Presentation I gave at Drexel’s Nerd Night titled “Practical Applications of Reverse Engineering using NSA’s GHIDRA”.
Anti-virus products used to search for static Indicators of Compromise (IOCs), which typically took the form of an MD5 checksum, a URL, or a filename. Well, referencing the “Pyramid of Pain” of IOCs, we can see that these are trivial for adversaries to change. It’s not unknown for APTs to change attack infrastructure in the middle of a campaign in order to foil any attempt at detecting their static IOCs.
Recently, I was on a threat hunt and noticed a .dll being used in the command line by rundll32. My bad-guy radar immediately went off, as this is a common way for adversaries to execute specific functions from both legitimate and illegitimate .dll files. I tried Googling the exact filename and filepath, but unfortunately Microsoft does not keep a centralized directory of all of their distributed .dll files and what they do. I want to change that.
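As an added illustration of the rundll32 pattern described above (example code, not from the original post), this Python check parses process command lines, pulls out the DLL path and entry point that rundll32 was asked to run, and surfaces the traits a hunter would want to see first. The sample command lines and the trusted/user-writable directory lists are constructed assumptions, not the author's data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample process command lines (not real telemetry) to run the check over.
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll',
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,#1',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\ieframe.dll,OpenURL https://example.test',
    r'rundll32.exe C:\ProgramData\cache\helper.dll,Install',
    r'notepad.exe C:\Users\alice\notes.txt',
]
# rundll32 syntax: rundll32[.exe] <dll>[,<entrypoint>] [args]; the image path may be quoted.
RUNDLL_RE = re.compile(
    r'^(?:"[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^\s,]+)(?:,(?P<entry>\S+))?',
    re.IGNORECASE,
)
# Where a DLL invoked via rundll32 normally lives on a stock install (assumed list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories an unprivileged user can write to; a DLL loaded from here deserves a look.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

@dataclass
class Finding:
    dll: str
    entry: Optional[str]
    reasons: List[str] = field(default_factory=list)

def parse_rundll32(cmdline: str):
    # Return (dll_path, entrypoint) for a rundll32 invocation, else None.
    m = RUNDLL_RE.match(cmdline.strip())
    return (m.group("dll").strip('"'), m.group("entry")) if m else None

def assess(cmdline: str) -> Optional[Finding]:
    # Flag the traits that separate an odd rundll32 call from a routine one.
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    f = Finding(*parsed)
    low = f.dll.lower()
    if not low.startswith(TRUSTED_DIRS):
        f.reasons.append("DLL outside System32/SysWOW64")
    if any(d in low for d in USER_WRITABLE):
        f.reasons.append("DLL in a user-writable directory")
    if f.entry and f.entry.startswith("#"):
        f.reasons.append("export called by ordinal rather than name")
    return f

def hunt(cmdlines: List[str]) -> List[Finding]:
    # Keep only rundll32 invocations that raised at least one reason.
    return [f for c in cmdlines if (f := assess(c)) and f.reasons]
```

A stock system DLL called by name from System32 yields an empty reason list, so only the two constructed outliers come back from hunt().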