Johann Rehberger

Johann Rehberger

Johann has over eighteen years of experience in threat analysis, threat modeling, risk management, penetration testing, and red teaming. As part of his many years at Microsoft, Johann established an offensive security team in Azure Data and led the program as Principal Security Engineering Manager for years. He also built out a red team at Uber and currently works as an independent security and software engineer. Johann is well versed in analysis, design, implementation, and testing of software systems. Additionally, he enjoys providing training and was an instructor for ethical hacking at the University of Washington. Johann contributed to the MITRE ATT&CK framework (Pass those Cookies!) and holds a master’s in computer security from the University of Liverpool. For latest updates and information visit his blog at

Welcome the Shadowbunny - Leveraging virtual machines during lateral movement to evade detections and persist

In this talk we will explore usage of virtual machines for lateral movement. There are multiple reasons why you should add this technique to your red teaming knowledge-base and skill set. We also highlight how we can build better detections for catching VM misuse.

A Shadowbunny is basically a virtual machine (VM) instance that is deployed by an adversary on a target host to pivot and provide persistence and at the same time evade detection. During red teaming operations the Shadowbunny technique has been used by the presenter multiple teams over the last couple of years. The VM itself does not have any security monitoring and is entirely attacker controlled.

Recently real world malware, like Rangar Locker Ransomware has been seen to use virtual machines (VirtualBox) to hide its tracks. So it is important that we start discussing and researching these attacks more to build better defenses and detections.

Schedule : September 24, 2020 - 09:45 AM