504.5 Flashcards
Ghost
Modifying the assembly of an executable to bypass EDR systems by inserting junk code. The junk code changes the binary (and therefore its signature) without changing how the program actually executes.
Defender Check
Takes a malicious file and scans it on a local Windows 10 machine with Windows Defender. If the file raises an alert, it splits the file into two smaller chunks and scans each piece independently, discarding the chunk that did not trigger the alert, until the detected portion is isolated.
Metasm Framework
Tool that uses scripts to disassemble raw payload code into ASCII assembly source code.
Keyed Payloads
A technique where the payload is encrypted using a key that is taken from an environment variable.
Living off the Land
Instead of adding third-party executables, the attacker reuses tools already present on the system to accomplish their goals, because those existing tools are generally considered non-malicious by the infected OS and its defenses.
MSBuild
A built-in Windows tool for building and executing C, C++, and C# code. An attacker can use MSBuild to run code written in any of these languages by compiling and running a source file.
Hijacking Attack
An adversary responds to a system's requests for services and pretends to be the legitimate system.
Responder
Hijacking tool that impersonates servers and harvests credentials (works with SMB and other protocols).
utmp file
Unix file storing information about all users currently logged into the system.
wtmp file
Stores information about all the users who have ever logged on to the machine.
btmp file
Stores information about bad login attempts. Often disabled by sysadmins because a file would be left around containing passwords in clear text if users entered a password into the username field and vice versa.
lastlog file
Shows information about the most recent login time and date for each user.
Persistence goals
1) Regain Access
2) Avoid Detection
3) Preserve Privileges
4) Flexible in reestablishing access
persistence_service
Metasploit module that automates creating a service which runs an automatically generated payload written to a temporary directory.
silent exit process
A target process can be launched when another process exits. Intended for developers to launch a debugger process when a monitored process terminates (normally or unexpectedly).
Real Intelligence Threat Analytics (RITA)
Offline tool that uses statistical threat identification to analyze data over time for threat hunting, rather than packet-by-packet analysis. A 24-hour packet capture is ideal.
Exploded DNS Analysis
Shows the unique sub-domains and their reference counts. Look for an irregularly high number of sub-domains under one domain.
Security Token Service
AWS service that allows users to request temporary IAM credentials with limited privileges. Also serves as a post-exploitation account enumeration technique for attackers.
WeirdAAL
Python script that automates the process of enumerating AWS access privileges and cloud assets.
AzureStealth
Windows tool for enumerating shadow admin accounts.
Pacu
AWS interrogation and attack framework similar to Metasploit. Includes several exploit and enumeration modules.
Cloud Mapper
Discovers and illustrates relationships between resources in an AWS environment.
atbroker
A way to start malware through a trusted Windows binary (atbroker.exe) so that an attacker can bypass endpoint protection.