DRAFT - Beating EDR Detections

EDR 101

Anti-virus products used to search for static Indicators of Compromise (IOC), which typically took the form of an MD5 checksum, a URL, or a filename. Well, referencing the “Pyramid of Pain” of IOCs, we can see that these are trivial for adversaries to change. It’s not unknown for APTs to change attack infrastructure in the middle of a campaign in order to foil any attempt at detecting their static IOCs.

Enter EDR.


DRAFT - Generating Export Tables from DLLs

The Motivation

Recently, I was on a threat hunt and noticed a .dll being used on the command line by rundll32. My bad-guy radar immediately went off, as this is a common way for adversaries to execute specific functions from both legitimate and illegitimate .dll files. I tried googling the exact filename and file path, but unfortunately Microsoft does not keep a centralized directory of all of their distributed .dll files and what they do. I want to change that.
