Your friendly neighbourhood penguin: Using Linux and WSL to stay under the radar
12-09, 10:00–10:45 (Europe/London), Track 3

Special offer, two for one! This talk combines two pieces of research that Mandiant conducted recently on evading EDRs. In the first part we will go over how to bypass Linux EDRs and the lessons learned along the way. In the second part we will discuss how Windows EDR can be bypassed using WSL.


Talk #1 - Bypassing Linux EDRs

Everyone is talking about Windows EDR bypasses, but no one is talking about Linux EDR bypasses. In this talk, we will discuss the approach Mandiant took to bypass two Linux EDRs: how they work, how they can be identified on a host, and tips and tricks for bypassing them.

Talk #2 - Leveraging Linux and Windows Subsystem for Linux (WSL) to avoid detection when operating in modern environments

Knowing how to use commonly available tools and platforms to avoid detection is a core skill for Red Teamers and Blue Teamers alike. This talk will focus on how to use Linux to evade detection on both Windows and Linux hosts, and will demonstrate some of the areas in which modern EDR platforms are (currently) poorly equipped to deal with this.

Idan Ron is a Senior Red Team Consultant in Mandiant’s U.K. office. As part of the Red Team (also known as APT66), Idan specialises in adversary simulation, red and purple team assessments, and cloud assessments. Idan delivers proactive red team assessments to Mandiant’s clients across all industries.

Max is a security consultant within Mandiant's Red Team, regularly conducting a wide variety of Red and Purple Team operations.