Forwarded from Frey
rockyou2024.zip.011 (3.9 GB)
rockyou2024.zip.012 (2.6 GB)
Research into removing strings & API call references at compile-time (Anti-Analysis)
An example in C/C++ of how we can remove static string & function call references by using obfuscation paired with runtime function pointers. As a result, static analysis using tools such as IDA or x64dbg increases in time/difficulty. You may be able to hide specific API calls from anti-malware systems. On the other hand, some AVs might also flag this behavior as malicious due to the lack of "real-looking behavior" in the binary.
#malware_dev #evasion
CBS - Custom Breakpoint Setter
This is an IDA plugin, written in Python, that sets a disabled breakpoint on a specific instruction mnemonic.
credit : AmirMohammad Jahangirzad
https://github.com/Reodus/CBS
Forwarded from Bauka
Zhassulan_Zhussupov_Malware_Development_for_Ethical_Hackers_Learn.pdf (51.5 MB)
Red Team infrastructure hardening resources
This wiki is intended to provide a resource for setting up a resilient Red Team infrastructure. It was made to complement Steve Borosh (@424f424f) and Jeff Dimmock's (@bluscreenofjeff) BSides NoVa 2017 talk "Doomsday Preppers: Fortifying Your Red Team Infrastructure" (slides).
[+] GitHub
[ Slides ]
#c2 #redteam
Silently install Chrome extensions by modifying the configuration file
In practice, Chrome usually turns on remote debugging, which is a very risky approach.
https://syntax-err0r.github.io/Silently_Install_Chrome_Extension.html
#chrome #extension
IAT-Tracer V2
IAT-Tracer V2 is a plugin for the Tiny-Tracer framework.
Now, you can automatically trace and watch any Windows API function a binary uses, whether imported or *dynamically resolved*.
credit : Yoav Levi
https://github.com/YoavLevi/IAT-Tracer
Windows Internals Learning Resources
credit : Patrick Matula
A summary of learning resources in the categories:
+ Windows Internals
+ Windows Debugging and Troubleshooting
+ Windows Performance
+ Windows Programming
https://github.com/pmatula/Windows-Internals-Learning-Resources
https://github.com/mgeeky/ProtectMyTooling
Holy tool for red teamers
Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring.
Emulating inline decryption for triaging C++ malware
[ Blog ]
References:
+ Glory Sprout string decryptor: gsprout_string_decryption.py
+ Glory Sprout hash resolver: gsprout_api_resolver.py
+ GlorySprout sample: MalwareBazaar
+ Insight from GlorySprout and Taurus Stealer: RussianPanda Research Blog
+ Let's play (again) with Predator the thief
+ An In-Depth analysis of the new Taurus Stealer
#malware_analysis
Unauthenticated SSRF on Havoc C2 teamserver via spoofed demon agent
Credit : Evan Ikeda
https://blog.chebuya.com/posts/server-side-request-forgery-on-havoc-c2/
Forwarded from Iman
Hello. I wrote a short piece to help understand the process that takes place in the kernel on a null dereference (x86 architecture), and talked a bit about the kernel's Virtual Memory Management. It might also be interesting for those working on kernel-side vulnerabilities:
https://imanseyed.github.io/posts/the-flow-of-the-kernel-upon-receiving-a-sigsegv-for-null-dereferene/
The Flow of the Kernel Upon Receiving a SIGSEGV for Null-Dereference
11 Strategies of a World-Class Cybersecurity Operations Center
by mitre
Strategy 1: Know What You Are Protecting and Why
Strategy 2: Give the SOC the Authority to Do Its Job
Strategy 3: Build a SOC Structure to Match Your Organizational Needs
Strategy 4: Hire AND Grow Quality Staff
Strategy 5: Prioritize Incident Response
Strategy 6: Illuminate Adversaries with Cyber Threat Intelligence
Strategy 7: Select and Collect the Right Data
Strategy 8: Leverage Tools to Support Analyst Workflow
Strategy 9: Communicate Clearly, Collaborate Often, Share Generously
Strategy 10: Measure Performance to Improve Performance
Strategy 11: Turn up the Volume by Expanding SOC Functionality