Weaponization & Initial Access
Methods
Executables
dll
User Driven
Metasploit Framework Exploits
on-demand /Custom
Hosting Files
Web Driven
Must Have Protection to avoid detection
Techniques
Obfuscate Known bad in unknown
Fool AV to Stop Emulating Exe
De-obfuscate known bad and execute
Understanding endpoint security mechanisms is important
Understanding the pre-run state of exes & DLLs as seen by endpoint security mechanisms
Local Analysis
Things to be careful of
Static Analysis
Rule based
signatures
Obfuscation
Crypt it
Heuristic
looking for observable properties
Using metadata from other software
Code signing
Using dynamic function resolution; GetProcAddress
Correlation
Appending bad binary with known
Dynamic Analysis
Sandbox
Taking Advantage of Time
Taking Advantage of lack of emulation
Cloud Analysis
detonate sandbox
Application White-listing
Run payload via white-listed pro
MS Office Macro
powershell
LOLbins
DLL Sideloading
Code Execution Chain
Tradecraft Evasion
Exe and scripts
Obfuscate and avoid base64
Behavior
Avoid/Spoof parent PID/ Tailor to product
Avoid commonly abused apps
In-Memory Evasion
Thread start Address
avoid stagers
module stamping
obfuscate, change memory size header
Initial Access
Client Side Attacks
Map client side attack surface
Configure and disguise the attack
Systems profiling
Spear Phishing
Tradecraft
connect directly to mail server
Match the "From" header to the "MAIL FROM" envelope
sender policy framework
DomainKeys Identified Mail
DMARC