You're reading from Malware Analysis Techniques Tricks for the triage of adversarial software

Product type Paperback

Published in Jun 2021

Publisher Packt

ISBN-13 9781839212277

Length 282 pages

Edition 1st Edition

Languages

Python

Tools

VMware Server

Concepts

Malware Analysis

Author (1):

Dylan Barker

View More author details

Table of Contents (17) Chapters

Preface

1. Section 1: Basic Techniques

2. Chapter 1: Creating and Maintaining your Detonation Environment FREE CHAPTER

3. Chapter 2: Static Analysis – Techniques and Tooling

4. Chapter 3: Dynamic Analysis – Techniques and Tooling

5. Chapter 4: A Word on Automated Sandboxing

6. Section 2: Debugging and Anti-Analysis – Going Deep

7. Chapter 5: Advanced Static Analysis – Out of the White Noise

8. Chapter 6: Advanced Dynamic Analysis – Looking at Explosions

9. Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill

10. Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube

11. Section 3: Reporting and Weaponizing Your Findings

12. Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense

13. Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK

14. Section 4: Challenge Solutions

15. Chapter 11: Challenge Solutions

16. Other Books You May Enjoy

Behavioral prevention

Behavioral or heuristic protection is often the stuff of EDR or AV platforms. Most platforms of this nature operate on a heuristic basis and utilize key MITRE ATT&CK tactics and techniques leveraged by real-world adversaries in order to prevent the execution of malicious commands, files, or techniques. For the sake of this discussion, we'll focus on command-line style behaviors for the sake of simplicity – things such as calling mshta.exe to open malicious HTA files or calling binaries from SMB shares.

Frequently, a well-built EDR solution is going to be irreplaceable in correctly and properly blocking behavioral-based techniques utilized by adversaries. However, this is not the only methodology available to us at a pinch.

Binary and shell-based blocking

In the Unix world, the proper way to achieve something of this nature is via the use of something like rsh – a restricted shell that allows us to basically "jail" our...