ShellCon Schedule Registration Venue Workshops Talks Villages Veterans Sponsor Events
RaiseMe Career Hall Talks Sponsorships Salute! Testimonials Job Board
About Photo Policy Code of Conduct Who We Are Contact Archives
Twitter Facebook LinkedIn Instagram
YouTube Twitch Discord

All times are in Pacific Daylight Time (UTC-0700).

EDR Evasion with D/Invoke
  • Track: Main Channel: Saturday 10/09 @ 1000-1055 PDT

With the advent of detections for PowerShell and script-based attacks, threat actors have shifted to .NET as a preferred method to perform post-exploitation tradecraft. As .NET framework is available by default on all Windows-based environments, the success rate of executing .NET assemblies is very high. .NET allows to interact with the Win32 APIs which are abused by attackers in various ways such as load assemblies directly into memory and inject into processes using a ton of process injection techniques. However, EDR vendors have upped their game to look or hook into how the unmanaged code is invoked from managed code. An attacker may get caught upon execution of suspicious Win32 APIs. Hence in this talk, we will explore tradecraft that would help evade detections that depend on such mechanisms.

Suraj Khetani

An Offensive Security Specialist currently focusing on performing Adversary Simulations and Purple team assessments. He has previously spoken at HITB - Abu Dhabi in 2019 and is also an active member presenting at NullDubai. He has also discovered multiple vulnerabilities on products such as Oracle, Netgear, EdgeCore, and Pulse Secure.

Read More

twitter @r00treaver
Abhineeti Singh

Abhineeti Singh is a security researcher working with one of the leading security companies in UAE. Her expertise lies in application security, software development & source code reviews.

She is acknowledged by Oracle, Microsoft, Intel, Honeywell, Shopclues, Netherlands CERT etc. for reporting security vulnerabilities in their applications.

Read More

© 2023 ShellCon