Jonas L
21 Nov, 6 tweets, 1 min read
People ask me all the time: as an advanced APT, how would you persist, avoid detection, and do you think that technique is actively used currently?

Nah, they don't, and if they did I would ask them to leave me alone.

I did have some random thoughts about it in the shower though.
These days "living off the land" is gaining popularity.

What I don't get is why there is not more "EATING the land".

If there already is functionality for your intended goal, why not use it?
A simple example is cryptolockers.... hey, we already have BitLocker for that; change some settings, maybe inject a little code, and you will avoid detection, antivirus, etc.
But what about persistence?

Well, why not reuse the built-in kernel-mode executing virtual machines?
There is even one intended for obfuscation of the code's execution.
By transforming code into Warbird bytecode and injecting it in a place like Authenticode validation you get it all:
obscurity, evasion of AV and persistent execution.

But what about stuff like C&C, surviving reboots, etc.?

Well, the filtering platform could be a fit for that: kernel mode, interpreted and obscure.

You could survive reboots as an, ummm, firewall rule I guess?
You can intercept and inject traffic into the network as you want, bypass other filters, AV, endpoints etc., while not being listed as a loaded driver nor a running exe/dll in any list that could be inspected.

Few people would even know how to approach detection of such a beast.
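One way a defender could start approaching that "beast" is to audit what the Windows Filtering Platform currently holds. The script below is an added example, not part of the thread, and it assumes the XML layout that `netsh wfp show filters` writes (root `<wfpdiag>`, one `<filters><item>` per filter, flags as `<flags><item>` entries); the `$KnownProviders` baseline list is a placeholder you fill from your own environment.

```powershell
# Added example (not from the thread): list persistent WFP filters that hand
# traffic to a kernel callout and whose provider is not in a known-good baseline.
# Assumes the filters.xml layout produced by `netsh wfp show filters file=...`.
# Run from an elevated PowerShell session.

param(
    [string]$XmlPath = "$env:TEMP\filters.xml",
    # Provider GUIDs you have baselined as legitimate (EDR, Windows Firewall, VPN).
    # Placeholder: empty means "report every persistent callout filter".
    [string[]]$KnownProviders = @()
)

# Export the live filter set to XML (netsh writes directly to the given path).
netsh wfp show filters file="$XmlPath" | Out-Null
[xml]$doc = Get-Content -Path $XmlPath -Raw

$findings = foreach ($f in $doc.wfpdiag.filters.item) {
    $flags      = @($f.flags.item)                     # e.g. FWPM_FILTER_FLAG_PERSISTENT
    $persistent = $flags -contains 'FWPM_FILTER_FLAG_PERSISTENT'
    $actionType = [string]$f.action.type               # FWP_ACTION_CALLOUT_* = callout driver runs
    $isCallout  = $actionType -like 'FWP_ACTION_CALLOUT*'
    $provider   = [string]$f.providerKey               # may be empty if no provider registered

    # Report filters that survive reboot, run kernel callout code, and are unbaselined.
    if ($persistent -and $isCallout -and ($KnownProviders -notcontains $provider)) {
        [pscustomobject]@{
            Name        = [string]$f.displayData.name
            Layer       = [string]$f.layerKey
            Action      = $actionType
            Callout     = [string]$f.action.calloutKey
            ProviderKey = if ($provider) { $provider } else { '<none>' }  # missing provider is itself notable
            FilterKey   = [string]$f.filterKey
        }
    }
}

$findings | Sort-Object ProviderKey, Layer | Format-Table -AutoSize
"Persistent callout filters from unbaselined providers: $(@($findings).Count)"
```

Run it once on a clean reference host to build `$KnownProviders`, then compare the output on hosts under investigation; cross-check any callout key reported here against `netsh wfp show state`, which lists the registered callouts and the drivers behind them.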
