Teruki Yoshikawa

SOC Analyst

Teruki Yoshikawa SOC Analyst, NTT Security Holdings

Teruki Yoshikawa is a security analyst at NTT Security Holdings. He is responsible for monitoring NW/EDR alerts and is also involved in malware analysis and the development of in-house systems. He is currently interested in red teaming, particularly in Windows environments. He has been a speaker at JSAC.


Talk: Exploring MSIX Threat Landscape

Talks will be streamed on YouTube and Twitch for free.


The blue team analyzes new attack methods that attackers consider and comes up with detection and defense methods. This is an eternal cat-and-mouse game. However, the attackers are always ahead of us. Attacks using the MSIX installer file are a prime example. To overcome this situation, we have discovered a new attack method by which attackers will use MSIX in the future. This gives us an advantage over attackers.

This presentation will briefly describe existing attack techniques, followed by an introduction to the Virtual File System (VFS) in Windows. In particular, we will share in detail how VFS functions in MSIX files, the Windows application package format. This allows the audience to understand how MSIX files utilize VFS. We will then demonstrate how the VFS mechanism can be exploited to perform DLL Side-Loading and AppDomainManager Injection in a far stealthier way than traditional approaches. These are attack techniques that have not been observed to date. Finally, we will explore defensive strategies to safeguard systems against these attack methods. The talk will include detailed operational logs and detection logic, providing actionable insights for implementing effective countermeasures.

Please see the attached document for details.