LASCON 2017 has ended
Thursday, October 26 • 12:00pm - 1:00pm
Abusing Normality: Data Exfiltration in Plain Site

As a defender, you can recognize a potential compromise when a new WMI class appears on an endpoint that constantly connects to mflzwsyimbwkrlnvhrp.xyz. But how likely are you to notice a regular-looking Symantec virus definition file, placed in its designated folder, on a machine that’s communicating with a Wikipedia-based C&C about once a week and only after previous, legitimate visits to the site? Or malware that saves keystrokes to a Word dictionary file, reads it five days later using Outlook, and embeds the captured data in an email header to a legitimate-looking recipient?

This talk will cover common and uncommon channels attackers can use to communicate and hide information. From prefetch files and Search Index to event logs and Recent Documents, free disk space, Excel templates, and many otherwise inconspicuous objects, the goal of this talk is to show that a clever attacker can hide anywhere that is considered too normal and noisy to monitor.


Aelon Porat

Aelon Porat is an information security manager at Cision. He has extensive experience attacking and defending corporate environments. Aelon likes to jump inside networks and out of planes, and in his spare time, he enjoys demoing, speaking, and providing training at different events...

Thursday October 26, 2017 12:00pm - 1:00pm
Under Armour Room
