Memory evasion and detection mechanisms
Legend: √ = evasion resource, x = detection resource
- https://blog.virustotal.com/2023/07/actionable-threat-intel-iv-yara-beyond.html
- https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures x
- https://www.elastic.co/security-labs/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks x
- https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md indirect syscall analysis x
- https://www.elastic.co/security-labs/itw-windows-lpe-0days-insights-and-detection-strategies x
- https://www.elastic.co/security-labs/effective-parenting-detecting-lrpc-based-parent-pid-spoofing
  LRPC detection can be regarded as a detection approach for broken process-creation chains (parent PID spoofing)
  LRPC WMI/COM detection x
- https://www.cobaltstrike.com/blog/cobalt-strike-and-yara-can-i-have-your-signature/ √
- https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs √
- https://unprotect.it/category/antivirus-evasion/ collection of evasion techniques
- https://github.com/grugq/grugq.github.com/blob/master/docs/phrack-62-05.txt detection algorithm (Phrack 62-05)
- backup: https://gist.github.com/bopin2020/9c21f356ca37ad3d59be5eebc98d8987
- https://nostarch.com/evading-edr
- https://nostarch.com/download/EvadingEDR_chapter6.pdf filesystem minifilter driver (sample chapter)
  Table of contents:
  - Chapter 1: EDR-chitecture
  - Chapter 2: Function-Hooking DLLs
  - Chapter 3: Process- and Thread-Creation Notifications
  - Chapter 4: Object Notifications
  - Chapter 5: Image-Load and Registry Notifications
  - Chapter 6: Filesystem Minifilter Drivers
  - Chapter 7: Network Filter Drivers
  - Chapter 8: Event Tracing for Windows
  - Chapter 9: Scanners
  - Chapter 10: Anti-Malware Scan Interface
  - Chapter 11: Early Launch Anti-Malware Drivers
  - Chapter 12: Microsoft-Windows-Threat-Intelligence
  - Chapter 13: Case Study: A Detection-Aware Attack
  - Appendix: Auxiliary Sources