
Detect Me If You Can – Defense Evasion 101 (Linux)

5th Oct 10:00 to 13:00


Pre-requisites for workshop


For the workshop, the attendees will need the following:

  1. OS: Ubuntu 24.04 LTS with all the latest updates applied.
    CPU: 4 cores
    RAM: 16GB
    Storage: 40GB
    Architecture: x86_64 (Intel 64 bit) / aarch64 (ARM 64 bit)
    Whether it is installed in a VM or on the host, the minimum requirements remain the same.

  2. Internet: attendees should have a wireless hotspot with internet connectivity, in case it is needed.

  3. The following packages should be installed: bpftrace, make, cmake, g++, gcc, gdb, libbpf-tools. As a one-line command:
    sudo apt install bpftrace make cmake g++ gcc gdb libbpf-tools

 

Please note that, although attendees may install some other Linux distro (or a different version of Ubuntu), the training content will be prepared with Ubuntu 24.04 LTS in mind (the steps, code, expected outputs, etc.). Attendees who deviate from the recommended configuration outlined above will have to deal with any differences in steps, code, or outputs on their own. The trainer can make a reasonable effort to help, but absolutely no guarantees.

Training level: Intermediate

Training Outline 

Monitoring file I/O
Evading file I/O monitoring
  Using symbolic links
    Creating new symbolic links
    Using pre-existing symbolic links
  Using mounts
    Duplicate mounts
    Bind mounts
Closing notes
 

Workshop Prerequisites

Knowledge of Linux
Bash shell and basic shell scripting
C++ programming
Adhokshaj is a Staff Detections Engineer at SentinelOne, focusing on Linux and macOS platforms. His expertise spans both the offensive and defensive aspects of Linux malware research.

Address

CRAC Learning Foundation

C-1506, CELEBRITY SUITES, Gurugram, Haryana 122022

Connect

  • LinkedIn
  • X
  • Whatsapp
  • Discord
  • Instagram
  • Medium

+91-7428973398
