A tale on the Windows API system, EDRs and malware evasion. This work is part of my dissertation paper for the BSc degree in Computing & IT, at the Derby University.
1. Introduction
Driven by financial gain, cyber-attacks have increased exponentially in the past couple of years, averaging an estimated $1.8 million per ransom, as indicated by the Unit 42 ransomware threat report (Palo Alto, 2022). However, cyber-attacks carried out by nation-state actors have also had political motivations, especially since the beginning of the Ukrainian invasion in February.
These nation-sponsored actors, also known as advanced persistent threats, or APTs, most often employ techniques and tactics designed to stay off the radar and not get detected by conventional security products. In a recent report from cybersecurity firm, Mandiant, it was estimated that the average dwell time between compromise and detection was around 21 days (Scroxton, 2022).
In an attempt to limit these attacks, companies have invested heavily in many security products such as firewalls, endpoint security, email gateways, and many others; however, malicious actors found ways to enhance their craft by developing malware capable of evading such products, and despite recent advancements in endpoint protection, the industry is far from considered safe.
On the other hand, contrary to a widespread belief that sophisticated actors use only zero-day exploits and undiscovered vulnerabilities, most attacks were carried out using standard utilities, otherwise known as living off the land binaries, already found in the Windows OS family (SentinelOne, 2020).
Emphasising the endpoint security aspect, this paper attempts to provide a holistic view of the Windows architecture from an API perspective, how modern EDRs work and their detection capabilities and standard evasion techniques, and also look at potential solutions the industry can approach.
1.1 Aims & Objectives
The study offers a clear view of the modern techniques that malware authors use to evade endpoint security products in the hope that the information gathered in the paper will guide defenders toward a more resilient security posture and allow managers to make informed decisions when purchasing commercial endpoint security solutions. Please note that proof of concept testing on a commercial EDR cannot be performed due to legal aspects, which the author’s employer later explained.
Objectives:
§ Understand how endpoint security solutions monitor and respond to malware.
§ Gather data on evasion techniques from multiple sources, including whitepapers, intelligence reports, and individual work carried out by security researchers.
§ Understand how specific techniques work from an API perspective.
1.2 Literature Review & Project Rationale
While many EDR (Endpoint Security & Response) vendors claim their products can detect a wide range of attacks, malicious actors always discover new ways to repurpose existing functionality and use it to their advantage. Defenders who often rely on the output of such security tools need a better understanding of the potential evading techniques that an attacker might use.
Unlike attacks that seek to monetise quickly, advanced persistent threats, or APTs, employ stealthier
techniques and aim to remain undetected for a considerable time (Karantzas & Patsakis, 2021); in some cases, years.
Recent security breaches have demonstrated that endpoint security is crucial to any information security
management framework. While vendors claim their products can detect and stop many attacks, malicious actors always discover new ways to repurpose existing Windows API functionality (Yosifovich et al., 2017), thus, allowing their activities to remain undetected.
An EDR product works best against publicly known exploit kits; however, experienced hackers always find ways to disable or bypass its protection mechanism; some of the standard terms related to such techniques are Userland hooking, Syscalls, P/Invoke /D-Invoke (Mosch, 2021).
This report was based on multiple sources, including news articles, conferences, academic and industry whitepapers, and work carried out by individual security researchers. A complete list of references can be found towards the end of the report.
1.3 Study Design & Methods
The research relies on information gathered from secondary sources, enabling the study to illustrate various techniques used by malware to evade endpoint security solutions.
Data will be gathered from multiple online sources, including white papers, intelligence reports, and individual work by security researchers.
Some screenshots illustrated in this report are taken from a Windows 11 OS since it is the most used operating system in many enterprises.
2. Windows Architecture
Before diving into the specifics of how an EDR protects the OS, it is essential to understand the basics of the Windows architecture, how programs, processes and memory work, and most importantly, the distinction between user-mode and kernel-mode.
At its highest level of abstraction, a process is best defined as a container for a program, having at least a portion of virtual memory allocated, an execution thread, a unique identifier commonly referred to as the process ID, and a security context.
Illustrated in Figure 1 is a portion of the Process Explorer output, an utility from Sysinternals. Here is observed the Spotify process along with several threads and process IDs.
Figure 1 — Process Explorer
Software, or programs, may vary in terms of the programming language they were created with; however, in order to interact with system services and other OS components, they run in user-mode and go through one or more subsystem DLLs such as kernel32.dll, advapi32.dll, and user32.dll. These DLLs implement the Windows API, commonly referred to as Win32, regardless of the 32-bit and 64-bit architectures.
The Windows API functions are documented procedures written in C and include subroutines such as GetMessage, CreateProcess, and others.
In addition to Win32, an underlying special system library called ntdll.dll, mostly undocumented, implements architecture-specific functions or system calls that run directly in kernel mode. The library is also responsible for supporting subsystem DLLs such as Win32 and native images or programs that do not tie with any subsystem. An example of a native image is the Session Manager process (smss.exe) (Yosifovich, et al., 2017).
Furthermore, to improve the security posture and stability of the OS, the concepts of user mode and kernel mode were introduced in the Windows NT family, with the primary differentiator between the two being the level of access to system memory and CPU instructions, the former being restrictive in terms of privilege, while the latter having full access.
Figure 2 shows a simplified blueprint of the Windows API architecture, in which a user application that requires access to, for example, a storage device, creates a path through the Win32 subsystem DLL, which in turn depends on the ntdll.dll to send a system call to kernel mode and interact with the device drivers.
Similarly, malware can take advantage of the same functionality to gain access to the kernel-mode space, which allows it to harm, including encrypting files, stealing credentials from memory, traversing the network and infecting other systems. Consequently, the IT industry was forced to develop security solutions to block these actions.
Figure 2 — Windows architecture (Yosifovich, et al., 2017)
3. Endpoint Detection and Response Systems
The evolution of cyber attacks required proportionate security solutions, and in 2013, the term EDR was formulated by Anton Chuvakin; it stands for Endpoint Detection and Response, emphasising its response capabilities, and it was designed to replace traditional antivirus security solutions that would otherwise lack the ability to log critical endpoint events and perform complex endpoint analysis. Nowadays, most security analysts rely on the output of such solutions and make use of telemetry that the EDR’s sensor records, including events such as file creation, network connections, processes, registry, and many others.
3.1 Detection Mechanisms
An EDR retains some classic AV features in detecting malware, such as file reputation checks; however, machine learning features also enhance its capabilities, especially with automatic intelligent cloud-based sandboxing and behavioural analysis. The following section looks at common detection mechanisms that an EDR employs (Crowdstrike, 2021).
3.1.1 Reputation Detection
As the name implies, detection based on the file’s reputation is usually the first step in detecting malware, and it is performed against known samples found on databases such as VirusTotal or Malware Bazaar. The EDR inspects the hash values that it calculates from files which are executed in real-time, or simply written to disk.
This type of detection works best against known adware variants that do not have the ability to adapt and change their code, unwanted software, and even known adversary tools. One of them is Mimikatz, a binary that can dump credentials from memory and be detected by almost all security products, as in the following screenshot. Note that the file was not executed, but simply written to disk, and it still got quarantined by Windows Defender.
Figure 3 — Mimikatz detection
3.1.2 Behavioural Detection
When a previously unknown executable runs on a host, the EDR inspects the binary for complexity in its data, otherwise known as entropy, and checks for any anomalistic behaviour by analysing the binary’s API calls and execution command line, network communications, patterns that match previously known malware (Whiteheart, 2019). While the sandboxing occurs locally, modern EDRs can leverage the cloud for similar indicators found on Threat Intelligence for activity matching known threat actors (TA). Many security vendors have branded this anomalistic/sandboxing analysis as machine learning or ML detection.
3.1.3 IOA Detection
So far, the above detection mechanisms are focused solely on a precise type of static digital evidence, the indicator of compromise (IOC); however, an IOA, or indicator of attack, works dynamically by continuously monitoring possible intent carried out regardless of the binary, as noted by (Kost, 2022), especially with the recent proliferation of “living off the land” binaries or LOLBins. A LOLBin is any legitimate Windows OS or third-party binary that may be used to carry out an attack (Keshet, 2022).
A good example is the recent Emotet campaign in May 2022, where the TA leveraged LNK shortcut files with embedded scripts to download a malicious payload and executed it with regsvr32, a legitimate Windows binary (Manaster, et al., 2022).
Attack chain: .ZIP -> .LNK -> PowerShell -> regsvr32
Armed with this knowledge, the security vendor or a company’s analyst could write a custom IOA that would look for LNK files executed from abnormal locations, such as the user’s downloads folder.
3.2 EDR Telemetry
The above section explains the high-level overview of detection capabilities that an EDR may have; however, it is equally important to understand how these capabilities work from an API perspective.
An EDR may use its mechanisms, but it can also rely on other sources of telemetry in order to detect and trace potential malicious activity, offering the possibility of creating smaller monitoring agents that can be deployed onto a target host.
A known fact is that the industry has produced a wide range of security products which relies on the Windows platform for logging and telemetry, specifically the Windows event tracing feature (ETW) and the antimalware scan interface (AMSI). The EDR domain is no exception and has some of the biggest brands based on ETW for detecting malicious activity.
3.2.1 EDR Hooking
Since most malware starts its execution in User Mode, EDR products have begun hooking or hijacking the normal execution flow of programs with a jmp instruction and redirecting them to the inspection modules, looking for anomalistic behaviour, suspicious function arguments, and blacklisted APIs used by common malware such as CreateRemoteThread (Red Team Experiments, n.d.). Generally speaking, most products monitor API calls originating from known DLLs such kernel32.dll and user32.dll; however, the most important one should be ntdll.dll since it contains the last API calls before a direct system call in unrestricted Kernel Mode. This interaction is illustrated in Figure 5, in which an executable that relies on APIs found in kernel32.dll is hooked upon execution and redirected to the EDR’s inspection modules.
Figure 4 — EDR hooking (Red Team Experiments 2021)
3.2.2 ETW
What was initially developed as a troubleshooting mechanism and introduced in Windows XP, the Event Tracing for Windows (ETW), has shaped the security industry by using its capacity to produce more than 50.000 event types originating from over 1000 providers, generated from both user-mode Win32 applications and kernel-mode drivers (Microsoft Documentation, 2021). These events range from file, registry, network, process, thread, drivers, and others; they can be consumed in real-time by any application that registers with ETW. However, the main advantage of ETW lies in its system-wide availability, standardised, readily available, without additional drivers installed, qualities that allow for fast ETW-based security products development.
The following diagram illustrates the relationship between the various ETW components. A consumer is any application capable of reading the capture logs from the database or through an active trace session (Microsoft Documentation, 2022).
Figure 5 — ETW Architecture (Microsoft documentation 2022)
3.2.3 AMSI
The second source of telemetry available to security products comes from the antimalware scan interface (AMSI), an API developed by Microsoft that can integrate with any security product, designed to enhance the product’s detection capabilities. According to (Microsoft Documentation, 2019), AMSI is readily available in modern Windows versions and provides a varied scope in terms of the components that it may integrate with, such as:
§ User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
§ PowerShell (scripts, interactive use, and dynamic code evaluation)
§ Windows Script Host (wscript.exe and cscript.exe)
§ JavaScript and VBScript
§ Office VBA macros
AMSI telemetry can be gathered and interrogated in two distinct ways, the first being through a provider DLL, which is usually what antimalware products use, and the second, through ETW like other events.
3.2.4 Sandboxing
Another component of an EDR continues to be local or cloud-based sandboxing, primarily used for detonating unknown binaries when all of the above cannot give a strong indicator of legitimacy or it may pose a threat to performing local analysis. This service performs an automated analysis and looks for suspicious indicators found during the binary execution. While EDRs are integrated platforms with their cloud-sandboxing capabilities, free services exist on the Internet. Figure 6 shows a sample analysis for a malicious Excel document performed using JoeSanbox. Typically, the binary’s behaviour will generate a score, which will later be the foundation for classifying the file as either malicious, suspicious, clean, or unknown.
Figure 6 — Joe’s sandbox
Looking at the above components for a typical EDR ETW-based product should accurately depict how it works, what are its main components and dependencies, but also potential blind spots that may be used to evade such a product.
3.3 EDR Evasion
While ETW and AMSI documentation is freely available for anyone with Internet access, the EDR’s inspection code remains closed-source, posing a challenge for security researchers and threat actors alike.
Circling back to the EDR hooking mechanisms, there is a known fact that many products will make use of a jmp instruction to redirect the execution flow of a program; however, knowing exactly where the detour happens would only be possible by having access to a host with the EDR agent installed. In this case, two instances would facilitate this access: the company’s internal research team or the customer’s security team; however, for a threat actor, that would present a complicated challenge.
What was long theorised came to fruition earlier this year in March, when the invasion of Ukraine created a divide between members of the Conti Group. In February 2022, an anonymous account on Twitter disclosed several files containing Jabber conversations spanning a couple of years. Researchers found that the group, possibly others, are using legitimate companies as a front and buying many security products, especially in the EDR sphere (CYFIRMA, 2022).
Once a threat actor has access to an EDR product, it can begin its payload evasion testing by looking for hooking points, monitoring API calls, and generating telemetry. All of this can be achieved with various open-source tools such as x64dbg, but most folks working in the evasion space are leveraging a project named Telemetry Sourcerer. According to its GitHub project page, this tool can disable common telemetry sources used by EDR, enumerate kernel-mode callbacks, and detect user mode hooks, as illustrated in Figure 7.
Figure 7 — Telemetry Sourcerer
Equipped with a couple of EDR products, a threat actor can begin to leverage Telemetry Sourcerer or other debug tools and look for execution paths that would not trigger a detection. Research shows that the most common evasion techniques that attackers and security researchers focus on are some of the following:
§ Process Injection
§ DLL Side-Loading
§ Obfuscation
§ Memory-Only
§ Defense Tampering
3.3.1 Process Injection
As pointed out in an earlier section, a process has a lot of resources allocated when running, including a potentially elevated security context, e.g. local administrator or even the SYSTEM account, making process injection a looked-for technique by many threat actors (MITRE, 2021). For the past couple of years, security researchers or threat actors have found various injection methods for bypassing EDR products; however, in their most basic form, these approaches have followed a typical model but with slight changes. Figure 8 details the execution flow for one of many injection methods named process hollowing.
Figure 8 — Process Hollowing
The flow begins with the CreateProcess API call, which spawns a “sacrificial” process as simple as Paint or Calculator in suspended mode, using the CREATE_SUSPENDED flag. As a side note, when malware creates a process in User Mode, it cannot gain higher privileges than the spawned process; therefore, some adversaries are leveraging other utilities such as the Task Scheduler for privilege escalation (Vögele, 2022).
The second stage involves one of the unmapping APIs that will empty the process memory and make room for the malware payload.
Next, a memory section is allocated with the VirtualAllocEx API call, followed by another call for setting up a process thread context.
Finally, after all the memory and thread parameters are set, the process is resumed from its previously suspended state. The malicious code can now run within the context of a legitimate process.
3.3.2 DLL Side-Loading
Malicious actors heavily abuse another interesting technique that relies on Windows’s mechanisms for loading dependencies, specifically, the shared libraries used by various software (Krishnasamy, et al., 2021). When a particular program runs, in addition to its code, it loads additional libraries or DLLs that perform multiple functions such as network connectivity, encryption, or other requirements. Utilities such as Process Monitor allow security professionals and hackers alike to view which DLLs are loaded by a specific program, an example illustrated in Figure 9, where the Windows 11 Calculator application loads its dependencies.
Figure 9 — Process Monitor
This attack works well because of the inherited Windows search order when dependencies are loaded, a concept illustrated in Figure 10.
When an application loads a shared library, the search order starts from code already loaded in memory and progresses from its directory to common locations such as the System32 or the environment paths (Hsu, 2022). As imagined, this leaves room for threat actors to abuse this behaviour. A good example is a recent discovery on 15 July 2022 by multiple security researchers and media outlets, who reported on Twitter a technique shift in the QakBot malware, which uses DLL search order to infect computers. Below is the complete attack chain, illustrated in Figure 11.
Figure 10 — DLL search order
Figure 11 — QakBot analysis
The author of this project performed the analysis of a QakBot sample on 15 July using a private malware analysis system; here, it can be observed that a copy of a legitimate calc.exe gets copied to a temporary location alongside a few malicious DLLs. When the calc.exe program gets executed, it relies on WindowsCodecs.dll as a dependency; however, based on its current directory, it will first load the malicious DLL from the current directory, according to the search order illustrated in Figure 10.
3.3.3 Obfuscation
Obfuscation is yet another technique that makes malware more difficult to dissect through conventional automatic analysis tools, allowing encrypted, compressed, or archived payloads to stay undetected. There are multiple ways to obfuscate malicious code; however, most threat actors create payloads using a mix of transformation encryption cyphers, encoding, packing and string operations such as concatenation, with some of the most popular operations being base64 encoding alongside an exclusive OR (XOR) (Malviya, 2020). Recent research from Akamai shows that over 25% of malicious JavaScript is obfuscated (Cyware, 2021).
Figure 12 shows a simple transformation technique using a public service such as CyberChef, in which a simple text string “University of Derby” gets converted into “VW5pdmVyc2l0eSBvZiBEZXJieQ==”.
Figure 12 — Base64 encoding
However, the above example is a simplified version of what can be achieved with code obfuscation. Figure 13 illustrates a PowerShell command line from an actual malware sample analysed by (Ring Zero Labs, 2020) that uses multiple transformation layers.
Figure 13 — Obfuscated VBA — Ring Zero Labs, 2020
The above example uses obfuscation at the command line, includes a couple of variables used for character substitution, and includes a key for the XOR operation on the text. This will later decode to C# code, triggering a second stage download, most likely establishing a command and control channel, otherwise known as C2 (Dahan, 2022).
3.3.4 Memory-Only
The first three evasion methods are primarily used as an initial access vector; however, attackers have changed their craft for more complex operations, such as enumerating domain service accounts, privilege escalation, lateral movement, or even data exfiltration. They are now using fileless malware, which runs only in memory in most cases, executing under the form of .NET assemblies or obfuscated PowerShell running with the IEX flag. This is incredibly convenient since both frameworks are found on almost all Windows versions, and no additional components are needed to be pre-installed (Cybereason Team, 2019).
A typical attack that involves the usage of fileless malware has at its core a C2 communication channel established beforehand with the help of a beacon that may communicate with the attacker through a variety of well-known protocols such as HTTPS or DNS since many organisations heavily use both, and firewalls do not block them (Grimmick, 2021). In addition to the chosen protocol, an attacker can use redirectors and public cloud services, which adds an additional layer of secrecy by blending in with legitimate traffic (bigb0ss, 2021). Figure 14 illustrates the concept used where AWS is used as a proxy for C2 traffic.
Figure 14 — AWS Cloud Fronting
Once a communication channel has been established, the threat actor can instruct the beacon to run a shellcode that would inject directly into the beacon’s memory. Tools such as Donut created by (TheWover, 2019) can convert known attack tools into shellcode.
3.3.5 Defence tampering
Lastly, tampering with the security product itself is also an evasion method used by criminal actors by attempting to patch ETW and AMSI API system calls such as NtTraceEvent, EventWrite, or EtwEventWrite. Once these calls are patched, the functionality to send event logs is disabled, therefore, rendering the EDR completely useless. There are multiple ways to attack ETW, and Figure 15 shows the threat modelling of different ETW components. As of 2021, there were at least 36 techniques for tampering with ETW.
Figure 15 — ETW Threat Modelling (Binarly Team, 2021)
AMSI can also be bypassed using in-memory patching system calls or a simple PowerShell downgrade to version 2, allowing attackers to run malicious scripts (Pentest Laboratories, 2021). Worth noting that as of 2022, not all vendors support AMSI.
Please note that sophisticated actors can leverage the above evasion mechanisms combined in order to achieve a high level of stealth. For example, a malicious actor can take advantage of an encrypted C2 channel to drop a beacon, run a .NET assembly in memory, patch ETW and AMSI, and perform process injection into high-privilege processes.
4. Solutions
While the above evasion techniques only scratch the surface of known methods for evading security products, some solutions have been discussed within the industry to address these detection gaps, specifically by protecting the ETW session, increasing collaboration between independent security researchers and major EDR vendors, implementing post-exploitation detection, and others.
4.1 ETW Kernel Memory Protection
One of the mechanisms to protect ETW sessions is to protect the NT kernel memory areas that hold security descriptors for DefenderApiLogger, the logger for the Microsoft Defender. These descriptors are stored in the WMI_LOGGER_CONTEXT. SecurityDescriptor.Object, and are responsible for protecting the Defender’s ETW session, as explained by Igor Korkin, a kernel security researcher (Korkin, et al., 2022).
His proposal and proof of concept to address this issue resulted in the development of MemoryRanger, a hypervisor-based memory protection mechanism that isolates kernel memory when a new driver, potentially malicious or exploitable, is loaded into the kernel space. One example was first discovered in 2020 during the RobbinHood ransomware attack when malicious actors took advantage of a vulnerable Gigabyte driver to tamper with security products (Abrams, 2020). Figure 16 illustrates the MemoryRanger architecture.
Figure 16 — MemoryRanger architecture
MemoryRanger uses virtualisation technologies such as VT-x and extended page tables (EPT) to create isolated kernel spaces for newly loaded drivers, thus, preventing them from escalating privileges and tampering with security descriptors.
4.2 Strategic Alliances
While this solution may not directly address the ETW problem, a much-needed ability needed in the security industry continues to be data and knowledge shared among vendors, a key element in transforming the traditional security operations centre (SOC), which in many enterprises relies on multiple tools that do not necessarily provide a unified approach to detection capabilities, enhanced intelligence and threat analysis.
CrowdStrike started one such initiative named CrowdXDR Alliance, a project that gathers other security vendors and creates an ecosystem for combined thread-centric detection and response, resulting in high-fidelity alerting. Vectra, a cloud-based security solution for detecting threats in multi-cloud and hybrid environments, is one of the latest partners to join the alliance in July 2022 (Vectra, 2022).
4.3 Better Collaboration
One of the most significant gaps in the EDR space remains a big disconnect between independent, respectable security researchers and the vast majority of vendors who do not benefit from their expertise and incorporate detection models based on their research. This allows attackers to get ahead of the game, learn from this research, which most of it is in the public domain, and develop exploits.
A good example is a security researcher and reverse engineer known by his Twitter handle as x86matthew, who develops proof of concepts for various evasion and process injection techniques on a recurrent basis. Aside from x86matthew, other researchers disclose a ton of information on Twitter. Figure 17 illustrates a screenshot from his website detailing a model for embedding an executable inside a registry file with automatic execution.
Figure 17 — x86matthew 2022
As a result, EDR vendors should develop programmes in a bug-bounty fashion that will considerably enhance their detection capabilities.
4.4 Pre/Post Exploitation Mitigations
Lastly, while an EDR solution may not be able to protect a company from every exploitation attack, organisations can employ a threat hunting approach and implement signatures that can prevent initial attack vectors such as phishing emails or post-exploitation activities such as gaining domain administrative privileges.
Post-exploitation activities such as getting high-privileged domain credentials could be detected based on a threshold for the number of Kerberos tickets using obsolete encryption requested in a specific time frame.
For example, emails can be checked for authenticity using known protocols such as SPF, DKIM and DMARC, drastically limiting the amount of spam and phishing emails an organisation receives. Figure 18 exemplifies how these protocols work together.
Figure 18 — SPF, DKIM, DMARC (Picard 2021)
Essentially, DMARC is built on top of SPF and DKIM; should any of these signatures fail, the DMARC will fail as well, and depending on the configured policies, it can reject the email or place it into quarantine.
5. Conclusion
This work looked at some core elements that most security professionals should familiarise themselves with, including an explanation of the core Windows architecture concepts and the standard capabilities of an endpoint security product. Moreover, the paper clarified a couple of evasion techniques used in the current security landscape, potential solutions to these products, and their reliance on old Microsoft technologies such as ETW. In protecting a company’s environment, future solutions should arise from both the vendor and the customer, including better collaboration with security researchers and a threat hunting methodology within the SOCs.
Lastly, future work should focus on protecting ETW sessions, creating memory isolation layers, or building security products based on newer technologies.
References
Abrams, L., 2020. Ransomware Exploits GIGABYTE Driver to Kill AV Processes. [Online]
Available at: https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/
[Accessed 21 July 2022].
bigb0ss, 2021. [RedTeam] C2 Redirector — Cloud Fronting Setup (AWS). [Online]
Available at: https://bigb0ss.medium.com/redteam-c2-redirector-cloud-fronting-setup-aws-e7ed561a3a6c
[Accessed 19 July 2022].
Crowdstrike, 2021. WHAT IS ENDPOINT DETECTION AND RESPONSE (EDR)?. [Online]
Available at: https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/
[Accessed 14 June 2022].
Cybereason Team, 2019. Fileless Malware 101: Understanding Non-Malware Attacks. [Online]
Available at: https://www.cybereason.com/blog/fileless-malware
[Accessed 19 July 2022].
CYFIRMA, 2022. Look Inside Ransomware Gang Through Conti Leaks. [Online]
Available at: https://www.cyfirma.com/blogs/look-inside-ransomware-gang-through-conti-leaks/
[Accessed 1 July 2022].
Cyware, 2021. Over 25% of Malicious JavaScript Code is Obfuscated. [Online]
Available at: https://cyware.com/news/over-25-of-malicious-javascript-code-is-obfuscated-77993ff5
[Accessed 18 July 2022].
Dahan, M., 2022. What are command and control attacks and what can you do to avoid them?. [Online]
Available at: https://www.comparitech.com/blog/information-security/command-and-control-attacks/
[Accessed 18 July 2022].
Grimmick, R., 2021. What is C2? Command and Control Infrastructure Explained. [Online]
Available at: https://www.varonis.com/blog/what-is-c2
[Accessed 18 July 2022].
Hsu, S., 2022. Threat Spotlight — DLL Hijacking (and .NET). [Online]
Available at: https://stillu.cc/threat-spotlight/2020/09/16/dll-hijacking/
[Accessed 17 July 2022].
Keshet, Y., 2022. What Are LOLBins and How Do Attackers Use Them in Fileless Attacks?. [Online]
Available at: https://www.cynet.com/attack-techniques-hands-on/what-are-lolbins-and-how-do-attackers-use-them-in-fileless-attacks/
[Accessed 25 June 2022].
Korkin, I., Teodorescu, C. & Golchiko, A., 2022. Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors. [Online]
Available at: https://www.youtube.com/watch?v=wZG0h1q7fMg&t=1260s
[Accessed 21 July 2021].
Kost, E., 2022. What are Indicators of Attack (IOAs)? How they Differ from IOCs. [Online]
Available at: https://www.upguard.com/blog/what-are-indicators-of-attack
[Accessed 25 June 2022].
Krishnasamy, V., Karthickkumar & Jaiswal, S., 2021. REvil Ransomware Uses DLL Sideloading. [Online]
Available at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/
[Accessed 16 July 2022].
Malviya, N., 2020. Using Base64 for malware obfuscation. [Online]
Available at: https://resources.infosecinstitute.com/topic/using-base64-for-malware-obfuscation/
[Accessed 18 July 2022].
Manaster, C., George, G. & Elio , B., 2022. Emotet Analysis: New LNKs in the Infection Chain — The Monitor, Issue 20. [Online]
Available at: https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain
[Accessed 26 June 2022].
Microsoft Documentation, 2019. Antimalware Scan Interface (AMSI). [Online]
Available at: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
[Accessed 29 June 2022].
Microsoft Documentation, 2021. About Event Tracing. [Online]
Available at: https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing
[Accessed 28 June 2022].
Microsoft Documentation, 2022. Instrumenting Your Code with ETW. [Online]
Available at: https://docs.microsoft.com/en-us/windows-hardware/test/weg/instrumenting-your-code-with-etw
[Accessed 29 June 2022].
MITRE, 2021. Process Injection: Portable Executable Injection. [Online]
Available at: https://attack.mitre.org/techniques/T1055/
[Accessed 14 July 2022].
Palo Alto, 2022. Ransomware Threat Report, s.l.: s.n.
Pentest Laboratories, 2021. AMSI BYPASS METHODS. [Online]
Available at: https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
[Accessed 20 July 2022].
Red Team Experiments, n.d. Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs. [Online]
Available at: https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
[Accessed 30 June 2022].
Ring Zero Labs, 2020. Obfuscated VBA, Powershell, C#. [Online]
Available at: https://www.ringzerolabs.com/2020/10/obfuscated-vba-powershell-c.html
[Accessed 18 July 2022].
Scroxton, A., 2022. Median threat actor ‘dwell time’ dropped during 2021. [Online]
Available at: https://www.computerweekly.com/news/252516081/Median-threat-actor-dwell-time-dropped-during-2021
[Accessed 3 August 2022].
SentinelOne, 2020. How Attackers Use LOLBins In Fileless Attacks. [Online]
Available at: https://www.sentinelone.com/blog/how-do-attackers-use-lolbins-in-fileless-attacks/
[Accessed 3 August 2022].
TheWover, 2019. Donut. [Online]
Available at: https://github.com/TheWover/donut
[Accessed 20 July 2022].
Vectra, 2022. Vectra Joins CrowdStrike’s CrowdXDR Alliance as a Partner. [Online]
Available at: https://en.prnasia.com/releases/apac/vectra-joins-crowdstrike-s-crowdxdr-alliance-as-a-partner-368884.shtml
[Accessed 21 July 2022].
Vögele, J.-F., 2022. LOLBin Attacks With Scheduled Tasks (T1053.005) and How To Detect Them. [Online]
Available at: https://www.linkedin.com/pulse/lolbin-attacks-scheduled-tasks-t1503005-how-detect-them-v%C3%B6gele/
[Accessed 15 July 2022].
Whiteheart, 2019. Entropy Analysis : A critical test for malware’s.. [Online]
Available at: https://whiteheart0.medium.com/entropy-analysis-a-critical-test-for-malwares-69939f5b8b1
[Accessed 20 June 2022].
Yosifovich, P., Ionescu, A., Russinovich, M. E. & Solomon, D. A., 2017. Windows Internals Seventh Edition. In: s.l.:Microsoft Press.
