“##b isn’t a particularly stealthy tool, and neither is the method of ‘killing’ the processes of EDRs and AVs…. But attackers do be like that sometimes. I asked general awesome human being and lead product owner, the ninja Sharon Martin, about the above: Case three: obfuscat…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

T1059.001 PowerShell (98%)
“undermine a security solution’s visibility. Taxonomized as T1562.001 in ATT&CK, threat actors can use the legitimate functionality of security tools to impair their efficacy. In a recent webinar, my colleague, Matt Anderson, detailed a case where the threat actor brought ove…”

T1620 Reflective Code Loading (98%)
“number when ‘QuickBooks’ would fail to load. I spoke with the investigator of this case, my colleague Cat Contillo: Case seven: reflective loading. I asked Matt Anderson for his thoughts on something particularly sneaky and cool. He shared this case: another way to avoid detec…”

T1562.001 Disable or Modify Tools (92%)
“’s nice to know we strike fear in our enemies! I was amused and stressed at this turn in the adversaries’ campaign. Here, I’ll show you an in-situ snapshot of my stress levels: What was stupid in this case is that the threat actor tried to blind Huntress after they had exe…”

T1204.002 Malicious File (78%)
“thoughts: Case four: LNK to EXE. I love offensive security. As a member of the blue team, I appreciate my red counterparts pushing and innovating new techniques that challenge our assumptions. One particular offensive security technique I enjoyed unraveling involved an executabl…”

T1204.002 Malicious File (75%)
“and harmless. Under the lens of the human eye and security solution, this kind of technique may succeed in evading. There are other techniques wrapped up in this LNK -> EXE, such as some light XOR encryption (T1140) that encrypts and then decrypts the bytes of the EXE, to evad…”
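The “light XOR encryption” in the excerpt above is the kind of encoding an analyst has to undo when working a T1140 case. The following is an added example, not code from the Huntress post or from the case it describes: it recovers a repeating XOR key from an XOR-obfuscated PE by dragging the standard DOS-stub string across the blob as a crib, and accepts a candidate key only if it also decodes the first two bytes to the MZ magic. The PE stub, the keys and the function names are constructed for the example; the DOS stub sits at a file-dependent offset in a real EXE, which is why the crib is dragged across the whole blob rather than looked up at a fixed position.

```python
"""Recover a repeating XOR key from an XOR-obfuscated PE and decode it (T1140-style analysis).

Added example; the PE stub, keys and names below are constructed for illustration.
"""
from itertools import cycle
from typing import Optional

MZ_MAGIC = b"MZ"
# Known plaintext present in virtually every PE's DOS stub; used as the crib.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample(key: bytes) -> bytes:
    """Constructed stand-in for a dropped EXE: MZ magic, padding, the DOS-stub
    string and some filler, XOR'd the way a loader would store it on disk."""
    plain = (MZ_MAGIC + b"\x90\x00" * 30 + DOS_STUB + b"\r\r\n$"
             + bytes(range(256)) * 2)
    return xor_bytes(plain, key)


def recover_xor_key(blob: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Crib-drag DOS_STUB across the blob. At each offset, ciphertext XOR crib
    is the key stream that would have been used there; at the true offset it
    is periodic with period == key length. A candidate is accepted only if it
    also decodes the first two bytes to the MZ magic."""
    n = len(DOS_STUB)
    max_key_len = min(max_key_len, n)  # the crib must cover one full key period
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], DOS_STUB))
        for klen in range(1, max_key_len + 1):
            if any(stream[i] != stream[i % klen] for i in range(n)):
                continue
            # stream[j] == key[(off + j) % klen], so key[m] == stream[(m - off) % klen]
            key = bytes(stream[(m - off) % klen] for m in range(klen))
            if xor_bytes(blob[:2], key) == MZ_MAGIC:
                return key
            break  # periodic but wrong header: multiples of klen would not help either
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded PE, or None if no repeating-XOR key explains the blob."""
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


if __name__ == "__main__":
    sample = build_sample(b"k3y!")
    print("recovered key:", recover_xor_key(sample))
    print("decoded header:", decode_payload(sample)[:2])
```

The MZ check matters: a periodic key stream can appear by coincidence at the wrong offset, and a single-byte key of 0x00 (an unobfuscated file) is reported as such rather than as a failure. Keys longer than the crib cannot be recovered this way, which is the caveat to keep in mind when the obfuscation turns out to be more than “light”.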

T1059.001 PowerShell (68%)
“(ETW) and Antimalware Scan Interface (AMSI) are staples of the modern security architecture that Windows offers (ETW is not strictly devoted to security, serving diagnostic logging purposes, too). There is a range of adversarial techniques that seek to slip by these se…”

T1055.001 Dynamic-link Library Injection (61%)
“(caspol.exe). The process tree from Sysinternals Process Monitor below visually demonstrates the impact of the malicious payload that was injected into the memory of caspol.exe. The malicious activity included making TCP connections, thus suggesting some kind of C2, as well a…”

T1195.002 Compromise Software Supply Chain (44%)
“brought to our attention by a partner. The threat actor compromised a machine, planted a number of insidious persistence roots, masqueraded as accounting software QuickBooks…. all to end up with a pop-up: How fascinating. The threat actor had all the time in the world to do all…”

T1204.002 Malicious File (41%)
“techniques like this that are able to thwart and subvert a fundamental security apparatus (ETW and AMSI), the tradeoff is an initiating executable that you’ll catch, amongst other things you’ll catch for this technique, if you’re getting the basics right of security monit…”

T1620 Reflective Code Loading (41%)
“(caspol.exe). The process tree from Sysinternals Process Monitor below visually demonstrates the impact of the malicious payload that was injected into the memory of caspol.exe. The malicious activity included making TCP connections, thus suggesting some kind of C2, as well a…”
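The caspol.exe excerpt (quoted twice above, once under the DLL-injection candidate and once under the reflective-loading candidate) describes a Process Monitor view in which a .NET framework utility that should never talk to the network starts making TCP connections. As an added example of turning that observation into a repeatable check, and not code from the post or the investigation it describes, the script below parses a Process Monitor CSV export and reports network operations by processes on a short list of .NET utilities, grouped by process and PID with the remote endpoints they reached. The CSV lines are constructed; the column layout follows a default Procmon CSV export, and the utility list and function names are assumptions made for the example.

```python
"""Flag network activity from .NET framework utilities in a Process Monitor CSV export.

Added example; the log lines below are constructed and the utility list is an assumption.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the column layout of a default Procmon CSV export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:42:01.1234567","explorer.exe","4120","Process Create","C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\caspol.exe","SUCCESS","PID: 5588, Command line: caspol.exe"
"10:42:01.3456789","caspol.exe","5588","Load Image","C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\caspol.exe","SUCCESS","Image Base: 0x7ff6a2b00000, Image Size: 0x2c000"
"10:42:02.0000001","caspol.exe","5588","TCP Connect","WORKSTATION:49733 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460"
"10:42:02.2000001","caspol.exe","5588","TCP Send","WORKSTATION:49733 -> 203.0.113.10:443","SUCCESS","Length: 512"
"10:42:03.0000001","caspol.exe","5588","TCP Connect","WORKSTATION:49734 -> 203.0.113.10:8443","SUCCESS","Length: 0, mss: 1460"
"10:42:05.0000001","chrome.exe","7012","TCP Connect","WORKSTATION:49735 -> 198.51.100.7:443","SUCCESS","Length: 0, mss: 1460"
"10:42:06.0000001","caspol.exe","5588","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\\Windows\\Microsoft.NET\\Framework64"
"""

# Procmon network operations (the Path column holds "local:port -> remote:port").
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "TCP Disconnect", "UDP Send", "UDP Receive"}

# Assumption: .NET utilities commonly abused to host attacker code and that a
# workstation has no ordinary reason to see on the network.
DOTNET_UTILITIES = {"caspol.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Read a Procmon CSV export into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def remote_endpoint(path: str) -> str:
    """Keep only the remote side of a Procmon network path."""
    return path.split("->")[-1].strip()


def find_network_activity_from_utilities(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict]:
    """Group network events by (process name, PID) for processes in DOTNET_UTILITIES.
    Returns {(name, pid): {"events": count, "remotes": [sorted remote endpoints]}}."""
    hits = defaultdict(lambda: {"events": 0, "remotes": set()})
    for ev in events:
        if ev["Operation"] not in NETWORK_OPS:
            continue
        if ev["Process Name"].lower() not in DOTNET_UTILITIES:
            continue
        key = (ev["Process Name"], ev["PID"])
        hits[key]["events"] += 1
        hits[key]["remotes"].add(remote_endpoint(ev["Path"]))
    return {k: {"events": v["events"], "remotes": sorted(v["remotes"])} for k, v in hits.items()}


if __name__ == "__main__":
    for (name, pid), info in find_network_activity_from_utilities(parse_procmon_csv(SAMPLE_CSV)).items():
        print(f"{name} (PID {pid}): {info['events']} network events to {', '.join(info['remotes'])}")
```

Grouping by PID rather than by name keeps separate instances apart, which is what you want when deciding which process tree to pull from the capture. The browser's connection in the sample is deliberately not reported, since the check keys on the process identity, not on the destination.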

T1218 System Binary Proxy Execution (38%)
“brought to our attention by a partner. The threat actor compromised a machine, planted a number of insidious persistence roots, masqueraded as accounting software QuickBooks…. all to end up with a pop-up: How fascinating. The threat actor had all the time in the world to do all…”

T1566.001 Spearphishing Attachment (35%)
“techniques like this that are able to thwart and subvert a fundamental security apparatus (ETW and AMSI), the tradeoff is an initiating executable that you’ll catch, amongst other things you’ll catch for this technique, if you’re getting the basics right of security monit…”
Summary
Continuing our blog series on defense evasion, this blog dives into some practical, real-world examples of defense evasion in action.