BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Defender-Pretender: When Windows Defender Updates Be
 come a\n   Security Risk\n   When: Friday\, Aug 11\, 12:30 - 13:15 PDT\n  
  Where: Caesars Forum - Academy - 407-410 - Track 4 - [1]Map\n   Speakers:
  Omer Attias\, Tomer Bar\n\n   SpeakerBio: Omer Attias\, Security Researcher
  at SafeBreach Labs\n   Omer Attias is an accomplished security researcher
  with over five\n   years of experience in the field of cybersecurity. He 
 currently works\n   as a researcher at SafeBreach Labs.\n\n   With a backg
 round in the Ministry of Defense and the Israeli Defense\n   Forces (IDF)\
 , Omer has honed his skills in network research\, including\n   a deep und
 erstanding of Windows internals and Linux kernel components.\n\n   In addi
 tion to his professional pursuits\, Omer is a passionate\n   technology an
 d science enthusiast who is always eager to explore\n   emerging trends an
 d innovations in these fields.\n\n   Twitter: [2]@omerat21\n\n   SpeakerB
 io: Tomer Bar\, VP of Security Research at SafeBreach Labs\n   Tomer Bar i
 s a hands-on security researcher with 20 years of unique\n   experience in
  cyber security. He leads SafeBreach Labs as the VP of\n   security resear
 ch. In the past\, he ran research groups for the Israeli\n   government an
 d then led the endpoint malware research for Palo Alto\n   Networks. His m
 ain interests are vulnerability research\, reverse\n   engineering\, and A
 PT research.\n\n   Among his recent discoveries are the PrintDemon vulnera
 bilities in the\n   Windows Spooler mechanism which were a candidate in th
 e best privilege\n   escalation of Pwnie awards and several research studi
 es on Iranian APT\n   campaigns. He presented his research at DEF CON (28-
 30)\, BlackHat USA\,\n   ReCon\, Sector\, Confidence\, Security Fest and H
 ackCon conferences.\n\n\n   Description:\n   The signature update process 
 is critical to EDR's effectiveness\n   against emerging threats. The secur
 ity update process must be highly\n   secured\, as demonstrated by the Fla
 me malware attack that leveraged a\n   rogue certificate for lateral movem
 ent. Nation-state capabilities are\n   typically required for such an atta
 ck\, given that signature update\n   files are digitally signed by Microso
 ft.\n\n   We wondered if we could achieve similar capabilities running as 
 an\n   unprivileged user without possessing a rogue certificate; instead 
 we\n   aimed to turn the original Windows Defender process to our full\n  
  control.\n\n   In this talk we will deep dive into Windows Defender archi
 tecture\, the\n   signature database format and the update process\, with 
 a focus on the\n   security verification logic. We will explain how an att
 acker can\n   completely compromise any Windows agent or server\, includin
 g those\n   used by enterprises\, by exploiting a powerful 0day vulnerabil
 ity that\n   even we didn't expect to discover.\n\n   We will demonstrate 
 Defender-Pretender\, a tool we developed to achieve\n   neutralization of 
 the EDR\, allowing any already known malicious code\n   to run Fully Un-Det
 ected. It can also force Defender to delete\n   admin’s data\, OS and dri
 ver files\, resulting in an unrecoverable OS.\n   We will also explain how
  an attacker can alter Defender's detection\n   and mitigation logic.\n\n 
   '\n\n   1. #CaesarsAcademyBR\n   2. https://twitter.com/@omerat21\n\n\n
DTEND:20230811T201500Z
DTSTART:20230811T193000Z
LOCATION:DC - Caesars Forum - Academy - 407-410 - Track 4
SUMMARY:Defender-Pretender: When Windows Defender Updates Become a Security
  Risk
END:VEVENT
END:VCALENDAR
