Linenoise
by Phrack Staff
Phrack Magazine Issue 71, article 3
https://phrack.org/issues/71/3.html
| Notes |
|---|
| Practical tips and thoughts to improve your malware stealthiness and increase dwell time |
| LOLBAS |
| ShellExecute InstallScreensaver API |
| fake entry point trick |
| Mocoh Polymorphic Engine |
| TTPs |
| evasion tactics |
| malware scene evolution |
| dwell time |
| FUDness - Fully UnDetectable |
| Windows Messaging System |
| port knocking |
| the devil is in the details |
| avoid patterns, reinvent the wheel |
| Windows Crypto API |
| false assumption: ransomware will use Crypto API |
| code reuse as attribution |
| staged vs non-staged malware |
| relays + multi-protocol command and control |
| NetFlow |
| metadata |
| IP flow tuple |
| force analysts to consider all protocols |
| C2 infrastructure obfuscation |
| port knocking + raw sockets = stealth bind |
| FASM syntax |
| TTL |
| ioctlsocket API |
| SIO_RCVALL |
| sniffing |
| reverse shell |
| packet |
| netstat |
| System Informer |
| TCPview |
| WireShark |
| DLP |
| WinPcap |
| Windows Messaging System persistence |
| WM_SYSCOMMAND |
| SC_MONITORPOWER |
| wParam |
| HWND_BROADCAST |
| RunOnce key |
| BSOD |
| WM_QUERYENDSESSION |
| WM_ENDSESSION |
| MessageBoxA |
| CreateWindowEx |
| ExitProcess |
| GetMessage/SendMessage |
| RegCreateKeyExA |
| DefWindowProc |
| GetModuleFileName |
| RegCloseKey |
| PostQuitMessage |
| “Forbes - Why the Dwell Time of Cyberattacks Has Not Changed” |
| Microsoft 2021 - System shutdown messages |
| Microsoft 2021 - Cryptography functions |
| RFC 3954 - NetFlow Version 9 |
| Bugs in Evolution Software Building Access Control Software |
| Building Access Control |
| CTF |
| add a user to the system |
| get a user’s card data |
| PoC |
| Python requests |
| BeautifulSoup |
| argparse |
| re |
| evildaemond |
| Evolution Software |
| The Weaponization of Automation by Xenon Hexaflouride |
| AI |
| automation |
| righteous hacks |
| ML |
| expert systems |
| runbooks |
| mechanical turks |
| buzzword |
| AI poisoning |
| swatting |
| phreaking |
| Halo teabagging |
| Brian Krebs |
| SWAT |
| false positive |
| VirusTotal |
| signature-based detection |
| URL reputation - often done anonymously or by IT staff |
| low-hanging fruit |
| public databases |
| business application |
| low-prevalence files |
| dropper |
| Epic Medical Software |
| Kaspersky attacks |
| .rsrc section |
| DMCA |
| Automated Copyright Enforcement |
| YouTube ContentID |
| Sony BMG |
| The Orchard |
| Propellerheads - History Repeating |
| Riding with the Chollimas |
| Mauro Eldrich |
| Quetzal Team |
| Argentina |
| Uruguay |
| Bitso |
| web3 |
| APT |
| Fancy Lazarus |
| Ransom DDoS |
| Lazarus |
| Labyrinth Chollima, Velvet Chollima |
| Qianlima/Senrima |
| North Korean Chollima Movement |
| CrowdStrike |
| DarkSeoul |
| Sony and Bangladesh Bank hack |
| Ronin, Horizon bridges |
| WannaCry |
| GMT |
| EDR |
| CTI |
| OSINT |
| Juan Brodersen |
| QR code |
| CrowdStrike Falcon |
| QRLog |
| base64 - QUIET_ZONE_DATA |
| .java file extension |
| UAC bypass |
| 0-day |
| VirusTotal |
| random string |
| carelessness with maldev |
| Maximiliano Firtman |
| AlienVault OTX |
| GitHub |
| LetsEncrypt |
| VPS |
| Log4j |
| Jokerspy |
| Cobalt Strike |
| IoC |
| Tox |
| attribution |
| Telegram |
| SSH brute forcing |
| TA |
| honeypot |
| snitches get stitches |
| DPRK RGB |
| threat intelligence |
| attacker infrastructure |
| IP address |
| AWS |
| corporate espionage |
| AstraZeneca |
| Daily NK |
| WMD |
| cyberwarfare |
| People’s Armed Forces |
| Kim Jong-Un |
| HC3 |
| CISA |
| Sigal Mandelker |
| malware campaign |
| OPSEC failure |
| home directory and folders as attribution |
| The Hacker News |
| SentinelOne |
| SC Magazine |
| Master of Puppets - turning AV sandboxes into a botnet |
| Grzegorz Tworek |
| “static analysis is losing value as the main method of knowing what happens in the infected system” |
| “virtual machines are cheaper, more reliable, easier to orchestrate” |
| Internet |
| DNS |
| NTP |
| HTTP |
| EXE file |
| malware detonation, sandbox |
| PE file |
| dumpbin.exe |
| DLL |
| Antivirus |
| imphash |
| .rdata, .rsrc, .data sections |
| C |
| source code |
| ifdef, define macros |
| preprocessor |
| SNMP |
| Bcrypt |
| compile malware every time it is downloaded |
| BCryptSecretAgreement |
| red herring |
| Visual Studio |
| Tiny C Compiler |
| Fabrice Bellard |
| CGI |
| Microsoft IIS |
| parent-child |
| _wsystem() |
| C2 communication |
| User-Agent |
| D-1521 computer |
| ISAPI |
| libtcc.dll |
| tcc.exe |
| compiler optimization |
| WAF |
| WAN |
| bandwidth |
| reverse proxy |
| load balancer |
| Terms of Service (TOS) |
| Google - Tracking Malware Import Hashing |
| Ciphers by Ritter Randc.html |
| TrollAV |
| Learning an ISA by force of will |
| iximeow |
| whitequark |
| instruction set, instruction |
| firmware |
| Robert Xiao |
| Dragon CTF |
| “resize the window until it looks right” trick for looking at raw data |
| processor |
| ARM |
| 8080/6502 |
| xxd, vim |
| head |
| opcode, operand |
| function prologue, function epilogue |
| control flow |
| ALU |
| register |
| xor instruction |
| calling convention |
| binja |
| https://github.com/whitequark/binja-averna |
| https://github.com/prehistoricman/AV7300 |
| Averna processors |
| disassembler |
| yaxpeax-averna |