Saturday April 5, 2025 9:00am - 11:30am EDT
What do we call living off the land in Python? LOLmodules? There are numerous dual-use modules, such as the socket module, which can be used to spawn a reverse shell to a remote host. In February 2025, malicious code was found in a model published on HuggingFace, and research was published on a novel method of embedding malware in an LLM model, to be reconstituted by an execution payload using a serialization module. In both cases, the research trumpeted the claim that these were "undetectable" by AV or EDR tools. Why do these things go undetected? How can we detect unexpected behavior from a Python IDE? Benign execution and network connection events are far too numerous for conventional alerting, and the definition of what normal looks like, for any given codebase, is often only in the head of the developer. In this workshop we introduce OpenDR, a lightweight FOSS EDR alternative for Windows and Linux implemented in Python. OpenDR generates logs of process, network and user events; running Windows services; installed software; and key information for threat hunting and detection, including endpoint IP address, hostname and SIDs / GUIDs for positive identification. It has two modes of operation: it can run stand-alone, for ad hoc monitoring or investigations, or it can ship logs to a database in a multi-agent deployment. We will cover setup and deployment of both modes, local (and non-interrupting) alerting using toast notifications, and detection of an example reverse shell launched from a Python script. If you have additional examples of dual-use Python code you want to bring, we can include them in a threat hunting and detection engineering exercise using OpenDR data.
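The detection problem the abstract describes (a Python interpreter that opens an unexpected outbound connection and then hands a shell to it, versus the flood of benign interpreter activity) can be expressed as a small rule over process and network events. The following is an added illustration, not OpenDR's code or log format: the event field names (ts, type, host, pid, ppid, image, cmdline, dst_ip, dst_port), the "HTTPS only" baseline for build scripts, and the sample events are all assumptions constructed for the example. It also carries a second, weaker indicator (an inline `python -c` payload importing `socket` together with a module that can wire a process to it) so the two shapes of "dual-use module" abuse can be compared.

```python
"""Two toy detection rules over constructed endpoint events.

Added example; not OpenDR's schema or code. Events are flat dicts with the
assumed fields: ts (ISO 8601), type ("process" | "network"), host, pid,
ppid, image, cmdline (process events), dst_ip, dst_port (network events).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

PYTHON_IMAGES = {"python", "python3", "python.exe", "pythonw.exe"}
SHELL_IMAGES = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
# Assumed per-codebase baseline: the only outbound traffic a build script is
# expected to make is HTTPS (e.g. to a package index). Anything else is "unexpected".
EXPECTED_DST_PORTS = {443}
# A shell child appearing this soon after the connect is what a socket->dup2->sh
# reverse shell looks like from the outside.
SPAWN_WINDOW = timedelta(seconds=60)


def _image_name(path):
    """Basename of an image path, lowercased, tolerant of Windows separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_python(image):
    name = _image_name(image)
    return name in PYTHON_IMAGES or name.startswith("python3.")


def _unexpected_connect(ev):
    """True for a non-loopback destination outside the expected-port baseline."""
    addr = ipaddress.ip_address(ev["dst_ip"])
    return not addr.is_loopback and ev["dst_port"] not in EXPECTED_DST_PORTS


def rule_inline_lolmodules(events):
    """Indicator: `python -c` command line importing socket plus an exec/pty module."""
    hits = []
    for ev in events:
        if ev["type"] != "process" or not _is_python(ev["image"]):
            continue
        cmd = ev["cmdline"]
        if " -c " in cmd and "socket" in cmd and any(
            m in cmd for m in ("subprocess", "pty", "os.dup2")
        ):
            hits.append({"rule": "python_inline_socket_exec", "host": ev["host"],
                         "pid": ev["pid"], "evidence": cmd})
    return hits


def rule_connect_then_shell(events):
    """Behavior: python makes an unexpected outbound connection, then a shell
    appears as its child within SPAWN_WINDOW. Benign interpreters that only
    talk HTTPS, or only spawn shells without a connection, do not match."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    children = defaultdict(list)
    for ev in procs.values():
        children[ev["ppid"]].append(ev)
    hits = []
    for ev in events:
        if ev["type"] != "network":
            continue
        parent = procs.get(ev["pid"])
        if parent is None or not _is_python(parent["image"]) or not _unexpected_connect(ev):
            continue
        t_conn = datetime.fromisoformat(ev["ts"])
        for child in children[ev["pid"]]:
            delta = datetime.fromisoformat(child["ts"]) - t_conn
            if _image_name(child["image"]) in SHELL_IMAGES and timedelta(0) <= delta <= SPAWN_WINDOW:
                hits.append({"rule": "python_connect_then_shell", "host": ev["host"],
                             "pid": ev["pid"], "child_pid": child["pid"],
                             "evidence": f'{ev["dst_ip"]}:{ev["dst_port"]} -> {child["cmdline"]}'})
    return hits


def detect(events):
    """Run both rules and return findings ordered by pid, then rule name."""
    return sorted(rule_connect_then_shell(events) + rule_inline_lolmodules(events),
                  key=lambda h: (h["pid"], h["rule"]))


# Constructed sample events (not real telemetry). 203.0.113.0/24 is documentation space.
T = "2025-04-05T09:10:"
EVENTS = [
    # benign: build script fetching a package over HTTPS
    {"ts": T + "00", "type": "process", "host": "dev1", "pid": 4100, "ppid": 900,
     "image": "/usr/bin/python3", "cmdline": "python3 build.py"},
    {"ts": T + "01", "type": "network", "host": "dev1", "pid": 4100,
     "dst_ip": "151.101.0.223", "dst_port": 443},
    # suspicious: outbound to an odd port, then an interactive shell as the child
    {"ts": T + "10", "type": "process", "host": "dev1", "pid": 4200, "ppid": 900,
     "image": "/usr/bin/python3", "cmdline": "python3 updater.py"},
    {"ts": T + "11", "type": "network", "host": "dev1", "pid": 4200,
     "dst_ip": "203.0.113.5", "dst_port": 4444},
    {"ts": T + "12", "type": "process", "host": "dev1", "pid": 4201, "ppid": 4200,
     "image": "/bin/sh", "cmdline": "/bin/sh -i"},
    # suspicious: inline payload importing the dual-use modules (payload elided)
    {"ts": T + "20", "type": "process", "host": "dev1", "pid": 4300, "ppid": 900,
     "image": "/usr/bin/python3", "cmdline": 'python3 -c "import socket,subprocess,os;..."'},
    # benign: test runner shelling out, no network activity at all
    {"ts": T + "30", "type": "process", "host": "dev1", "pid": 4400, "ppid": 900,
     "image": "/usr/bin/python3", "cmdline": "python3 -m pytest"},
    {"ts": T + "31", "type": "process", "host": "dev1", "pid": 4401, "ppid": 4400,
     "image": "/bin/sh", "cmdline": "/bin/sh -c git rev-parse HEAD"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The point of the two-part rule is the one the abstract makes about alert volume: interpreters connecting out and interpreters spawning shells are each far too common to alert on, but the same process doing both, against a baseline of what that codebase is expected to talk to, is rare enough to surface. The baseline (here a single allowed port) is the piece that has to come out of the developer's head and into configuration.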

Attendees should come prepared with the following
1) A laptop with Anaconda, PostgreSQL and Beekeeper (a database client) installed, a working Python instance, and VS Code, or
2) a laptop with VMware Workstation or Fusion which can run a VM we provide. Such laptops should have at least 16 GB RAM and 100 GB free disk space.
3) Under Windows, having a D: drive is recommended to reduce the risk of filling up the C: drive in the event the EDR agents are left running for a long time and the C: drive is low on space.
4) You should have admin access on your laptop
Speakers
Craig Chamberlain

Security Researcher, CyberDyne Labs
Craig Chamberlain has been working on threat hunting and detection for most of his life. He has contributed to several products you may have used. He has been a principal at six startups, four of which had successful exits, including four security products. He did extensive work...
Anirudh Upadhyayula

Security Researcher, OpenDR
Anirudh Upadhyayula has been a security engineer for the past 4 years. He has worked at companies such as Schneider Electric and HP. He is really passionate about anything related to tech and has worked on personal projects such as creating his own miniaturized version of a music streaming...
Workshop B, 5 Wayside Rd, Burlington, MA 01803, USA