Flying Under the Radar series
Introduction to the Flying Under the Radar series
Learning about low-level programming and the Windows operating system has always appealed to me. Paired with my equally strong interest in adversarial simulations, it may not be surprising that this has led me towards malware development, and consequently the recurring desire to defeat defensive security tooling that provides Next-Generation Antivirus (NGAV) and/or Endpoint Detection & Response (EDR) capabilities: basically, defensive tooling that boasts some kind of advanced prevention and detection capability.
There are some key considerations that impact the ability of a threat actor. As there is an element of speculation, I believe the following areas are the ones concerned:
- External Perimeter: The robustness of the areas commonly targeted by threat actors to achieve Initial Access: mail and web configurations, remote access solutions, cloud technologies, physical security, etc.
- Endpoint Hardening (Execution Prevention): What level of ability does a user or administrator have on a given Windows endpoint? Consider restrictions implemented via Group Policy Objects (GPO), Registry settings and/or application control solution(s) (think AppLocker, WDAC, etc.).
- Static Detections: You may have developed the most sophisticated malware, but if it is caught by security tooling because of the presence of its binary representation on disk, it would all have been for nothing. Being able to effectively defeat static analysis and sandboxing [1] is a desirable skill for any operator.
- Dynamic Detections: If the initial static detection scans allow the malware to exist, will the code implementations of your malware trigger detections based on the actions it performs? There are very many OPSEC considerations in this area; these mainly concern areas such as EDR bypasses.
The External Perimeter and Endpoint Hardening are quite variable concerns and are very contextual to the given entities, e.g. organisations and private individuals. Therefore, these will for the most part not be covered in this blog series. However, there is a lot more common ground when it comes to defeating Static and Dynamic Detections. The "Flying Under the Radar" blog series will therefore aim to share knowledge, considerations and techniques relating to malware development, with a focus on static and dynamic analysis evasion by leveraging low-level programming.
Rough "Flying Under the Radar" series plan:
- Part 1 - Function Resolves with x64 MASM Assembly
- Part 2 - Leveraging Indirect Syscalls (and searching for opportunities for improvements)
- Part 3 - More Obfuscation, IOCs and Detections
Note: The plan could change over time.
[1] Sandboxing - I think it's hard to place; if anything, it overlaps across the last three considerations. I believe security product sandboxing executes just before a user execution (pre-execution) or directly following a static analysis scan. However, the virtual environment can be configured in any number of ways, and some form of "dynamic" analysis is performed locally and potentially in a security vendor's cloud containers. For the purpose of the Flying Under the Radar series, I will be focusing on the pre-execution aspect of sandboxing, considering its versatility.