Adversary Village
DEF CON 30
Speakers

Oleg Lerner

Security Research Team Lead at Sygnia

Oleg leads Sygnia’s Adversarial Research team, which is focused on offensive and defensive research for Sygnia’s Adversarial Tactics department. Oleg is a cyber security expert with more than 9 years of offensive and defensive cyber security experience in research and development, as well as red/purple team engagements and product assessments. Oleg has a deep technical background that spans offensive engineering projects and tool development to security research and analysis. Before joining Sygnia, Oleg served in an IDF technological unit, and later worked as a security researcher at CyberArk, researching domain network protocols and a variety of security solutions. At Sygnia, Oleg leads research and innovation of offensive tools and infrastructure for red-team activities. His experience enables him to bring a unique perspective to security engagements and network operations, and to challenge operational assets from that perspective.

Tool Demo: Qemuno – An uninvited guest
Adversary Tool

Evolving endpoint protection controls, including hardening and security software with enhanced detection capabilities and greater visibility coverage, have been pushing red team and purple team operational complexity to a higher level. Malicious actors and security professionals alike are increasingly focusing on leveraging virtualization technologies to overcome prevention and detection mechanisms. Although utilizing virtualization as an attack platform assists in evading most security controls by “default”, creating and using a virtualization platform in a client environment poses its own challenges.

We embraced the trend and created our own virtualized offensive operations suite, which can be utilized to execute any offensive tool, from network reconnaissance to privilege escalation, avoiding the cat-and-mouse game of crafting custom payloads and tools to evade the latest endpoint security stack detection mechanisms. The offensive operations suite utilizes the QEMU open-source emulator as the virtualization software, coupled with a lean Linux distribution, the Docker containerization platform, and a custom GUI web interface based on the Flask micro-framework. The suite leverages Docker to create modularity, in order to maximize functionality and avoid issues such as software and OS dependencies, while keeping the build lean for ease of deployment in offensive security engagements.

In this talk, we will present the architecture and capabilities of the Qemuno offensive operations suite, present several real use cases where we leveraged Qemuno, and demo how it can be leveraged in a highly hardened environment.