“hashing algorithm, is similar to this. The value of 0xd (13) is important here as later we will change this value to generate new hashes that can bypass detection. This is a simplification, and the actual logic is slightly more complex. If you’re interested in understanding t…”
T1027.007 Dynamic API Resolution (98%)
“an analyst that they should go looking for suspicious files that may have been created. A common means of avoiding both of these situations is to use a technique known as API hashing. This is a technique where attackers will implement their own version of GetProcAddress that will…”
T1055.001 Dynamic-link Library Injection (98%)
“might be targeted by the remaining vendors, since they are behaviors typically associated with shellcode. - cld/0xfc being the first instructions executed - (cld is used to reset direction flags used in byte/string copy operations) - suspicious calls to registers (e.g. call …”
T1027.007 Dynamic API Resolution (89%)
“), we confirmed the Avast YARA ruleset reliably detected and identified all of our generated payloads. Great news for team blue — and great work from the threat intel team at Avast. The TL;DR takeaways - API hashes present in shellcode are reliable indicators that can be used f…”
T1055.001 Dynamic-link Library Injection (79%)
“below is an example of how to use the script to modify the shellcode file. Notes and limitations of this script - this script only replaces hashes and the hashing logic. If there are other suspicious indicators in your shellcode, you may need to find your own method to hide them …”
T1055.001 Dynamic-link Library Injection (64%)
“…inet” (one upper case I). As well as the cld instruction now located after our pop rbp. We then confirmed that our shellcode still functioned, and then resubmitted it to VirusTotal. Finally, we had hit 0/55 detections without breaking our code. We then checked the same wit…”
T1027.007 Dynamic API Resolution (53%)
“anywhere in between, we hope this blog provides some useful insight into an interesting bypass and detection technique. If screenshots like this excite you, read on. Technical TL;DR: our research suggests that a large number of vendors have based their Cobalt Strike and Metasplo…”
T1204.002 Malicious File (50%)
“red teamers, respectively: Team blue - continuously test and update your detection logic - actively threat hunt! No alerts = no malware - search through a variety of log sources — an AV may not have caught this, but the network traffic might stand out like a sore thumb. Team red …”
T1055.001 Dynamic-link Library Injection (40%)
“piece of software needed to call a function of the Windows API (for example, if it wanted to use CreateFileW to create a file), the software would need to reference the API name “directly” in the code. This typically looks like the screenshot below. By “directly” using an a…”
T1055.012 Process Hollowing (39%)
“…ing routine and will produce the same hash values when using the same function - these hashes introduce unique hex values that can be used to easily identify the malware families by using Google YARA rules. From the perspective of a security analyst or detection engineer, this w…”
T1106 Native API (38%)
“go searching for suspicious files. If an attacker doesn’t want their API to show up in an import table, then the alternative is to load the APIs dynamically (when the malware actually runs). The easiest way to do this is to use a Windows function called GetProcAddress. This m…”
T1027.007 Dynamic API Resolution (38%)
“often see random hex values pushed to the stack, followed by an immediate call to a register value. Typically, this call will resemble call rbp, but the register could technically be any value. Below is a screenshot taken from some Cobalt Strike shellcode where API hashing was us…”
T1588.002 Tool (35%)
“interesting to note that the two remaining vendors differed between the modified payloads. At this point, we also checked that the original YARA rules were no longer detecting our payloads, and confirmed that they were no longer being detected. The TL;DR takeaways - a large num…”
T1055.012 Process Hollowing (34%)
“static analysis, although it is difficult to find what the hashes resolve to - similar hashing logic is often used across similar malware families - the exact same hashing logic is often used across samples from msfvenom, Metasploit and Cobalt Strike. Poking a bit further we eventually…”
T1027 Obfuscated Files or Information (30%)
“were generated. Our ThreatOps team was able to discover this through a combination of the Metasploit source code and by analyzing the assembly instructions present in samples of shellcode. By nature of how hashing works, we theorized that it should only take minor changes to the …”
Summary
Hackers could be outsmarting preventive tools by making trivial changes to default settings. We dive into our research in this blog.