Source Byte
Sober must be he who would shun love; this nature of mine does not mix with reason. Saadi Shirazi
Repost from Ralf Hacker Channel
An analogue of GetProcAddress, but written in assembly. Good...
https://github.com/WKL-Sec/FuncAddressPro
#redteam #maldev #evasion
SyzRetrospector: A Large-Scale Retrospective Study of Syzbot
credit: Ardalan Amiri Sani, Zhiyun Qian
The HKEY_CLASSES_ROOT (HKCR) key in the Windows registry is a merged view of the HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes keys. By default, only users with administrator privileges can modify the keys and values under HKCR.
If a non-administrator user attempts to write to a key under HKCR, and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system will store the information there instead of under HKEY_LOCAL_MACHINE\Software\Classes. However, writing directly to HKCR typically requires administrator access because it affects system-wide settings.
In the simplest terms possible, this registry hive contains the necessary information for Windows to know what to do when you ask it to do something, like to view the contents of a drive, or open a certain type of file, etc.
HKEY_CLASSES_ROOT\.avi
HKEY_CLASSES_ROOT\.bmp
HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\.html
HKEY_CLASSES_ROOT\.pdf
HKEY_CLASSES_ROOT\AudioCD
HKEY_CLASSES_ROOT\dllfile
...
Each of these keys stores information on what Windows should do when you double-click or double-tap a file with that extension in File Explorer. It might include the list of programs found in the "Open with..." section when right-clicking/tapping a file, and the path to each application listed.
For example, when you open a file called draft.rtf, WordPad might open it. The registry data that makes that happen is stored in the HKEY_CLASSES_ROOT\.rtf key, which defines WordPad as the program that should open the RTF file.
Repost from vx-underground
tl;dr modify shell open command (default) to malicious payload with subsequent invocation of text editor + parameters. The .txt file won't be malicious, but the thing responsible for opening them will be
¯\_(ツ)_/¯
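The two posts above describe the same mechanism from both sides: HKCU\Software\Classes is user-writable and wins in the merged HKCR view, so a per-user change to a ProgID's shell\open\command silently replaces the handler for every file of that type. The following PowerShell audit is an added example (not code from the channel or from vx-underground) that compares the HKCU and HKLM definitions for a constructed list of extensions and flags the user-side overrides and handlers living under user-writable paths; the extension list and the path pattern are assumptions for the demonstration.

```powershell
# Added example: audit file-association handlers for per-user overrides
# that shadow the machine-wide definition. Assumes Windows PowerShell 5.1+.
# The extension list below is a constructed sample, not from the original post.
$Extensions = @('.txt', '.rtf', '.pdf', '.html', '.avi')

function Get-ProgId {
    param([string]$Hive, [string]$Ext)
    # Default value of <hive>\Software\Classes\<ext> names the ProgID.
    $path = "$Hive\Software\Classes\$Ext"
    if (Test-Path -LiteralPath $path) {
        return (Get-ItemProperty -LiteralPath $path).'(default)'
    }
    return $null
}

function Get-OpenCommand {
    param([string]$Hive, [string]$ProgId)
    # Default value of <hive>\Software\Classes\<ProgID>\shell\open\command.
    $path = "$Hive\Software\Classes\$ProgId\shell\open\command"
    if (Test-Path -LiteralPath $path) {
        return (Get-ItemProperty -LiteralPath $path).'(default)'
    }
    return $null
}

foreach ($ext in $Extensions) {
    # HKCU is resolved first because it takes precedence in the HKCR merge.
    $userProgId    = Get-ProgId -Hive 'HKCU:' -Ext $ext
    $machineProgId = Get-ProgId -Hive 'HKLM:' -Ext $ext
    $progId = if ($userProgId) { $userProgId } else { $machineProgId }
    if (-not $progId) { continue }

    $userCmd    = Get-OpenCommand -Hive 'HKCU:' -ProgId $progId
    $machineCmd = Get-OpenCommand -Hive 'HKLM:' -ProgId $progId
    $effective  = if ($userCmd) { $userCmd } else { $machineCmd }

    $flags = @()
    if ($userProgId -and $userProgId -ne $machineProgId) { $flags += 'HKCU ProgID override' }
    if ($userCmd -and $userCmd -ne $machineCmd)           { $flags += 'HKCU open-command override' }
    # A handler under a user-writable directory is worth a closer look (assumed pattern).
    if ($effective -match '\\(Users|Temp|AppData)\\')     { $flags += 'handler under user-writable path' }

    [pscustomobject]@{
        Extension   = $ext
        ProgId      = $progId
        OpenCommand = $effective
        Flags       = ($flags -join '; ')
    }
}
```

Explorer's per-user UserChoice entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts can also steer which ProgID is used for double-click, so treat this check as covering the Classes merge only.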
Repost from vx-underground
"Can a .txt file be malicious?"
Short answer: No
Long answer: Anything is possible through the power of Windows HKEY_CLASSES_ROOT
Kimsucky analysis part2
https://somedieyoungzz.github.io/posts/kimsucky-2/
#malware_analysis
Repost from Source Byte
some good ETW blog posts
[ 1 ] ETW visualization
[ 2 ] Uncovering Windows Events
[ 3 ] ETW internals for security research and forensics
[ 4 ] Exploiting a “CVE-2020-1034” Vulnerability – In 35 Easy Steps or Less!
[ 5 ] Design issues of modern EDRs: bypassing ETW-based solutions
[ 6 ] A Primer On Event Tracing For Windows (ETW)
[ 7 ] Windows 10 ETW Events references collection
[ 8 ] evading EDR book [ 1 ] , [ 2 ]
[ 9 ] Detecting In-Memory Threats with Kernel ETW Call Stacks
[ 10 ] Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
[ 11 ] A Beginner's All Inclusive Guide to ETW
[ 12 ] ETW References
[ 13 ] Give Me an E, Give Me a T, Give Me a W. What Do You Get? RPC! (parses events from the RPC ETW provider)
[ 14 ] Attacks on ETW Blind EDR Sensors ( black hat con )
[ 15 ] This write-up presents a case study of using ETW (Event Tracing for Windows) to analyze a live Cobalt Strike Beacon that was still communicating with its C2 server.
[ 16 ] coming soon ...
———
@islemolecule_source