Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards – #Guardies 🏆
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices 🦅 Adversary Methods team where we "reverse engineer" attacker techniques...
Why a lightning talk on Execution Guardrails (#T1480)?
• We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
• Smart people suggest that guardrails are correlated with adversary sophistication
• 💂🛤️ are fun! ...
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/
The unique combination of behaviors that define guardrailing – and their order – can be used to detect it.
Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing...
And now for the first 3 awards for technical achievement in adversary guardrailing! #Guardies 🏆
Roll out the red team carpet for @buffaloverflow and the amazing, creative, & inspiring Demiguise HTA payload encryption tool!
#DailyToolDrop 🌶️😉
My award for the best guardrails in an APT group's close access operation: virustotal.com/gui/file/3fab3… 👀 enjoy!
Installs a hard-coded attacker-controlled wireless access point to a victim with a specific TP-LINK USB WiFi adapter 📶
Wonder if they got the USB stick at a conference 🔥
The lifetime achievement in guardrailing goes to #APT41 🐉🐉
You have heard of their connection to supply chain compromises with payloads restricted by MAC address.
How about DPAPI with keys tied per user & system?
Volume serial ID keying? Oh my.
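The MAC-address and volume-serial keying mentioned above is environmental keying: the payload is encrypted under a key derived from identifiers the operator already knows about the target host, so it only decrypts there. The block below is an added illustration, not the thread's content and not code from any APT41 tool; the identifiers, the context string `INFO`, and the SHA-256 counter-mode keystream (a stdlib stand-in for AES-CTR) are assumptions for the demo.

```python
"""
Execution guardrail via environmental keying (added illustration, not APT41 code).

The operator encrypts the payload under a key derived from host identifiers
learned during earlier reconnaissance (here a NIC MAC address and a 32-bit
volume serial number, both constructed sample values). On any other host the
derived key differs, the integrity tag fails, and the loader never exposes
plaintext. Everything is stdlib so it runs offline.
"""
import hashlib
import hmac
import os
import struct

INFO = b"guardrail-demo-v1"  # hypothetical domain-separation string for the KDF


def normalize_mac(mac: str) -> bytes:
    """Canonicalise 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    hexstr = mac.replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12:
        raise ValueError("MAC address must be 6 bytes")
    return bytes.fromhex(hexstr)


def derive_key(mac: str, volume_serial: int, salt: bytes) -> bytes:
    """Derive a 32-byte key from host identifiers (HKDF-style extract/expand)."""
    ikm = normalize_mac(mac) + struct.pack("<I", volume_serial & 0xFFFFFFFF)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    return hmac.new(prk, INFO + b"\x01", hashlib.sha256).digest()  # expand


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream; stand-in for AES-CTR to stay stdlib-only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def wrap_payload(payload: bytes, mac: str, volume_serial: int) -> bytes:
    """Operator side: key the payload to the intended victim's identifiers.

    Layout: salt(16) | nonce(16) | hmac-sha256 tag(32) | ciphertext.
    """
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(mac, volume_serial, salt)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unwrap_payload(blob: bytes, mac: str, volume_serial: int):
    """Loader side: returns the plaintext on the keyed host, None anywhere else.

    The tag check runs before any decryption, so a wrong host (or a tampered
    blob) yields no plaintext at all rather than garbage that might be executed.
    """
    if len(blob) < 64:
        return None
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(mac, volume_serial, salt)
    expected = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample identifiers for the "victim".
    victim_mac, victim_serial = "00-11-22-33-44-55", 0xDEADBEEF
    blob = wrap_payload(b"constructed payload bytes", victim_mac, victim_serial)
    print(unwrap_payload(blob, victim_mac, victim_serial))        # plaintext
    print(unwrap_payload(blob, "00:11:22:33:44:56", victim_serial))  # None
```

On a real Windows host the loader would read the serial with `GetVolumeInformationW` (kernel32) and the MAC from the adapter list rather than taking them as arguments; the keying logic is the same. Two practitioner notes: a 32-bit volume serial alone is only 2^32 guesses, which is why combining several identifiers matters to the attacker, and a defender who has both the sample and the victim's identifiers can reproduce the key, which is the main reason to preserve host identifiers during triage of a guardrailed sample.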
See the APT41 talk #FireEyeSummit
Here's coverage of Ray Leong & @MrDanPerez's #APT41 presentation – including guardrail usage:
A birdie told me a blog is coming...
Sorry #ATTACKcon that I tried to cram too much technical detail here for #GuardrailsOfTheGalaxy.
Lmk if you want more 🏆s!