Spoofing Call Stacks To Confuse EDRs
Tags
attack-pattern: | Data Direct Credentials - T1589.001 Hardware - T1592.001 Software - T1592.002 Tool - T1588.002 |
Common Information
Type | Value |
---|---|
UUID | b8849b0e-8263-49f2-ba79-e08cab96ba4c |
Fingerprint | 5ba65011ce0af254 |
Analysis status | DONE |
Considered CTI value | 1 |
Text language | |
Published | June 30, 2022, midnight |
Added to db | Dec. 19, 2024, 8:35 p.m. |
Last updated | Dec. 24, 2024, 12:05 a.m. |
Headline | Spoofing Call Stacks To Confuse EDRs |
Title | Spoofing Call Stacks To Confuse EDRs |
Detected Hints/Tags/Attributes | 55/1/36 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 4709 | github.com |
|
Details | Domain | 4 | doxygen.reactos.org |
|
Details | Domain | 4 | codemachine.com |
|
Details | Domain | 319 | docs.microsoft.com |
|
Details | Domain | 259 | gist.github.com |
|
Details | File | 4 | sysmondrv.sys |
|
Details | File | 2 | except.cpp |
|
Details | File | 2 | unwind_8c.html |
|
Details | File | 2 | x64_deep_dive.html |
|
Details | File | 2 | c:\users\wb\source\repos\vulcanraven\vulcanraven\vulcanraven.cpp |
|
Details | File | 2 | d:\a01\_work\43\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp |
|
Details | File | 38 | c:\windows\system32\ntdll.dll |
|
Details | File | 22 | c:\windows\system32\kernelbase.dll |
|
Details | File | 2 | c:\windows\system32\lsm.dll |
|
Details | File | 8 | c:\windows\system32\rpcrt4.dll |
|
Details | File | 25 | c:\windows\system32\kernel32.dll |
|
Details | File | 2 | vulcanraven.exe |
|
Details | File | 2335 | cmd.exe |
|
Details | Github username | 6 | mgeeky |
|
Details | Github username | 4 | cracked5pider |
|
Details | Github username | 3 | hzqst |
|
Details | Github username | 52 | microsoft |
|
Details | Github username | 7 | ccob |
|
Details | Github username | 7 | countercept |
|
Details | Github username | 3 | stephenfewer |
|
Details | md5 | 3 | fe3b63d80890fafeca982f76c8a3efdf |
|
Details | Url | 2 | https://github.com/mgeeky/threadstackspoofer |
|
Details | Url | 3 | https://github.com/cracked5pider/ekko |
|
Details | Url | 2 | https://github.com/hzqst/unicorn_pe/blob/master/unicorn_pe/except.cpp#l773 |
|
Details | Url | 2 | https://doxygen.reactos.org/d8/d2f/unwind_8c.html#a03c91b6c437066272ebc2c2fff051a4c |
|
Details | Url | 2 | https://github.com/microsoft/krabsetw/pull/191 |
|
Details | Url | 2 | https://codemachine.com/articles/x64_deep_dive.html |
|
Details | Url | 1 | https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc |
|
Details | Url | 1 | https://gist.github.com/ccob/fe3b63d80890fafeca982f76c8a3efdf. |
|
Details | Url | 2 | https://github.com/countercept/callstackspoofer |
|
Details | Url | 1 | https://github.com/stephenfewer/reflectivedllinjection |