Malware Morphology for Detection Engineers

Retour à la liste des conférenciers et sessions

As Defenders it is easy to view attacker behavior through a Technique lens, but this perspective often causes us to forget about the diversity of implementation, morphology, that exists within a Technique. This often leads to detection rules that are more narrowly focused on specific tools instead of on the underlying behavior(s) themselves. MITRE ATT&CK provides a schema for evaluating inter-technique differences between tools, such as the differences between Kerberoasting and DCSync, but we currently do not have an industry-wide model for evaluating intra-technique differences, such as the how two tools performing LSASS Dumping might differ in approach and thus lead to evasion opportunities.

In this workshop, attendees will be presented with various tools that implement the same Technique, but use different approaches, or Procedures, to do so. We will then walk participants through the process of analyzing these tools to understand exactly where and by how much they differ. Participants will then learn how to model different Procedures to evaluate their similarity and determine the optimal events or logs to serve as a foundation for building resilient detection rules.

Participants should prepare by:

Familiarity with Windows Internals basics, programming experience is helpful but not necessary

Participants must have the following equipment:

A Windows laptop preinstalled with IDA 8.2 Free.

Jared Atkinson Chief Strategist, SpecterOps

Jared is a security researcher who specializes in Digital Forensics and Incident Response. Recently, he has been building and leading private sector Hunt Operations capabilities. In his previous life, Jared lead incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of PowerForensics, Uproot, and maintains a Detection Engineering focused blog at

Jonathan Johnson Senior Consultant, SpecterOps

Jonny is a security enthusiast who loves spending time with all things related to Windows Internals, reverse engineering, and data analysis. Jonny applies threat research and low-level knowledge to defensive capabilities, arming defenders with the information and tools needed to cover defensive gaps. Jonny loves to share his actionable findings in blogs ( and is committed to helping defenders be effective, independent, and efficient.