ITSEC Newsletter 2024-07-04

In this blog post, we will continue working on the MDA signatures, more specifically we focus on: The signature database, The loading process of the signatures, The types and layout of different signatures, A detailed discussion on two signature types: PEHSTR and PEHSTR_EXT.

Hello folks and have a good day. If u follow my blog, u might know that my two previous blog posts discussed km malware - rootkits and bootkits - focusing on the Ring 0 tricks they employ and the timeline of their appearance. I'm excited to share version two of my research paper "Windows Rootkits Guide", now titled "Windows Rootkits and Bootkits Guide," which includes even more information than the first version. The biggest addition is a deep dive into bootkit families and the techniques they use (TTPs), alongside more details about rootkit techniques.

The concept is not entirely new. EDR agents regularly communicate with central or cloud servers by sending telemetry, which includes host information, diagnostic alerts, detections, and other data. For more complex malware, the EDR agent may not terminate it immediately. Instead, the agent monitors the malware's behavior and leverages machine learning on the cloud. Once sufficient evidence is collected, the execution of the malware will be terminated. This indicates that EDR heavily relies on the cloud. Of course, the agent can still detect classic malware and techniques, such as a vanilla Mimikatz. However, without an internet connection, the EDR loses much of its effectiveness, and SOC teams cannot monitor the endpoint through the EDR management panel.