Overview In this post, we are going to demonstrate how to build a script to automate persistence lay down via WMI Event Subscription and dynamically generated PowerShell payloads. By the end, we will have a single parameterized script that can be leveraged to establish signature resistant persistence, thus alleviating much of the tedious manual work […]
Persistence with WMI Event Subscription and PowerShell Cradles Read More »
Introduction In this article, I will present a new technique to bypass Microsoft’s Anti-Malware Scan Interface (AMSI) using API Call Hooking of CLR methods. When executed on a Windows system, this AMSI bypass will prevent the current process from passing any more data to the installed AV, thus allowing for malicious code to be loaded
New AMSI Bypass Using CLR Hooking Read More »
The purpose of this dataset is to provide raw labeled portable executables to security and AI researchers in order to improve cyber security in the industry. Many of the datasets that I have seen (such as this dataset from a Microsoft sponsored Kaggle competition) does not provide the raw binary files themselves, but rather metadata that has already been pre-extracted from the samples. This prevents a lot of potential learning that can come from exploring other features that could be extracted from the raw samples themselves.
PE Malware Machine Learning Dataset Read More »
Using static analysis of function imports to triage files in order to determine if they are legitimate or malicious.
Threat Hunting with Function Imports Read More »
What are Digital Signatures? Digital Signatures provide a way to determine whether or not I can trust a particular file. A digital signature on a file can be used to verify that the file was signed by a code signing certificate issued by a certificate authority. Then you can decide whether or not you trust
Threat Hunting with Digital Signatures Read More »
What is the PE Checksum? When the portable executable format was developed, network connections were much less reliable than they are today. It was not uncommon for the integrity of a connection to be compromised and the data being transferred to become corrupted. Additionally, it was difficult for a client to detect whether or not
Threat Hunting with the PE Checksum Read More »
Using entropy as a feature to find malware.
Threat Hunting with File Entropy Read More »
