is widely used in data centers, so Red Team operators need to be able to evade EDRs on Linux to reach the data held there
  • Endpoint detection and response technology has resurged on Linux operating systems
  • Red Team operators need to respond to the challenge that EDRs on Linux pose
  • The presentation provides practical tips and techniques for evading Linux EDRs and expanding post-exploitation capabilities
  • The presentation will release a toolkit to help Red Team operators overcome EDRs on Linux
The speaker describes the scenario of a Red Team operator dropping onto a Linux machine and finding, 15 minutes later, that their payload no longer works, leading to their being evicted and booted out of the system. This anecdote illustrates the challenges Red Team operators face in evading EDRs on Linux and the need for practical tools and techniques to overcome them.

Abstract

EDR solutions have landed in Linux. With the ever-increasing footprint of Linux machines deployed in data centers, offensive operators have to answer the call. In the first part of the talk we will share practical tips and techniques hackers can use to slide under the EDR radar, and expand post-exploitation capabilities. We will see how approved executables could be used as decoys to execute foreign functionality. We will walk through the process of using well-known capabilities of the dynamic loader. We will take lessons from user-land rootkits in evasion choices. Part two will focus on weaponizing the capabilities. We will show how to create custom preloaders, and use mimicry to hide modular malware in memory. We will create a "Preloader-as-a-Service" capability of sorts by abstracting storage of modular malware from its executing cradles. This PaaS is free to you though! We fully believe the ability to retool in the field matters, so we have packaged the techniques into reusable code patterns in a toolkit you will be able to use (or base your own code on) after it is released. This talk is for hackers, offensive operators, malware analysts and system defenders. We sincerely hope defensive hackers can attend and also have fun.