Channel: Anti-* – Hexacorn
Browsing all 88 articles

Using LastSystemRITEventTickCount as a (lame) antisandbox trick

LastSystemRITEventTickCount is a member of the _KUSER_SHARED_DATA structure. If you google for this particular field’s description you will eventually find something along these lines: Time in tick count for...

Using race conditions as an antisandbox trick

I have had this idea for a while and today I finally implemented it. My implementation is pretty lame and only affects those monitoring solutions that rely on hooking or […]

Enter Sandbox – part 10: Removable devices & clickbait file names

Infection of removable drives is an old trick and there is no point explaining what it is. What is interesting though is looking at the creativity of guys who leverage this infection vector and not […]

Beyond good ol’ Run key, Part 33

There is a secret place in almost every organization utilizing Microsoft Outlook where malware can hide. Persistently. The pros: no one checks it. The cons: there is no API to […]

Heaven’s gate and a chameleon code (x86/64)

A so-called heaven’s gate is not only a built-in feature of a 64-bit Windows, but also a neat reversing trick. It can be used (and is) by malware authors to […]

AutoIt3 nested dolls

I recently came across a post on Twitter referring to an AutoIt3 sample that apparently could not be decompiled using Exe2Aut and myAuToExe. It triggered my interest. It turns out […]

AntiEDR – Samples targeting EDR (Endpoint Detection and Response) solutions

I have recently come across a non-intriguing intriguing sample belonging to a family of applications commonly known as a PUA/PUP (Potentially Unwanted Application/Program). The ‘intriguing’ part is...

IME code injection (old)

I like clever and unusual tricks that are meant to fool sandboxes or evade malware analysis (and fool researchers). One of the very first ones I came across many years […]

Detecting Wine via internal and legacy APIs

Many malicious samples try to detect a sandbox environment and to do so they use an avalanche of tricks that are either generic (f.ex. checking the number of processors) or very […]

Returning the call –‘moshi moshi’, the API way (a.k.a. API cold calling)

Software development is quite easy today. There is no longer a need to write your own libraries for everything (a mouse handler, a proprietary database, a graphics library, or your […]

rEDRoviruses – Whether you’re a AV or whether you’re a EDR, You’re stayin’...

EDR software is so hot right now. While AV is mainly focused on badness and silent detections/reputation analysis, the EDR solutions log everything. Sooner or later this ‘everything’ will cause […]

A few ideas to mess around with threat hunting, and EDR software (anti-threat...

I just came back from holidays and since time off is usually a great time to make your brain run idle, it often turns it into a bit more creative […]

Shellcode. I’ll Call you back.

Many malicious wrappers and position-independent payloads (especially those based on AutoIT and VB) attempt to use various techniques to execute the main payload while evading the curious eyes of security...

Running programs via Proxy & jumping on a EDR-bypass trampoline

The parent-child process relationship is very helpful when it comes to defining detection rules and watchlists. For instance, anytime a winword.exe spawns a cmd.exe, powershell.exe, cscript.exe,...

If memory doesn’t serve me right…

Update: One more item from @JamesHabben: One situation I frequently face is determining IIV for malware from months to years before. Memory analysis is useless for that. Old post: I […]

Beyond good ol’ Run key, Part 64

I recently updated my ‘collect all cool persistence mechanism described elsewhere’ post. After I announced it on Twitter, 3gstudent replied with one more link – one that led to his […]

The Wizard of X – Oppa PlugX style

Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would […]

Beyond good ol’ Run key, Part 65

Looking for new ways to load code persistently I had a quick glance at Java. While it may not be present on all systems, it’s out there on at least […]

Running programs via Proxy & jumping on a EDR-bypass trampoline, Part 2

Update: After my post Zod contacted me with this mike-dropping link: Ultimate AppLocker ByPass List. Really lots of good stuff there! Thx Zod! Old Post: In the first part I […]

Beyond good ol’ Run key, Part 66

I discussed Winsock-based persistence in the past. There is one more. It is a bit unusual, as it has to do with automatic proxy configuration, so it’s a bit tricky […]
