Autonomous Malware Logic: Practical Design and Analysis of Stealth Execution Techniques
Modern malware relies on autonomous execution to evade dynamic analysis. Building on a BSides Prague session, this workshop demonstrates how threat actors gate execution flow using environmental signals.
WHAT IT COVERS:
Focusing on Windows, we analyze how implants use Win32 APIs (network state, DNS, uptime) and state machines to build conditional execution paths. Practical insights align closely with OSED, OSEP, and OSCP methodologies.
CORE OUTCOMES:
1. Trace Logic: Reverse-engineer Win32 API sequences to uncover how malware profiles its environment.
2. Identify Blind Spots: Discover why standard sandboxes observe zero behavior.
3. Enhance Strategies: Improve automated detection and advanced threat testing.