diff --git a/images/CodeObfuscation.gif b/images/CodeObfuscation.gif new file mode 100644 index 0000000..b07445d Binary files /dev/null and b/images/CodeObfuscation.gif differ diff --git a/images/DLLload.gif b/images/DLLload.gif new file mode 100644 index 0000000..dc278f5 Binary files /dev/null and b/images/DLLload.gif differ diff --git a/images/mimikatzElevate.png b/images/mimikatzElevate.png new file mode 100644 index 0000000..1faa184 Binary files /dev/null and b/images/mimikatzElevate.png differ diff --git a/malware.md b/malware.md index 0613275..58b269a 100644 --- a/malware.md +++ b/malware.md 
@@ -29,20 +29,93 @@ title: Malware Techniques ## Compression +* Combining the compressed data with decompression code into a single executable +* Runtime packers +* Self extractive archives +* List of packers + * [Themida](http://www.oreans.com/themida.php) + * [Armadillo](http://www.siliconrealms.com/armadillo.php) + * [ASPack](http://www.aspack.com/aspack.html) + * [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html) + * [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker) + * [CExe](http://www.scottlu.com/Content/CExe.html) + * [dotBundle](http://www.dotbundle.com) + * [Enigma Protector](http://www.enigmaprotector.com) + * [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm) + * [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm) + * [eXPressor(http://www.cgsoftlabs.ro/express.html) + * [FSG](http://xtreeme.prv.pl/) + * [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/) + * [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&id=dev) + * [MPRESS](http://www.matcode.com/mpress.htm) + * [Obsidium](http://www.obsidium.de) + * [PESpin](http://pespin.w.interia.pl) + * [Petite](http://www.un4seen.com/petite) + * [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml) + * [Smart Packer Pro](http://www.smartpacker.nl) + * [Themida](http://www.oreans.com/themida.php) + * [UPX](https://upx.github.io/) + * [VMProtect](http://vmpsoft.com/products/vmprotect) + * [XComp/XPack](http://soft-lab.de/JoKo) + ## Obfuscation +* Deliberate act of creating obfuscated code that is difficult for humans to understand +* Plain text strings will appear as base64 or Xor +* Malicious behavior will include junk functions or routines that do nothing to throw off the reverser. 
+ * Control-Flow Flattening + * String Encryption + +![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation") + ## Persistence +* Once malware gains access to a system, it often looks to be there for a long time. +* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware. + ![alt text](https://securedorg.github.io/images/Persistence.png "Persistence") -## Privilege Escalation +## Privilege Escalation -## Defense Evasion +* Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. +* Common Techniques: + * Dll Search Order Hijacking + * Dll injection + * Exploiting a vulnerability + * BufferOverflow + * StackOverflow + * Headspray + * Return Orientated Programming (ROP) + * Credential Theft + * UAC Bypasses + +Example: Dll Search Order Hijacking +![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading") + +## Defense Evasion +* Evading detection or avoiding defenses. +* Common Techniques: + * Killing AV + * Deleting itself after a run + * Timebombs/Timestomping + * Stolen Certificates + * Dll Side Loading + * Masquerading + * Process Hallowing ## Credential Theft +* Going after password storage +* Keylogging passwords +* Screenshots + +Example: Mimikatz credential theft +![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating") + ## Reconnaissance +* Gain knowledge about the system and internal network. + ## Lateral Movement ## Execution
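Review bot: the packer list under `## Compression` has two defects that will render wrong: the `eXPressor` entry is missing the closing `]` (`* [eXPressor(http://www.cgsoftlabs.ro/express.html)` should read `* [eXPressor](http://www.cgsoftlabs.ro/express.html)`), and `Themida` appears twice, once at the top and again after `Smart Packer Pro`; drop the second entry. Several technique names in the later sections are misspelled in ways that will break searching and cross-referencing: `Headspray` should be `Heap spray`, `Process Hallowing` should be `Process Hollowing`, `Return Orientated Programming` is conventionally `Return Oriented Programming`, and the image title `"Mimkatz Elevating"` should be `"Mimikatz Elevating"`. Under `## Defense Evasion`, `Timebombs/Timestomping` conflates two unrelated techniques (delaying execution until a trigger time versus altering file MAC timestamps to hide artifacts); list them as separate bullets. Minor wording: `Self extractive archives` should be `Self-extracting archives`, and under `## Obfuscation` the statement that strings "will appear as base64 or Xor" is better phrased as "are commonly base64-encoded or XOR-encoded", since base64 is an encoding, not encryption, and the reader should not expect every sample to use one of the two.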