TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Avoiding Memory Scanners

Kassie Kimball · 2022-09-22

ATT&CK techniques detected

13 predictions
T1027 · Obfuscated Files or Information
98%
“said protections. A bypass in the context of this post does not generate false positives. It is not meant to confuse analysts or blend in with existing results. A true bypass results in zero results from a memory scanner before and after an implant is injected. Encrypting data th…”
T1055.001 · Dynamic-link Library Injection
97%
“method to detect Foliage (more on this in the next section). The scanner now looks for threads with a wait reason of “UserRequest”, which also have a return address to KiUserApcDispatcher somewhere on their call stack. This will be covered in further detail below. An interest…”
T1055.001 · Dynamic-link Library Injection
92%
“stack. These arguments may resemble memory addresses to create an indicator for scanners that inspect return addresses. A more stable technique is demonstrated in Foliage. The author uses NtSetContextThread to overwrite the original thread’s context with a manufactured context…”
T1497.003 · Time Based Checks
67%
“on this later) - sleeps for the specified time with NtDelayExecution - instructs the ksecdd driver to decrypt the implant memory - restores the original thread context - changes the implant memory to be executable - exits the new thread. This process can be further examined by re…”
T1055.001 · Dynamic-link Library Injection
64%
“and other vendors will likely use it. A quick Google search can find many YARA rules for Cobalt Strike. For example, the following demonstration scans two cmd.exe processes with a set of rules targeting Cobalt Strike: one benign and one injected with an implant. Memory attribut…”
T1055.001 · Dynamic-link Library Injection
60%
“commit memory addresses. This check is simple enough to evade, since the start address of a thread is not changed after creation. A new thread with an image commit start address can be created in a suspended state, modified to execute the target shellcode, and resumed. PE-sieve…”
T1055.001 · Dynamic-link Library Injection
55%
“-executable. Both examples require at least one executable region to remain unchanged, though. There will always be at least one point of detection from scanners using the “masking stub” technique, and YARA rules can be created to detect the stub itself. Return oriented progra…”
T1055.001 · Dynamic-link Library Injection
54%
“Avoiding Memory Scanners Avoiding Memory Scanners Kyle Avery // Introduction This post complements a presentation I gave at DEF CON 30 – “Avoiding Memory Scanners: Customizing Malware to Evade YARA, PE-sieve, and More,” which included the public release of a new tool called…”
T1055.001 · Dynamic-link Library Injection
49%
“set this wait reason. WaitForSingleObject is an API that fits this requirement and sets a wait reason of “UserRequest”. The following demonstration replaces the Sleep API call with WaitForSingleObject to bypass these tools. Return Address Spoofing. Spoofing the return address in…”
T1486 · Data Encrypted for Impact
39%
“…crypt and decrypt data. An excellent solution for this problem is hinted at in Mimikatz. The author implements SystemFunction032: a system function that can be resolved from advapi32.dll to perform RC4 encryption and decryption. This API call accepts two arguments that contai…”
T1055.001 · Dynamic-link Library Injection
34%
“s allocations The official Sleep Mask Kit from Cobalt Strike provides a list of memory addresses for encryption. Their solution is clean, but it requires the use of Sleep Mask Kit, which, as described in the following section, prevents us from bypassing some scanners. Last year, …”
T1055.001 · Dynamic-link Library Injection
33%
“release of AceLdr, hunt-sleeping-beacons has been updated to detect Foliage. The scanner will now check all threads with a wait reason of “UserRequest” which also have a return address to KiUserApcDispatcher somewhere on their call stack. This cannot be easily bypassed with…”
T1204.002 · Malicious File
31%
“-executable. Both examples require at least one executable region to remain unchanged, though. There will always be at least one point of detection from scanners using the “masking stub” technique, and YARA rules can be created to detect the stub itself. Return oriented progra…”

Summary

Kyle Avery // Introduction This post complements a presentation I gave at DEF CON 30 – “Avoiding Memory Scanners: Customizing Malware to Evade YARA, PE-sieve, and More,” which included the […]

The post Avoiding Memory Scanners appeared first on Black Hills Information Security, Inc.