updating malware page

malware.md

@@ -29,20 +29,93 @@ title: Malware Techniques
 
 ## Compression
 
+* Combining the compressed data with decompression code into a single executable
+* Runtime packers
+* Self extractive archives
+* List of packers
+  * [Themida](http://www.oreans.com/themida.php)
+  * [Armadillo](http://www.siliconrealms.com/armadillo.php)
+  * [ASPack](http://www.aspack.com/aspack.html)
+  * [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html)
+  * [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker)
+  * [CExe](http://www.scottlu.com/Content/CExe.html)
+  * [dotBundle](http://www.dotbundle.com)
+  * [Enigma Protector](http://www.enigmaprotector.com)
+  * [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm)
+  * [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm)
+  * [eXPressor(http://www.cgsoftlabs.ro/express.html)
+  * [FSG](http://xtreeme.prv.pl/)
+  * [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/)
+  * [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&id=dev)
+  * [MPRESS](http://www.matcode.com/mpress.htm)
+  * [Obsidium](http://www.obsidium.de)
+  * [PESpin](http://pespin.w.interia.pl)
+  * [Petite](http://www.un4seen.com/petite)
+  * [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml)
+  * [Smart Packer Pro](http://www.smartpacker.nl)
+  * [Themida](http://www.oreans.com/themida.php)
+  * [UPX](https://upx.github.io/)
+  * [VMProtect](http://vmpsoft.com/products/vmprotect)
+  * [XComp/XPack](http://soft-lab.de/JoKo)
+  
 ## Obfuscation
 
+* Deliberate act of creating obfuscated code that is difficult for humans to understand
+* Plain text strings will appear as base64 or Xor
+* Malicious behavior will include junk functions or routines that do nothing to throw off the reverser.
+    * Control-Flow Flattening
+    * String Encryption
+    
+![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation")
+
 ## Persistence 
 
+* Once malware gains access to a system, it often looks to be there for a long time. 
+* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.
+
 ![alt text](https://securedorg.github.io/images/Persistence.png "Persistence")
  
-## Privilege Escalation     
+## Privilege Escalation
 
-## Defense Evasion    
+* Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
+* Common Techniques:
+  * Dll Search Order Hijacking
+  * Dll injection
+  * Exploiting a vulnerability
+    * BufferOverflow
+    * StackOverflow
+    * Headspray
+    * Return Orientated Programming (ROP)
+  * Credential Theft
+  * UAC Bypasses
+
+Example: Dll Search Order Hijacking
+![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading")
+
+## Defense Evasion   
+* Evading detection or avoiding defenses.
+* Common Techniques:
+  * Killing AV
+  * Deleting itself after a run
+  * Timebombs/Timestomping
+  * Stolen Certificates
+  * Dll Side Loading
+  * Masquerading
+  * Process Hallowing
 
 ## Credential Theft
 
+* Going after password storage
+* Keylogging passwords
+* Screenshots
+
+Example: Mimikatz credential theft
+![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating")
+
 ## Reconnaissance   
 
+* Gain knowledge about the system and internal network.
+
 ## Lateral Movement     
 
 ## Execution