Teruki Yoshikawa

SOC Analyst


Teruki Yoshikawa SOC Analyst, NTT Security Holdings

Teruki Yoshikawa is a security analyst at NTT Security Holdings. He is responsible for monitoring NW/EDR alerts and is also involved in malware analysis and the development of in-house systems. He is currently interested in Red Teaming, particularly in Windows environments. He has been a speaker at JSAC.


Talk: Exploring MSIX Threat Landscape

Talks will be streamed on YouTube and Twitch for free.


Blue teams analyze the new attack methods that attackers devise and come up with detection and defense methods. This is an eternal cat-and-mouse game. However, the attackers are always ahead of us. Attacks using MSIX files are a prime example. To overcome this situation, we have researched new attack techniques that attackers would use in the future. This gives us an advantage over attackers.

This presentation will briefly describe existing attack techniques, followed by an introduction to new MSIX abuse techniques that we have discovered. These techniques rely in particular on the Virtual File System (VFS), an MSIX feature used to maintain compatibility. We will share how the VFS mechanism is abused to perform DLL Hijacking and AppDomainManager Injection. This allows the audience to understand how VFS can be abused. We will also introduce attack techniques that abuse other features of MSIX. These attack techniques have not been observed to date.

Finally, we will explore defensive strategies against these attack methods. The talk will include detailed detection logic and effective countermeasures.