
The Detection Series: Installer packages

Experts from Red Canary and MITRE ATT&CK® examine how installer packages work on different operating systems, analyze the ways adversaries are currently abusing them, and demonstrate how organizations can analyze the contents of installer packages and defend against malicious installers.

On-Demand

60 mins.

Virtual


T1546.016: Installer Packages is a MITRE ATT&CK® technique that covers adversary abuse of packaging formats designed to simplify the packaging, installation, and update process for applications. These packages can contain scripts, resources, or other information that an application may need in order to run on an operating system. Developers, administrators, and users routinely run installer packages to install legitimate software. However, adversaries also abuse installer packages by modifying their scripts or otherwise embedding malicious payloads in installers that masquerade as legitimate software.

Microsoft’s MSIX format for Windows is quickly emerging as a reliable format for adversaries to package malicious fake installers, enabling them to deliver payloads, evade defensive controls, and more. However, this is not limited just to Windows or MSIX. Different operating systems use different installer package formats—sometimes more than one—and adversaries have abused installer packages on macOS in addition to Windows.

Attendees will walk away from this webinar with:

  • A better understanding of installer packaging formats and how adversaries leverage them to perform malicious activity
  • Knowledge of which data and log sources offer visibility into malicious installer package activity
  • Guidance on how to develop reliable detection coverage for T1546.016: Installer Packages

Last but not least, we introduce you to a new free tool that you can use to investigate the contents of certain installer packages and share testing strategies you can use to validate your defensive controls against malicious installer packages.

 
Matt Graeber
Director, Threat Research | Red Canary
Matt has worked the majority of his security career in offense, facilitating his application of an attacker’s mindset to detection engineering which involves developing detection evasion strategies. By pointing out gaps in detection coverage, Matt is able to effectively offer actionable detection improvement guidance. Matt loves to apply his reverse engineering skills to understand attack techniques at a deeper level in order to more confidently contextualize them, understand relevant detection optics, and to understand the workflow attackers use to evade security controls. Matt is committed to making security research both accessible and actionable.
 
Frank Lee
Threat Hunter | Red Canary
Frank is deeply passionate about leveraging his expertise at the crossroads of cybersecurity, intelligence, and the law to combat bullying, both in the physical realm and in cyberspace. He started his career as an incident response consultant at Palo Alto Networks' Unit 42. At Red Canary, Frank aids customers in mitigating diverse threats within their environments and works as a part of the Intelligence Operations team to craft actionable intelligence reports for public and customer consumption.
 
Cat Self
Principal Adversary Emulation Engineer | MITRE ATT&CK
Cat started her cybersecurity career at Target as a developer building software to assess the organization's security posture, work for which her team was awarded a patent. She was Target's first female internal red team operator and helped build Target's Threat Hunting team as Target's first full-time threat hunter. Cat is a former military intelligence professional and served in an Army Airborne unit with two combat deployments. Cat pays it forward through mentorship, technical macOS open-source contributions, and public speaking. Outside of work, she is often planning an epic adventure, climbing mountains in foreign lands, or learning Chinese.