BSides CPH 2024 Writeup: DIY Trojan horse or: How to get your malware past EDR
Common Information
Type Value
UUID aea6e708-9230-459a-95b5-21b0a1e883ff
Fingerprint b7640936adfd8f82
Analysis status DONE
Considered CTI value -2
Text language
Published Nov. 11, 2024, 4:57 p.m.
Added to db Nov. 11, 2024, 6:12 p.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline BSides CPH 2024 Writeup: DIY Trojan horse or: How to get your malware past EDR
Title BSides CPH 2024 Writeup: DIY Trojan horse or: How to get your malware past EDR
Detected Hints/Tags/Attributes 79/2/69
RSS Feed
Id | Enabled | Feed title | Url | Added to db
167 | | Cybersecurity on Medium | https://medium.com/feed/tag/cybersecurity | 2024-08-30 22:08
171 | | Malware on Medium | https://medium.com/feed/tag/malware | 2024-08-30 22:08
Attributes
Type | #Events | CTI Value | Value
Domain | 8 | | rule.name
Domain | 768 | | www.youtube.com
Domain | 3 | | s3cur3th1ssh1t.github.io
Domain | 50 | | cloud.google.com
Domain | 1 | | www.adlice.com
Domain | 4 | | unprotect.it
Domain | 21 | | www.joesandbox.com
Domain | 911 | | any.run
Domain | 268 | | www.virustotal.com
Domain | 207 | | learn.microsoft.com
Domain | 3 | | jsecurity101.medium.com
Domain | 1 | | research.meekolab.com
Domain | 2 | | www.phrack.me
Domain | 4 | | redops.at
Domain | 4127 | | github.com
Domain | 434 | | medium.com
Domain | 2 | | redsiege.com
Domain | 32 | | www.techtarget.com
Domain | 5 | | 0xrick.github.io
File | 1 | | attacksurfacereductionrules.json
File | 1 | | patching-etw-in-c.html
Github username | 1 | | kaidja
Github username | 1 | | tierzerosecurity
Github username | 5 | | s3cur3th1ssh1t
Github username | 1 | | helixo32
Github username | 1 | | aaaddress1
Github username | 12 | | byt3bl33d3r
Github username | 2 | | icyguider
Github username | 2 | | netero1010
Url | 1 | | https://raw.githubusercontent.com/kaidja/defender-for-endpoint/main/attacksurfacereductionrules.json
Url | 1 | | https://www.youtube.com/watch?v=ckfjlnemfvi&ab_channel=hackintheboxsecurityconference
Url | 1 | | https://kleiton0x00.github.io/posts/the-more-predictable-you-are-the-less-you-are-able-to-get-detected
Url | 1 | | https://s3cur3th1ssh1t.github.io/building-a-custom-mimikatz-binary
Url | 1 | | https://cloud.google.com/learn/what-is-encryption
Url | 1 | | https://www.adlice.com/runpe-hide-code-behind-legit-process
Url | 1 | | https://unprotect.it/technique/process-hollowing-runpe
Url | 1 | | https://unprotect.it/technique/pe-injection
Url | 1 | | https://www.joesandbox.com/#windows
Url | 8 | | https://any.run
Url | 7 | | https://www.virustotal.com/gui/home/upload
Url | 1 | | https://unprotect.it/technique/checking-memory-size
Url | 1 | | https://unprotect.it/technique/rdtscp
Url | 1 | | https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c
Url | 1 | | https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/event-tracing-for-windows--etw-
Url | 1 | | https://jsecurity101.medium.com/uncovering-windows-events-b4b9db7eac54
Url | 1 | | https://research.meekolab.com/introduction-into-microsoft-threat-intelligence-drivers-etw-ti
Url | 10 | | https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Url | 1 | | https://www.phrack.me/tools/2023/04/10/patching-etw-in-c.html
Url | 2 | | https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low
Url | 1 | | https://github.com/tierzerosecurity/edr_blocker
Url | 1 | | https://github.com/s3cur3th1ssh1t/nim-runpe/blob/main/nimrunpe.nim
Url | 1 | | https://github.com/helixo32/nimreflectiveloader/blob/main/src/runremotedll.nim
Url | 1 | | https://github.com/aaaddress1/runpe-in-memory/blob/master/runpe-in-memory/runpeinmemory/fixiat.hpp
Url | 1 | | https://github.com/byt3bl33d3r/offensivenim/blob/master/src/encrypt_decrypt_bin.nim
Url | 3 | | https://github.com/byt3bl33d3r/offensivenim
Url | 1 | | https://github.com/icyguider/nimcrypt2/tree/main
Url | 1 | | https://medium.com/p/460b5b3692e0
Url | 1 | | https://kaidojarvemets.com/simplifying-cyber-defense-how-to-configure-attack-surface-reduction-with-powershell
Url | 1 | | https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/applications-that-can-bypass-appcontrol
Url | 1 | | https://learn.microsoft.com/en-us/compliance/anz/e8-app-control
Url | 1 | | https://learn.microsoft.com/en-us/windows/win32/api/utilapiset/nf-utilapiset-beep
Url | 1 | | https://github.com/netero1010/edrsilencer
Url | 1 | | https://redsiege.com/blog/2023/04/evading-crowdstrike-falcon-using-entropy
Url | 1 | | https://www.techtarget.com/searchsecurity/definition/trojan-horse
Url | 1 | | https://0xrick.github.io/win-internals/pe1
Url | 1 | | https://offwhitesecurity.dev/malware-development/portable-executable-pe/nt-headers/optional-header/data-directories
Url | 1 | | https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
Url | 1 | | https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations#relocation
Url | 1 | | https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection#resolving