Connor Morley is a senior security researcher at WithSecure. A keen investigator of malicious TTPs, he enjoys experimenting with and dissecting malicious tools to determine their functionality and developing detection methodology. As a researcher and part-time threat hunter, he is experienced with both traditional and 'in the wild' malicious actor behaviour.
Malicious actors are always trying to find new ways to avoid detection by ever more vigilant EDR systems and deploy their payloads. Over the years, the scope of techniques used has branched from relatively simplistic hash comparison and sandbox avoidance to low-level log dodging and even direct circumvention of EDR telemetry acquisition. By examining some of the techniques used on Windows systems, this talk will highlight the range of capabilities defensive operators are dealing with, how some of them can be detected and, in rare cases, the performance and false-positive obstacles encountered in designing detection capability.