modified in the last day
persistence/registry
persist via TelemetryController registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Netsh registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Print Monitors registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via AutodialDLL registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via DOTNET_STARTUP_HOOKS registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via .NET DbgManagedDebugger registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Explorer tools registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via COR_PROFILER_PATH registry value
j.j.vannielen@utwente.nl
persistence/registry
persist via Windows Error Reporting registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via UserInitMprLogonScript registry value
j.j.vannielen@utwente.nl
persistence/registry
persist via AutoplayHandlers registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via default file association registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via AeDebug registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via hhctrl COM hijack
j.j.vannielen@utwente.nl
persistence/registry
persist via HtmlHelp Author registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via TS InitialProgram registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via TimeProviders registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Group Policy registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via AppX registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via BootVerificationProgram registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Disk Cleanup Handler registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via PATH registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via RDP startup programs registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via App paths registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Filter Handlers registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via AMSI registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via SilentProcessExit registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via LSA registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Command Processor registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Natural Language registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via AppCertDlls registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Image File Execution Options registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via COM hijack
j.j.vannielen@utwente.nl
persistence/registry
persist via ContextMenuHandlers registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Network provider registry key
j.j.vannielen@utwente.nl
persistence/registry
persist via Code signing registry key
j.j.vannielen@utwente.nl
persistence/scheduled-tasks
schedule task via schtasks
0x534a@mailbox.org, j.j.vannielen@utwente.nl
persistence/screensaver
persist via screensaver registry key
michael.hunhoff@mandiant.com
host-interaction/process/create
execute shell command via Windows Remote Management
michael.hunhoff@mandiant.com
persistence/registry
persist via Active Setup registry key
moritz.raabe@mandiant.com
persistence/registry/appinitdlls
persist via AppInit_DLLs registry key
michael.hunhoff@fireye.com
persistence/registry/winlogon-helper
persist via Winlogon Helper DLL registry key
0x534a@mailbox.org, j.j.vannielen@utwente.nl
persistence/registry/run
persist via Run registry key
moritz.raabe@mandiant.com
persistence/registry/ginadll
persist via GinaDLL registry key
michael.hunhoff@fireye.com
persistence/service
persist via Windows service
moritz.raabe@mandiant.com
persistence/startup-folder
write file to startup folder
matthew.williams@mandiant.com, j.j.vannielen@utwente.nl
persistence/scheduled-tasks
schedule task via at
joren485
modified in the last week
persistence/file-system
persist via lnk shortcut
j.j.vannielen@utwente.nl
persistence/file-system
write to browser extension directory
j.j.vannielen@utwente.nl
persistence/file-system
persist via Windows Terminal Profile
j.j.vannielen@utwente.nl
persistence/file-system
persist via ErrorHandler script
j.j.vannielen@utwente.nl
persistence/file-system
persist via PowerShell profile
j.j.vannielen@utwente.nl
persistence/file-system
persist via Get-Variable hijack
j.j.vannielen@utwente.nl
persistence/file-system
persist via Windows accessibility tools
j.j.vannielen@utwente.nl
persistence/file-system
persist via iphlpapi DLL hijack
j.j.vannielen@utwente.nl
anti-analysis/anti-av
block operations on executable memory pages using Arbitrary Code Guard
jakub.jozwiak@mandiant.com
modified in the last month
linking/static/touchsocket
linked against TouchSocket
still@teamt5.org
runtime/dotnet
compiled with .NET AoT
still@teamt5.org
persistence
persist via BITS job
j.j.vannielen@utwente.nl
host-interaction/wmi
connect to WMI namespace via WbemLocator
michael.hunhoff@mandiant.com
linking/hooking
hook routines via microsoft detours
william.ballenthin@mandiant.com
persistence
persist via application shimming
j.j.vannielen@utwente.nl
collection
get Steam token
still@teamt5.org
collection/browser
get elevation service for Chromium-based browsers
still@teamt5.org
collection/browser
get Chrome CookieMonster
still@teamt5.org
persistence
persist via Print Processors registry key
j.j.vannielen@utwente.nl
modified in the last three months
host-interaction/registry/create
set registry value
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
host-interaction/file-system/move
move file
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
host-interaction/file-system/write
write file on Windows
william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/file-system/copy
copy file
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
host-interaction/file-system/write
set shadow password file entry on Linux
jonathanlepore@google.com
host-interaction/session
get password database entry on Linux
michael.hunhoff@mandiant.com, jonathanlepore@google.com
collection
get shadow password file entry on Linux
jonathanlepore@google.com
data-manipulation/encryption
create new key via CryptAcquireContext
chuong.dong@mandiant.com
host-interaction/process
get process filename
matthew.williams@mandiant.com
linking/runtime-linking
access PEB ldr_data
moritz.raabe@mandiant.com
anti-analysis/anti-vm/vm-detection
check for unmoving mouse cursor
BitsOfBinary
host-interaction/registry
open RecentDocs registry key
matthew.williams@mandiant.com
anti-analysis/packer/nmm-protect
packed with nmm-protect
william.ballenthin@mandiant.com
host-interaction/driver
complete processing asynchronous IO request
moritz.raabe@mandiant.com
host-interaction/os
hide shutdown actions via policy
still@teamt5.org
anti-analysis
execute syscall
@kulinacs, @mr-tz, mehunhoff@google.com, still@teamt5.org
linking/runtime-linking
populate SysWhispers2 syscall list
still@teamt5.org
host-interaction/firewall/modify
access firewall rule properties via INetFwRule
jakub.jozwiak@mandiant.com
host-interaction/firewall/modify
access firewall policy via INetFwPolicy2
jakub.jozwiak@mandiant.com
host-interaction/shortcut
interact with shortcut via IWshShortcut in .NET
mehunhoff@google.com
host-interaction/com
access unmanaged COM objects in .NET
mehunhoff@google.com
host-interaction/wsh
interact with Windows Scripting Host in .NET
mehunhoff@google.com
communication/websocket
use .NET library websocket-sharp
mehunhoff@google.com
host-interaction/ui/automation
implement UI automation client in .NET
mehunhoff@google.com
data-manipulation/json
use .NET library SimpleJSON
mehunhoff@google.com
check thread suspend count exceeded
ervinocampo@google.com
create thread bypassing process freeze
ervinocampo@google.com
host-interaction/network/traffic/filter
enumerate network filters via WFP API
jakub.jozwiak@mandiant.com
host-interaction/network/traffic/filter
delete network filter via WFP API
jakub.jozwiak@mandiant.com
linking/static/sqlite3
linked against SQLCipher
wballenthin@google.com
modified in the last year
host-interaction/hardware/firmware
get system firmware table
michael.hunhoff@mandiant.com
linking/static/minhook
linked against MinHook
jakub.jozwiak@mandiant.com
host-interaction/file-system/delete
delete file on Linux
mehunhoff@google.com
host-interaction/log/debug/write-event
print debug messages
michael.hunhoff@mandiant.com
calculate modulo 256 via x86 assembly
moritz.raabe@mandiant.com
anti-analysis/anti-forensic/self-deletion
self delete using alternate data streams
daniel.stepanic@elastic.co
data-manipulation/encoding/base64
decode data using Base64 via VBMI lookup table
still@teamt5.org
anti-analysis/anti-av
overwrite DLL .text section to remove hooks
jakub.jozwiak@mandiant.com
communication/socket
attach BPF to socket on Linux
jakub.jozwiak@mandiant.com
load-code/shellcode
execute shellcode via Windows callback function
ervin.ocampo@mandiant.com, jakub.jozwiak@mandiant.com, still@teamt5.org
communication/c2/file-transfer
upload file to OneDrive
jaredswilson@google.com, ervinocampo@google.com
load-code/dotnet
invoke .NET assembly method
anushka.virgaonkar@mandiant.com, mehunhoff@google.com
host-interaction/file-system/write
write file on Linux
joakim@intezer.com, mehunhoff@google.com
data-manipulation/encryption/hc-128
encrypt data using HC-128 via WolfSSL
blaine.stancill@mandiant.com
linking/runtime-linking
link function at runtime on Windows
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
anti-analysis
load packed DEX via Jiagu on Android
mehunhoff@google.com
host-interation/process
get current process memory mapping on Linux
mehunhoff@google.com
host-interaction/bypass
modify API blacklist or denylist via JNI on Android
mehunhoff@google.com
host-interaction/file-system/truncate
truncate file on Linux
mehunhoff@google.com
linking/hooking
hook routines via LSPlant
mehunhoff@google.com
host-interation/process
get system property on Android
mehunhoff@google.com
host-interaction/bypass
bypass hidden API restrictions via JNI on Android
mehunhoff@google.com
host-interation/process
get current process filesystem mounts on Linux
mehunhoff@google.com
host-interaction/process/create
create process on Linux
joakim@intezer.com, mehunhoff@google.com
host-interaction/gui
set application hook
michael.hunhoff@mandiant.com
collection/keylog
log keystrokes via application hook
michael.hunhoff@mandiant.com
compiler/dart
compiled with Dart
jakub.jozwiak@mandiant.com
host-interaction/gui/window/hide
hide graphical window from taskbar
jakub.jozwiak@mandiant.com
persistence
act as Time Provider DLL
jakub.jozwiak@mandiant.com
host-interaction/file-system
check file permission on Linux
mehunhoff@google.com
host-interaction/memory
map or unmap memory on Linux
mehunhoff@google.com
anti-analysis/anti-emulation/android
check if process is running under Android emulator on Android
mehunhoff@google.com
host-interaction/memory
change memory permission on Linux
mehunhoff@google.com
host-interaction/file-system
change file permission on Linux
joakim@intezer.com, mehunhoff@google.com
persistence
act as Share Provider DLL
jakub.jozwiak@mandiant.com
persistence
act as WinDbg extension
jakub.jozwiak@mandiant.com
data-manipulation/encryption/dpapi
encrypt data using DPAPI
william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com
compiler/go
compiled with Go
michael.hunhoff@mandiant.com
communication/socket
get socket information
michael.hunhoff@mandiant.com
communication/socket
create raw socket
blas.kojusner@mandiant.com
communication/socket
initialize Winsock library
michael.hunhoff@mandiant.com
communication/socket
get socket status
michael.hunhoff@mandiant.com
communication/socket
set socket configuration
michael.hunhoff@mandiant.com
communication/socket/send
send data on socket
moritz.raabe@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com
communication/socket/udp/send
create UDP socket
moritz.raabe@mandiant.com, joakim@intezer.com, michael.hunhoff@mandiant.com
communication/socket/receive
receive data on socket
moritz.raabe@mandiant.com, joakim@intezer.com, michael.hunhoff@mandiant.com
communication/socket/tcp
connect TCP socket
moritz.raabe@mandiant.com, joakim@intezer.com
communication/socket/tcp
create TCP socket
william.ballenthin@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com
communication/dns
resolve DNS
william.ballenthin@mandiant.com, johnk3r, joakim@intezer.com, michael.hunhoff@mandiant.com
host-interaction/process
get current PID on Linux
michael.hunhoff@mandiant.com
host-interaction/thread
set thread name on Linux
michael.hunhoff@mandiant.com
linking/runtime-linking
link function at runtime on Linux
joakim@intezer.com
host-interaction/mutex
lock file
joakim@intezer.com
host-interaction/mutex
lock semaphore on Linux
@ramen0x3f
host-interaction/mutex
unlock semaphore on Linux
@ramen0x3f
host-interaction/mutex
create semaphore on Linux
@ramen0x3f
host-interaction/thread/create
create thread
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com
host-interaction/file-system/files/list
enumerate files recursively
@_re_fox, anushka.virgaonkar@mandiant.com
host-interaction/file-system/files/list
enumerate files on Linux
william.ballenthin@mandiant.com
host-interaction/file-system/read
read file on Linux
joakim@intezer.com
host-interaction/session
get current user on Linux
joakim@intezer.com
host-interaction/hardware/memory
get memory information
joakim@intezer.com
duplicate stdin and stdout
joakim@intezer.com
delay execution
michael.hunhoff@mandiant.com, @ramen0x3f
linking/runtime-linking
link many functions at runtime
moritz.raabe@mandiant.com, joakim@intezer.com
data-manipulation/encryption/rc4
encrypt data using RC4 via SystemFunction033
daniel.stepanic@elastic.co
data-manipulation/encryption/salsa20
encrypt data using Salsa20 or ChaCha
moritz.raabe@mandiant.com
host-interaction/hardware/storage
unmount volume via IOCTL
william.ballenthin@mandiant.com
host-interaction/hardware/storage
get volume information via IOCTL
william.ballenthin@mandiant.com
impact/inhibit-system-recovery
resize volume shadow copy storage
michael.hunhoff@mandiant.com
host-interaction/hardware/storage
get disk information via IOCTL
william.ballenthin@mandiant.com
host-interaction/hardware/storage
get storage device properties
michael.hunhoff@mandiant.com
host-interaction/driver
install driver
moritz.raabe@mandiant.com
host-interaction/driver
interact with driver via IOCTL
moritz.raabe@mandiant.com
host-interaction/driver
unload driver
moritz.raabe@mandiant.com
host-interaction/hardware/storage
get disk size
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
impact/wipe-disk
delete drive layout via IOCTL
william.ballenthin@mandiant.com
host-interaction/process/inject
process ghostly hollowing
sara.rincon@mandiant.com
linking/static/hp-socket
linked against hp-socket
still@teamt5.org
data-manipulation/compression
create Cabinet on Windows
michael.hunhoff@mandiant.com, jakub.jozwiak@mandiant.com
collection/network
capture public ip
@_re_fox, still@teamt5.org
linking/hooking
hook routines via dlsym RTLD_NEXT
william.ballenthin@mandiant.com
host-interation/process
get current process file path
william.ballenthin@mandiant.com
host-interation/process
get current process command line
william.ballenthin@mandiant.com
collection/network
get MAC address in .NET
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, echernofsky@google.com
host-interaction/file-system/files/list
enumerate files in .NET
moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/file-system/files/list
enumerate files on Windows
moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
collection/network
get MAC address on Windows
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, echernofsky@google.com
host-interaction/hardware
enumerate devices by category
@mr-tz
host-interaction/thread/tls
allocate thread local storage
michael.hunhoff@mandiant.com
host-interaction/thread/tls
set thread local storage value
michael.hunhoff@mandiant.com
anti-analysis
reference analysis tools strings
michael.hunhoff@mandiant.com
allocate or change RW memory
0x534a@mailbox.org, @mr-tz
allocate memory
0x534a@mailbox.org, @mr-tz
change memory protection
@mr-tz
older
anti-analysis/anti-debugging/debugger-detection
check for debugger via API
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/file-system/read
read file via mapping
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via genuine state
@_re_fox
communication/socket
create VMCI socket
jakub.jozwiak@mandiant.com
create File Compression Interface context on Windows
michael.hunhoff@mandiant.com
create File Decompression Interface context on Windows
jakub.jozwiak@mandiant.com
data-manipulation/compression
extract Cabinet on Windows
jakub.jozwiak@mandiant.com
internal/limitation/file
(internal) packer file limitation
william.ballenthin@mandiant.com
data-manipulation/encryption/rc4
encrypt data using RC4 via SystemFunction032
richard.weiss@mandiant.com
collection/microphone
capture microphone audio in .NET on Android
michael.hunhoff@mandiant.com
host-interaction
check for outgoing call in .NET on Android
michael.hunhoff@mandiant.com
host-interaction/os/info
get OS version in .NET on Android
michael.hunhoff@mandiant.com
host-interaction/hardware/camera
access camera in .NET on Android
michael.hunhoff@mandiant.com
collection/screenshot
capture screenshot in .NET on Android
michael.hunhoff@mandiant.com
host-interaction
check for incoming call in .NET on Android
michael.hunhoff@mandiant.com
compiler/xamarin
compiled with Xamarin
michael.hunhoff@mandiant.com
executable/dotnet-singlefile
bundled with .NET single-file deployment
sara.rincon@mandiant.com
anti-analysis/anti-av
patch Antimalware Scan Interface function
jakub.jozwiak@mandiant.com
internal/limitation/file
(internal) .NET single file deployment limitation
sara.rincon@mandiant.com
data-manipulation/encoding
encode data using ADD XOR SUB operations
jakub.jozwiak@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check process job object
michael.hunhoff@mandiant.com
host-interaction/file-system/exists
check if file exists
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for protected handle exception
michael.hunhoff@mandiant.com
anti-analysis
inspect load icon resource
michael.hunhoff@mandiant.com
executable/pe
implement COM DLL
moritz.raabe@mandiant.com
data-manipulation/encoding/base58
reference Base58 string
william.ballenthin@mandiant.com
compiler/vb
compiled from Visual Basic
@williballenthin
host-interaction/service
run as service
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
collection/credit-card
parse credit card information
@_re_fox
collection/screenshot
capture screenshot via keybd event
@_re_fox
persistence
act as DHCP server callout DLL
jakub.jozwiak@mandiant.com
persistence
act as DNS server plugin DLL
jakub.jozwiak@mandiant.com
persistence
persist via IIS module
william.ballenthin@mandiant.com
persistence
persist via ISAPI extension
william.ballenthin@mandiant.com
persistence/office
act as Excel XLL add-in
jakub.jozwiak@mandiant.com
persistence/office
act as Word WLL add-in
jakub.jozwiak@mandiant.com
persistence/authentication-process
act as password filter DLL
jakub.jozwiak@mandiant.com
persistence/authentication-process
act as SubAuthentication Package DLL
jakub.jozwiak@mandiant.com
persistence/authentication-process
act as Security Support Provider DLL
jakub.jozwiak@mandiant.com
persistence/authentication-process
act as credential manager DLL
jakub.jozwiak@mandiant.com
validate payment card number using luhn algorithm with lookup table
@_re_fox
data-manipulation/hashing/md5
hash data with MD5
moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com
load-code/pe
enumerate PE sections
@Ana06, @mr-tz
host-interaction/session
get token privileges
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
check for sandbox via MAC address OUIs in .NET
jonathanlepore@google.com
anti-analysis/anti-debugging/debugger-detection
check for process debug object
michael.hunhoff@mandiant.com
collection/webcam
capture webcam video
@johnk3r
data-manipulation/hashing/ripemd128
hash data using RIPEMD128
raymond.leong@mandiant.com
compiler/perl2exe
compiled with perl2exe
@_re_fox
host-interaction/process/inject
allocate or change RWX memory
@mr-tz
host-interaction/process/modules/list
enumerate process modules
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/process/list
enumerate processes
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
host-interaction/clipboard
read clipboard data
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/service
continue service
@mr-tz
host-interaction/service
pause service
@mr-tz
host-interaction/service/stop
stop service
moritz.raabe@mandiant.com
host-interaction/thread/list
enumerate threads
moritz.raabe@mandiant.com
host-interaction/gui/window/get-text
get graphical window text
moritz.raabe@mandiant.com
host-interaction/file-system/delete
delete file
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
host-interaction/session
get session user name
moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/hardware/keyboard
simulate CTRL ALT DEL
michael.hunhoff@mandiant.com, johnk3r
collection/webcam
capture webcam image
johnk3r
linking/runtime-linking
resolve function by Brute Ratel Badger hash
jakub.jozwiak@mandiant.com
linking/runtime-linking
resolve function by FIN8 fasthash
@r3c0nst (Frank Boldewin)
communication/socket/tcp
create TCP socket via raw AFD driver
william.ballenthin@mandiant.com
communication/c2/shell
create reverse shell
moritz.raabe@mandiant.com
data-manipulation/compression
decompress data using QuickLZ
david@edeca.net
data-manipulation/hashing
hash data via WinCrypt
michael.hunhoff@mandiant.com
data-manipulation/hashing/sha1
hash data using SHA1
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, william.ballenthin@mandiant.com
collection/screenshot
capture screenshot
moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com
anti-analysis/anti-forensic/clear-logs
clear Windows event logs
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-evasion
hide thread from debugger
michael.hunhoff@mandiant.com, jakub.jozwiak@mandiant.com
host-interaction/gui
set global application hook
michael.hunhoff@mandiant.com
data-manipulation/encryption
decrypt data via SSPI
matthew.williams@mandiant.com
host-interaction/hardware/monitor
power down monitor
michael.hunhoff@mandiant.com
communication/http/client
make an HTTP request with a Cookie
anamaria.martinezgom@mandiant.com
host-interaction/hardware
register raw input devices
michael.hunhoff@mandiant.com
host-interaction/accounts
add user account
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check ProcessDebugFlags
michael.hunhoff@mandiant.com
host-interaction/accounts
list user accounts
michael.hunhoff@mandiant.com
communication/http/server
register HTTP server URL
michael.hunhoff@mandiant.com
collection
enumerate device drivers on Windows
@mr-tz
collection/network
capture network configuration via ifconfig
joakim@intezeer.com
runtime
unmanaged call
michael.hunhoff@mandiant.com
impact/inhibit-system-recovery
disable automatic Windows recovery features
michael.hunhoff@mandiant.com
host-interaction/process
get process image filename
michael.hunhoff@mandiant.com
host-interaction/accounts
delete user account group
michael.hunhoff@mandiant.com
host-interaction/sid
compare security identifiers
michael.hunhoff@mandiant.com
host-interaction/container/docker
create container
william.ballenthin@mandiant.com
data-manipulation/compression
create zip archive in .NET
michael.hunhoff@mandiant.com
host-interaction/accounts
list groups for user account
michael.hunhoff@mandiant.com
data-manipulation/compression
extract zip archive in .NET
anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com
host-interaction/network/proxy
get proxy
moritz.raabe@mandiant.com
communication
query remote server for available data
michael.hunhoff@mandiant.com
impact/inhibit-system-recovery
delete Windows backup catalog
michael.hunhoff@mandiant.com
host-interaction/accounts
change user account password
michael.hunhoff@mandiant.com
host-interaction/firewall
interact with iptables
joakim@intezer.com
host-interaction/kernel
communicate with kernel module via Netlink socket on Linux
michael.hunhoff@mandiant.com
host-interaction/file-system
get file system information on Linux
michael.hunhoff@mandiant.com
data-manipulation/hashing/md4
hash data using MD4
anamaria.martinezgom@mandiant.com
host-interaction/process/list
enumerate processes via procfs
joakim@intezer.com
anti-analysis/anti-vm/vm-detection
check for windows sandbox via subdirectory
echernofsky@google.com
anti-analysis/anti-debugging/debugger-detection
check SystemKernelDebuggerInformation
michael.hunhoff@mandiant.com
collection/network
get MAC address on Linux
joakim@intezer.com
host-interaction/clipboard
monitor clipboard content
michael.hunhoff@mandiant.com
data-manipulation/encryption
get client handle via SChannel
matthew.williams@mandiant.com
data-manipulation/encryption
get remote cert context via SChannel
matthew.williams@mandiant.com
data-manipulation/encryption
get inbound credentials handle via CredSSP
matthew.williams@mandiant.com
communication/http
parse URL
michael.hunhoff@mandiant.com
host-interaction/domain
list domain servers
michael.hunhoff@mandiant.com
data-manipulation/hashing/sha1
hash data using SHA1 via WinCrypt
michael.hunhoff@mandiant.com
host-interaction/accounts
list user account groups
michael.hunhoff@mandiant.com
collection
collect ssh keys
joakim@intezer.com
communication/http
get HTTP request URI
william.ballenthin@mandiant.com
host-interaction/accounts
delete user account from group
michael.hunhoff@mandiant.com
host-interaction/accounts
add user account to group
michael.hunhoff@mandiant.com
collection/network
list TCP connections and listeners
michael.hunhoff@mandiant.com
communication/rpc/server
listen for remote procedure calls
michael.hunhoff@mandiant.com
host-interaction/accounts
delete user account
michael.hunhoff@mandiant.com
host-interaction/container/docker
build Docker image
william.ballenthin@mandiant.com
host-interaction/accounts
add user account group
michael.hunhoff@mandiant.com
host-interaction/thread
mark thread detached on Linux
michael.hunhoff@mandiant.com
host-interaction/network/address
monitor local IPv4 address changes
michael.hunhoff@mandiant.com
communication/http
send HTTP request with Host header
anamaria.martinezgom@mandiant.com
host-interaction/accounts
list user accounts for group
michael.hunhoff@mandiant.com
host-interaction/container/docker
run in container
william.ballenthin@mandiant.com
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via mutex
@_re_fox
host-interaction/container/docker
list containers
william.ballenthin@mandiant.com
data-manipulation/encryption
encrypt data via SSPI
matthew.williams@mandiant.com
collection/network
list UDP connections and listeners
michael.hunhoff@mandiant.com
persistence
persist via GNOME autostart on Linux
michael.hunhoff@mandiant.com
compiler/py2exe
compiled with py2exe
@_re_fox
host-interaction/process
get process heap force flags
michael.hunhoff@mandiant.com
host-interaction/process
get process heap flags
michael.hunhoff@mandiant.com
host-interaction/process/dump
create process memory minidump
michael.hunhoff@mandiant.com
host-interaction/process/create
create process on Windows
moritz.raabe@mandiant.com
host-interaction/process/create
create process suspended
william.ballenthin@mandiant.com
host-interaction/process/list
enumerate processes via NtQuerySystemInformation
@_re_fox
host-interaction/process/list
get Explorer PID
michael.hunhoff@mandiant.com
host-interaction/process/terminate
terminate process
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/process/terminate
terminate process via kill
joakim@intezer.com
host-interaction/process/modify
acquire debug privileges
william.ballenthin@mandiant.com
host-interaction/filter
register minifilter driver
michael.hunhoff@mandiant.com
host-interaction/filter
start minifilter driver
michael.hunhoff@mandiant.com
host-interaction/mutex
check mutex
moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/thread/resume
resume thread
0x534a@mailbox.org, anushka.virgaonkar@mandiant.com
host-interaction/thread/suspend
suspend thread
0x534a@mailbox.org, anushka.virgaonkar@mandiant.com
host-interaction/thread/terminate
terminate thread
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
host-interaction/gui/logon
references logon banner
@_re_fox
host-interaction/gui/window/hide
hide graphical window
michael.hunhoff@mandiant.com
host-interaction/gui/session
change the wallpaper
@_re_fox
host-interaction/gui/taskbar/find
find taskbar
moritz.raabe@mandiant.com
host-interaction/cli
resolve path using msvcrt
@_re_fox
host-interaction/environment-variable
get COMSPEC environment variable
matthew.williams@mandiant.com
host-interaction/os/version
get Linux distribution
joakim@intezer.com
host-interaction/file-system
get file system object information
michael.hunhoff@mandiant.com
host-interaction/file-system
| Namespace | Rule | Authors |
|---|---|---|
| | get Program Files directory | moritz.raabe@mandiant.com |
| host-interaction/file-system | reference absolute stream path on Windows | blas.kojusner@mandiant.com, william.ballenthin@mandiant.com |
| host-interaction/file-system | get Windows directory from KUSER_SHARED_DATA | david.cannings@pwc.com |
| host-interaction/file-system/read | read file on Windows | moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/file-system/windows-file-protection | bypass Windows File Protection | michael.hunhoff@mandiant.com |
| host-interaction/file-system/meta | set file attributes | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/file-system/meta | get file attributes | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/bootloader | disable code signing | william.ballenthin@mandiant.com |
| host-interaction/session | get user security identifier | michael.hunhoff@mandiant.com |
| host-interaction/hardware/cpu | get CPU information | moritz.raabe@mandiant.com, joakim@intezer.com |
| collection | acquire credentials from Windows Credential Manager | moritz.raabe@mandiant.com |
| collection/network | capture network configuration via ipconfig | @_re_fox |
| persistence | persist via .desktop autostart | joakim@intezer.com |
| persistence | persist via shell profile or rc file | joakim@intezer.com |
| persistence/registry/appinitdlls | disable AppInit_DLLs code signature enforcement | william.ballenthin@fireye.com |
| persistence/service | persist via rc script | joakim@intezer.com |
| persistence/startup-folder | get startup folder | matthew.williams@mandiant.com |
| | get OS version | @mr-tz |
| | open process | 0x534a@mailbox.org |
| | create or open file | michael.hunhoff@mandiant.com, joakim@intezer.com |
| | open thread | 0x534a@mailbox.org |
| | create or open registry key | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| anti-analysis/anti-av | check for sandbox and av modules | @_re_fox |
| anti-analysis/anti-av | protect spawned processes with mitigation policies | jakub.jozwiak@mandiant.com |
| anti-analysis/anti-forensic | spoof parent PID | michael.hunhoff@mandiant.com |
| anti-analysis/anti-forensic | crash the Windows event logging service | michael.hunhoff@mandiant.com |
| anti-analysis/obfuscation/string/stackstring | contain obfuscated stackstrings | moritz.raabe@mandiant.com |
| anti-analysis/anti-vm/vm-detection | check for Windows sandbox via device | @_re_fox |
| anti-analysis/anti-vm/vm-detection | check for Windows sandbox via process name | @_re_fox |
| anti-analysis/anti-debugging/debugger-detection | check for unexpected memory writes | michael.hunhoff@mandiant.com |
| anti-analysis/anti-debugging/debugger-detection | check for OutputDebugString error | michael.hunhoff@mandiant.com |
| anti-analysis/anti-debugging/debugger-detection | check ProcessDebugPort | michael.hunhoff@mandiant.com |
| anti-analysis/packer/generic | packed with generic packer | william.ballenthin@mandiant.com |
| communication | send data | william.ballenthin@mandiant.com, joakim@intezer.com |
| communication | receive data | william.ballenthin@mandiant.com |
| communication/named-pipe/write | write pipe | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com |
| communication/ip | convert IP address from string | @mr-tz |
| communication/tcp/serve | start TCP server | william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com |
| communication/tcp/client | act as TCP client | william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com |
| communication/http | get HTTP content length | william.ballenthin@mandiant.com |
| communication/http/client | send file via HTTP | matthew.williams@mandiant.com |
| communication/http/client | get HTTP response content encoding | matthew.williams@mandiant.com |
| communication/http/client | send HTTP request | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com |
| data-manipulation/encoding/base64 | encode data using Base64 | moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com |
| data-manipulation/encoding/base64 | decode data using Base64 via WinAPI | michael.hunhoff@mandiant.com |
| data-manipulation/encoding/base64 | encode data using Base64 via WinAPI | moritz.raabe@mandiant.com |
| data-manipulation/checksum/luhn | validate payment card number using luhn algorithm | @_re_fox |
| data-manipulation/encryption | get outbound credentials handle via CredSSP | matthew.williams@mandiant.com |
| data-manipulation/prng | generate random numbers via RtlGenRandom | william.ballenthin@mandiant.com, richard.weiss@mandiant.com |
| load-code/dotnet | load Windows Common Language Runtime | michael.hunhoff@mandiant.com, blas.kojusner@mandiant.com, jakub.jozwiak@mandiant.com |
| host-interaction/file-system/move | move directory | michael.hunhoff@mandiant.com |
| executable/imprec | rebuilt by ImpRec | william.ballenthin@mandiant.com |
| host-interaction/network | enumerate network shares | michael.hunhoff@mandiant.com |
| anti-analysis/packer/simple-pack | packed with Simple Pack | william.ballenthin@mandiant.com |
| host-interaction/memory | manipulate unmanaged memory in .NET | michael.hunhoff@mandiant.com |
| data-manipulation/hashing/md5 | authenticate data with MD5-MAC | william.ballenthin@mandiant.com |
| data-manipulation/encryption/aes | encrypt data using AES via x86 extensions | moritz.raabe@mandiant.com |
| data-manipulation/hashing/murmur | hash data using murmur2 | william.ballenthin@mandiant.com |
| anti-analysis/anti-vm/vm-detection | reference processor manufacturer constants | matthew.williams@mandiant.com |
| linking/static/jsoncpp | linked against CPP JSON library | @mr-tz |
| linking/static/crypto | linked against libsodium | @mr-tz |
| data-manipulation/hashing/ripemd256 | hash data using RIPEMD256 | raymond.leong@mandiant.com |
| communication/dns | reference AliDNS DNS server | william.ballenthin@mandiant.com |
| data-manipulation/hashing | hash data via BCrypt | michael.hunhoff@mandiant.com |
| communication/dns | reference Verisign DNS server | william.ballenthin@mandiant.com |
| data-manipulation/json | serialize JSON in .NET | michael.hunhoff@mandiant.com |
| compiler/epl | compiled from EPL | william.ballenthin@mandiant.com |
| anti-analysis/packer/mpress | packed with Mpress | william.ballenthin@mandiant.com |
| executable/pe/section/tls | contain a thread local storage (.tls) section in .NET | michael.hunhoff@mandiant.com |
| anti-analysis/packer/vprotect | packed with VProtect | william.ballenthin@mandiant.com |
| data-manipulation/encryption/rsa | encrypt data using RSA | michael.hunhoff@mandiant.com |
| executable/installer/installshield | packaged as an InstallShield installer | moritz.raabe@mandiant.com |
| anti-analysis/packer/pepack | packed with Pepack | william.ballenthin@mandiant.com |
| data-manipulation/prng | generate random numbers in .NET | anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com |
| data-manipulation/hashing | initialize hashing via WinCrypt | michael.hunhoff@mandiant.com |
| executable/installer/createinstall | packaged as a CreateInstall installer | william.ballenthin@mandiant.com |
| collection/credit-card | search for credit card data | matthew.williams@mandiant.com |
| host-interaction/user | manipulate user privileges | michael.hunhoff@mandiant.com |
| communication/http | set web proxy in .NET | michael.hunhoff@mandiant.com |
| host-interaction/file-system | generate random filename in .NET | michael.hunhoff@mandiant.com |
| communication/dns | reference kornet DNS server | william.ballenthin@mandiant.com |
| host-interaction/gui | display service notification message box | anushka.virgaonkar@mandiant.com |
| host-interaction/registry | create registry key via StdRegProv | michael.hunhoff@mandiant.com |
| linking/static/cppregex | linked against CPP regex library | william.ballenthin@mandiant.com |
| communication/http | set HTTP User-Agent in .NET | michael.hunhoff@mandiant.com |
| anti-analysis/packer/dragon-armor | packed with Dragon Armor | william.ballenthin@mandiant.com |
| host-interaction/log/clfs/append | append data to CLFS log container | blaine.stancill@mandiant.com |
| host-interaction/browser/history/list | enumerate browser history | michael.hunhoff@mandiant.com |
| anti-analysis/packer/rpcrypt | packed with RPCrypt | william.ballenthin@mandiant.com |
| communication/http/client | send request in .NET | anushka.virgaonakr@mandiant.com |
| linking/runtime-linking | resolve function by hash | william.ballenthin@mandiant.com |
| host-interaction/file-system/exists | check if directory exists | michael.hunhoff@mandiant.com |
| anti-analysis/packer/starforce | packed with StarForce | william.ballenthin@mandiant.com |
| host-interaction/memory | allocate unmanaged memory in .NET | michael.hunhoff@mandiant.com |
| executable/installer/nsis | packaged as a NSIS installer | moritz.raabe@mandiant.com |
| host-interaction/process/terminate | terminate process by name in .NET | anushka.virgaonkar@mandiant.com |
| anti-analysis/anti-vm/vm-detection | reference the VMWare IO port | matthew.williams@mandiant.com |
| data-manipulation/hashing/aphash | hash data using aphash | @_re_fox |
| data-manipulation/hashing/sha512 | hash data using SHA512Managed in .NET | jonathanlepore@google.com |
| communication/dns | reference Quad9 DNS server | william.ballenthin@mandiant.com |
| executable/installer/winzip | packaged as a WinZip self-extracting archive | william.ballenthin@mandiant.com |
| data-manipulation/hashing/rshash | hash data using rshash | @_re_fox |
| host-interaction/file-system | check file extension in .NET | michael.hunhoff@mandiant.com |
| host-interaction/os/version | get OS version in .NET | michael.hunhoff@mandiant.com |
| data-manipulation/encryption/aes | encrypt data using AES | william.ballenthin@mandiant.com, Ivan Kwiatkowski (@JusticeRage) |
| executable/pe/debug | debug build | william.ballenthin@mandiant.com |
| data-manipulation/encryption/rsa | encrypt data using OpenSSL RSA | Ana06 |
| anti-analysis/packer/mew | packed with MEW | william.ballenthin@mandiant.com |
| communication/http | set HTTP cookie | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| anti-analysis/anti-vm/vm-detection | check for minimum number of windows on screen | echernofsky@google.com |
| host-interaction/gui/window-station | migrate process to active window station | william.ballenthin@mandiant.com |
| communication/http | get system web proxy | michael.hunhoff@mandiant.com |
| persistence/startup-folder | reference startup folder | matthew.williams@mandiant.com |
| host-interaction/process/terminate | terminate process by name | william.ballenthin@mandiant.com |
| communication/authentication | manipulate network credentials in .NET | michael.hunhoff@mandiant.com |
| anti-analysis/packer/ccg | packed with CCG | william.ballenthin@mandiant.com |
| host-interaction/process/inject | add value to global atom table | @mr-tz |
| anti-analysis/packer/perplex | packed with Perplex | william.ballenthin@mandiant.com |
| load-code/dotnet | load .NET assembly | anushka.virgaonkar@mandiant.com |
| host-interaction/registry | set registry value via StdRegProv | michael.hunhoff@mandiant.com |
| anti-analysis/anti-vm/vm-detection | check license value | michael.hunhoff@mandiant.com |
| data-manipulation/encoding/base64 | decode data using Base64 in .NET | michael.hunhoff@mandiant.com |
| collection | save image in .NET | michael.hunhoff@mandiant.com |
| host-interaction/process | create Restart Manager session | michael.hunhoff@mandiant.com |
| linking/runtime-linking | resolve function by FNV-1a hash | still@teamt5.org |
| linking/static/xzip | linked against XZip | moritz.raabe@mandiant.com |
| load-code/dotnet | execute .NET assembly | anushka.virgaonkar@mandiant.com |
| host-interaction/internet/cache | delete internet cache | michael.hunhoff@mandiant.com |
| anti-analysis/packer/procrypt | packed with ProCrypt | william.ballenthin@mandiant.com |
| communication/dns | reference OpenDNS DNS server | william.ballenthin@mandiant.com |
| linking/static/httplib | linked against CPP HTTP library | @mr-tz |
| data-manipulation/encryption/dsa | encrypt data using OpenSSL DSA | Ana06 |
| anti-analysis/anti-debugging/debugger-detection | check thread yield allowed | michael.hunhoff@mandiant.com |
| data-manipulation/hashing/ripemd320 | hash data using RIPEMD320 | raymond.leong@mandiant.com |
| collection/credentials | prompt user for credentials | michael.hunhoff@mandiant.com |
| host-interaction/registry | query or enumerate registry value via StdRegProv | michael.hunhoff@mandiant.com |
| anti-analysis/packer/tsuloader | packed with TSULoader | william.ballenthin@mandiant.com |
| anti-analysis/packer/maskpe | packed with MaskPE | william.ballenthin@mandiant.com |
| host-interaction/process | get thread local storage value | michael.hunhoff@mandiant.com |
| executable/pintool | packaged as a Pintool | william.ballenthin@mandiant.com |
| host-interaction/registry | delete registry key via offline registry library | johnk3r |
| data-manipulation/regex | find data using regex in .NET | michael.hunhoff@mandiant.com |
| load-code/dotnet | compile .NET assembly | anushka.virgaonkar@mandiant.com |
| data-manipulation/encryption | encrypt data using FAKEM cipher | michael.hunhoff@mandiant.com |
| anti-analysis/packer/wwpack | packed with WWPACK | william.ballenthin@mandiant.com |
| data-manipulation/encryption/ecdsa | encrypt data using OpenSSL ECDSA | Ana06 |
| host-interaction/hardware/keyboard | send keystrokes | anushka.virgaonkar@mandiant.com |
| communication/dns | reference Comodo Secure DNS server | william.ballenthin@mandiant.com |
| host-interaction/console | manipulate console window | michael.hunhoff@mandiant.com |
| host-interaction/registry | delete registry value via StdRegProv | michael.hunhoff@mandiant.com |
| data-manipulation/encryption/rsa | decrypt data using RSA | michael.hunhoff@mandiant.com |
| data-manipulation/hashing/sha256 | hash data using sha256 via x86 extensions | @_re_fox |
| communication/dns | reference Google Public DNS server | william.ballenthin@mandiant.com |
| host-interaction/file-system | set current directory | michael.hunhoff@mandiant.com |
| data-manipulation/prng/lcg | generate random numbers using the Delphi LCG | william.ballenthin@mandiant.com |
| runtime/dotnet | unmanaged call via dynamic PInvoke in .NET | michael.hunhoff@mandiant.com |
| host-interaction/os/info | get system information on Linux | joakim@intezer.com, michael.hunhoff@mandiant.com |
| host-interaction/wmi | create process via WMI in .NET | anushka.virgaonkar@mandiant.com |
| load-code/dotnet | generate method via reflection in .NET | michael.hunhoff@mandiant.com |
| persistence/scheduled-tasks | schedule task via ITaskService | michael.hunhoff@mandiant.com |
| anti-analysis/obfuscation | obfuscated with KoiVM | michael.hunhoff@mandiant.com |
| host-interaction/registry | delete registry key via StdRegProv | michael.hunhoff@mandiant.com |
| host-interaction/network | get networking parameters | michael.hunhoff@mandiant.com |
| communication/dns | reference Cloudflare DNS server | william.ballenthin@mandiant.com |
| load-code/pe | enumerate PE sections in .NET | @mr-tz |
| load-code/shellcode | execute shellcode via indirect call | ronnie.salomonsen@mandiant.com |
| anti-analysis/packer/shrinker | packed with Shrinker | william.ballenthin@mandiant.com |
| host-interaction/network/routing-table | get routing table | michael.hunhoff@mandiant.com |
| host-interaction/clipboard | check clipboard data | anushka.virgaonkar@mandiant.com |
| collection/screenshot | capture screenshot in Go | joakim@intezer.com |
| communication/http/client | send data to Internet | michael.hunhoff@mandiant.com |
| anti-analysis/packer/epack | packed with Epack | william.ballenthin@mandiant.com |
| anti-analysis/anti-vm/vm-detection | check for VM using instruction VPCEXT | richard.weiss@mandiant.com |
| data-manipulation/xml | load XML in .NET | michael.hunhoff@mandiant.com |
| data-manipulation/database/sql | execute SQLite statement in .NET | michael.hunhoff@mandiant.com |
| communication/c2/file-transfer | read and send data from client to server | william.ballenthin@mandiant.com |
| communication/dns | reference 114DNS DNS server | william.ballenthin@mandiant.com |
| host-interaction/file-system | read raw disk data | william.ballenthin@mandiant.com |
| host-interaction/process | enumerate processes that use resource | @Ana06 |
| data-manipulation/encoding/xor | covertly decode and write data to Windows directory using indirect calls | dan.kelly@mandiant.com |
| host-interaction/clipboard | clear clipboard data | anushka.virgaonkar@mandiant.com |
| host-interaction/uac/bypass | bypass UAC via scheduled task environment variable | anamaria.martinezgom@mandiant.com |
| host-interaction/registry | query or enumerate registry key via StdRegProv | michael.hunhoff@mandiant.com |
| communication/dns | reference L3 DNS server | william.ballenthin@mandiant.com |
| host-interaction/hardware/storage | enumerate disk volumes | michael.hunhoff@mandiant.com |
| collection/keylog | log keystrokes via raw input data | michael.hunhoff@mandiant.com |
| host-interaction/hardware/firmware | enumerate system firmware tables | michael.hunhoff@mandiant.com |
| communication/smtp/send | send email in .NET | michael.hunhoff@mandiant.com |
| compiler/exescript | compiled with ExeScript | jonathanlepore@google.com |
| load-code/dotnet/vb | compile Visual Basic in .NET | michael.hunhoff@mandiant.com |
| host-interaction/thread/timer | execute via timer in .NET | michael.hunhoff@mandiant.com |
| anti-analysis/packer/neolite | packed with Neolite | william.ballenthin@mandiant.com |
| anti-analysis/packer/crunch | packed with Crunch | william.ballenthin@mandiant.com |
| data-manipulation/encryption/aes | reference AES constants | william.ballenthin@mandiant.com |
| communication/dns | reference Hurricane Electric DNS server | william.ballenthin@mandiant.com |
| communication/sms | send SMS on Android | @mr-tz |
| impact/cryptocurrency | reference cryptocurrency strings | moritz.raabe@mandiant.com |
| host-interaction/thread/task | execute via asynchronous task in .NET | michael.hunhoff@mandiant.com |
| host-interaction/process | read process memory | matthew.williams@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com |
| data-manipulation/hashing/sha1 | hash data using sha1 via x86 extensions | @_re_fox |
| runtime | mixed mode | michael.hunhoff@mandiant.com |
| data-manipulation/hashing/whirlpool | hash data using Whirlpool | william.ballenthin@mandiant.com |
| executable/resource | linked against Go static asset library | joakim@intezer.com |
| linking/runtime-linking | resolve function by djb2 hash | still@teamt5.org |
| host-interaction/wmi | access WMI data in .NET | michael.hunhoff@mandiant.com |
| data-manipulation/checksum/crc32 | hash data using CRC32b | moritz.raabe@mandiant.com |
| load-code/dotnet/csharp | compile CSharp in .NET | michael.hunhoff@mandiant.com |
| host-interaction/internet/cache | enumerate internet cache | michael.hunhoff@mandiant.com |
| anti-analysis/packer/enigma | packed with enigma | william.ballenthin@mandiant.com |
| communication/c2/file-transfer | receive and write data from server to client | william.ballenthin@mandiant.com |
| executable/installer/wiseinstall | packaged as a Wise installer | moritz.raabe@mandiant.com |
| data-manipulation/compression | compress data using GZip in .NET | michael.hunhoff@mandiant.com |
| anti-analysis/packer/svkp | packed with SVKP | william.ballenthin@mandiant.com |
| anti-analysis/anti-debugging | destroy software breakpoint capability | echernofsky@google.com |
| host-interaction/bootloader | enable safe mode boot | william.ballenthin@mandiant.com |
| host-interaction/file-system | enumerate drives | michael.hunhoff@mandiant.com |
| data-manipulation/encryption | encrypt or decrypt data via BCrypt | michael.hunhoff@mandiant.com |
| collection/keylog | log keystrokes via Input Method Manager | @mr-tz |
| collection | enumerate device drivers on Linux | @mr-tz |
| host-interaction/recycle-bin | empty the recycle bin | moritz.raabe@mandiant.com |
| host-interaction/process/dump | capture process snapshot data | @mr-tz |
| host-interaction/session | get session information | michael.hunhoff@mandiant.com |
| host-interaction/process/list | linked against Go process enumeration library | joakim@intezer.com |
| collection/database/wmi | linked against Go WMI library | joakim@intezer.com |
| communication/http | connect network resource | michael.hunhoff@mandiant.com |
| data-manipulation/prng | generate random bytes in .NET | michael.hunhoff@mandiant.com |
| host-interaction/registry | linked against Go registry library | joakim@intezer.com |
| data-manipulation/hashing/jshash | hash data using jshash | @_re_fox |
| host-interaction/os/version | get OS information via KUSER_SHARED_DATA | @mr-tz |
| host-interaction/user | impersonate user | michael.hunhoff@mandiant.com |
| linking/runtime-linking | get ntoskrnl base address | @mr-tz |
| executable/hooked/api-override | hooked by API Override | william.ballenthin@mandiant.com |
| data-manipulation/encoding/url | decode data using URL encoding | michael.hunhoff@mandiant.com |
| anti-analysis/packer/seausfx | packed with SeauSFX | william.ballenthin@mandiant.com |
| host-interaction/process/list | find process by name | anushka.virgaonkar@mandiant.com |
| data-manipulation/json | deserialize JSON in .NET | michael.hunhoff@mandiant.com |
| host-interaction/clipboard | list drag and drop files | michael.hunhoff@mandiant.com |
| compiler/zig | compiled with Zig | jakub.jozwiak@mandiant.com |
| compiler/pyarmor | compiled with pyarmor | @stvemillertime, @itreallynick |
| compiler/autohotkey | compiled with AutoHotKey | awillia2@cisco.com |
| compiler/v | compiled with V | jakub.jozwiak@mandiant.com |
| compiler/mingw | compiled with MinGW for Windows | william.ballenthin@mandiant.com |
| compiler/nuitka | compiled with nuitka | @williballenthin, @mr-tz |
| compiler/exe4j | compiled with exe4j | johnk3r |
| compiler/autoit | compiled with AutoIt | william.ballenthin@mandiant.com |
| compiler/ps2exe | compiled with ps2exe | @_re_fox, jakub.jozwiak@mandiant.com |
| compiler/nim | compiled with Nim | michael.hunhoff@mandiant.com |
| compiler/d | compiled with dmd | @_re_fox |
| compiler/cx_freeze | compiled with cx_Freeze | @mr-tz, jakub.jozwiak@mandiant.com |
| compiler/delphi | compiled with Borland Delphi | william.ballenthin@mandiant.com, @mr-tz |
| compiler/rust | compiled with rust | @_re_fox, william.ballenthin@mandiant.com |
| malware-family/plugx | match known PlugX module | still@teamt5.org |
| executable/resource | access .NET resource | @mr-tz |
| executable/resource | embed dependencies as resources using Fody/Costura | @johnk3r, @mr-tz |
| executable/resource | extract resource via kernel32 functions | william.ballenthin@mandiant.com |
| executable/subfile/pe | contain an embedded PE file | moritz.raabe@mandiant.com |
| executable/dotnet-singlefile | packaged as single-file .NET application | michael.hunhoff@mandiant.com |
| executable/pe/section/tls | contain a thread local storage (.tls) section | michael.hunhoff@mandiant.com |
| executable/pe/pdb | contains PDB path | moritz.raabe@mandiant.com |
| executable/pe/export | forwarded export | ronnie.salomonsen@mandiant.com |
| executable/installer/iexpress | packaged as an IExpress self-extracting archive | awillia2@cisco.com |
| executable/installer/inno-setup | packaged as an Inno Setup installer | awillia2@cisco.com |
| host-interaction/registry | query or enumerate registry value | william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/registry | query or enumerate registry key | michael.hunhoff@mandiant.com |
| host-interaction/registry | query registry key via offline registry library | johnk3r |
| host-interaction/registry | open registry key via offline registry library | johnk3r |
| host-interaction/registry | create registry key via offline registry library | johnk3r |
| host-interaction/registry | set registry key via offline registry library | johnk3r |
| host-interaction/registry/delete | delete registry key | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r |
| host-interaction/registry/delete | delete registry value | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/firewall/modify | access firewall settings via INetFwMgr | moritz.raabe@mandiant.com |
| host-interaction/software | get installed programs | moritz.raabe@mandiant.com, @_re_fox |
| host-interaction/uac/bypass | bypass UAC via AppInfo ALPC | richard.cole@mandiant.com |
| host-interaction/uac/bypass | bypass UAC via ICMLuaUtil | anamaria.martinezgom@mandiant.com |
| host-interaction/uac/bypass | bypass UAC via RPC | david.cannings@pwc.com, david@edeca.net |
| host-interaction/uac/bypass | bypass UAC via token manipulation | richard.cole@mandiant.com, david.cannings@pwc.com |
| host-interaction/process | map section object | william.ballenthin@mandiant.com |
| host-interaction/process/inject | use process replacement | william.ballenthin@mandiant.com |
| host-interaction/process/inject | inject shellcode using a file mapping object | jakub.jozwiak@mandiant.com |
| host-interaction/process/inject | free user process memory | michael.hunhoff@mandiant.com |
| host-interaction/process/inject | inject dll | 0x534a@mailbox.org |
| host-interaction/process/inject | inject thread | anamaria.martinezgom@mandiant.com, 0x534a@mailbox.org |
| host-interaction/process/inject | use process Doppelgänging | moritz.raabe@mandiant.com |
| host-interaction/process/inject | hijack thread execution | 0x534a@mailbox.org, michael.hunhoff@mandiant.com |
| host-interaction/process/inject | inject pe | 0x534a@mailbox.org |
| host-interaction/process/inject | attach user process memory | michael.hunhoff@mandiant.com |
| host-interaction/process/inject | inject shellcode using extra window memory | jakub.jozwiak@mandiant.com |
| host-interaction/process/inject | inject shellcode using window subclass procedure | jakub.jozwiak@mandiant.com |
| host-interaction/process/inject | inject APC | william.ballenthin@mandiant.com |
| host-interaction/process/inject | allocate user process RWX memory | michael.hunhoff@mandiant.com |
| host-interaction/process/create | create a process with modified I/O handles and window | matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/process/create | execute command | @mr-tz |
| host-interaction/process/list | find process by PID | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/process/list | enumerate processes on remote desktop session host | michael.hunhoff@mandiant.com |
| host-interaction/process/modify | modify access privileges | moritz.raabe@mandiant.com |
| host-interaction/clipboard | write clipboard data | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/clipboard | open clipboard | michael.hunhoff@mandiant.com |
| host-interaction/filter | enumerate minifilter drivers | aseel.kayal@mandiant.com |
| host-interaction/mutex | create mutex | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/mutex | check mutex and exit | @_re_fox, moritz.raabe@mandiant.com |
| host-interaction/driver | create device object | @mr-tz |
| host-interaction/driver | disable driver code integrity | william.ballenthin@mandiant.com |
| host-interaction/service | query service status | michael.hunhoff@mandiant.com |
| host-interaction/service | query service configuration | @mr-tz |
| host-interaction/service/delete | delete service | moritz.raabe@mandiant.com |
| host-interaction/service/create | create service | moritz.raabe@mandiant.com |
| host-interaction/service/list | enumerate services | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/service/start | start service | moritz.raabe@mandiant.com |
| host-interaction/service/modify | modify service | moritz.raabe@mandiant.com |
| host-interaction/log/winevt/access | access the Windows event log | moritz.raabe@mandiant.com |
| host-interaction/log/clfs/read | read data from CLFS log container | blaine.stancill@mandiant.com |
| host-interaction/gui | enumerate gui resources | johnk3r, anushka.virgaonkar@mandiant.com |
| host-interaction/gui | switch active desktop | jakub.jozwiak@mandiant.com |
| host-interaction/gui/console | set console window title | michael.hunhoff@mandiant.com |
| host-interaction/gui/window/find | find graphical window | moritz.raabe@mandiant.com |
| host-interaction/gui/session/lock | lock the desktop | michael.hunhoff@mandiant.com |
| host-interaction/gui/taskbar/hide | hide the Windows taskbar | michael.hunhoff@mandiant.com |
| host-interaction/cli | accept command line arguments | moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/memory | create new application domain in .NET | jakub.jozwiak@mandiant.com |
| host-interaction/environment-variable | set environment variable | michael.hunhoff@mandiant.com |
| host-interaction/environment-variable | query environment variable | michael.hunhoff@mandiant.com, @_re_fox |
| host-interaction/network/domain | enumerate domain computers via LDAP | awillia2@cisco.com |
| host-interaction/network/domain | get domain information | awillia2@cisco.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/network/domain | get domain controller name | awillia2@cisco.com |
| host-interaction/network/traffic/filter | register network filter via WFP API | michael.hunhoff@mandiant.com |
| host-interaction/network/traffic/copy | copy network traffic | michael.hunhoff@mandiant.com |
| host-interaction/network/connectivity | check Internet connectivity via WinINet | matthew.williams@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/network/connectivity | set TCP connection state | @johnk3r |
| host-interaction/network/interface | get networking interfaces | moritz.raabe@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com |
| host-interaction/network/address | get local IPv4 addresses | moritz.raabe@mandiant.com, joakim@intezer.com |
| host-interaction/os | shutdown system | michael.hunhoff@mandiant.com |
| host-interaction/os/info | get system information on Windows | moritz.raabe@mandiant.com, joakim@intezer.com |
| host-interaction/os/version | check OS version | michael.hunhoff@mandiant.com, johnk3r |
| host-interaction/os/version | get kernel version | joakim@intezer.com |
| host-interaction/os/hostname | get hostname | moritz.raabe@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com |
| host-interaction/file-system | bypass Mark of the Web | william.ballenthin@mandiant.com |
| host-interaction/file-system | create virtual file system in .NET | jakub.jozwiak@mandiant.com |
| host-interaction/file-system | get common file path | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/file-system/read | read virtual disk | @_re_fox |
| host-interaction/file-system/read | read .ini file | @_re_fox, michael.hunhoff@mandiant.com |
| host-interaction/file-system/delete | delete directory | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/file-system/create | create directory | moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/file-system/meta | get file version info | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/file-system/meta | get file size | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/console | manipulate console buffer | william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com |
| host-interaction/bootloader | manipulate safe mode programs | william.ballenthin@mandiant.com |
| host-interaction/bootloader | manipulate boot configuration | william.ballenthin@mandiant.com |
| host-interaction/bootloader | set UEFI variable | jakub.jozwiak@mandiant.com |
| host-interaction/bootloader | get UEFI variable | jakub.jozwiak@mandiant.com |
| host-interaction/session | get session integrity level | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/session | get logon sessions | awillia2@cisco.com |
| host-interaction/session | get token membership | michael.hunhoff@mandiant.com |
| host-interaction/hardware/mouse | swap mouse buttons | moritz.raabe@mandiant.com |
| host-interaction/hardware/storage | enumerate disk properties | michael.hunhoff@mandiant.com |
| host-interaction/hardware/storage | get disk information | moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/hardware/cpu | get number of processor cores | michael.hunhoff@mandiant.com |
| host-interaction/hardware/cpu | get number of processors | michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com |
| host-interaction/hardware/memory | get memory capacity | moritz.raabe@mandiant.com |
| host-interaction/hardware/cdrom | manipulate CD-ROM drive | michael.hunhoff@mandiant.com |
| host-interaction/hardware/keyboard | get keyboard layout | michael.hunhoff@mandiant.com |
| host-interaction/recycle-bin | empty recycle bin quietly | matthew.williams@mandiant.com |
| collection | get geographical location | moritz.raabe, michael.hunhoff@mandiant.com |
| collection | use .NET library SharpClipboard | @johnk3r |
| collection/database/sql | reference SQL statements | william.ballenthin@mandiant.com |
| collection/database/wmi | reference WMI statements | michael.hunhoff@mandiant.com |
| collection/password-manager | steal KeePass passwords using KeeFarce | @Ana06 |
| collection/browser | gather firefox profile information | @_re_fox, still@teamt5.org |
| collection/browser | gather chrome based browser login information | @_re_fox, still@teamt5.org |
| collection/microphone | capture microphone audio | @_re_fox |
| collection/group-policy | discover Group Policy via gpresult | william.ballenthin@mandiant.com |
| collection/network | capture packets using SharpPcap | jakub.jozwiak@mandiant.com |
| collection/network | get domain trust relationships | johnk3r |
| collection/keylog | log keystrokes via polling | michael.hunhoff@mandiant.com |
| collection/keylog | log keystrokes | moritz.raabe@mandiant.com |
| collection/file-managers | gather expandrive information | @_re_fox |
| collection/file-managers | gather alftp information | @_re_fox |
| collection/file-managers | gather staff-ftp information | @_re_fox |
| collection/file-managers | gather ftp-voyager information | @_re_fox |
| collection/file-managers | gather frigate3 information | @_re_fox |
| collection/file-managers | gather total-commander information | @_re_fox |
| collection/file-managers | gather flashfxp information | @_re_fox |
| collection/file-managers | gather ws-ftp information | @_re_fox |
| collection/file-managers | gather fling-ftp information | @_re_fox |
| collection/file-managers | gather robo-ftp information | @_re_fox |
| collection/file-managers | gather faststone-browser information | @_re_fox |
| collection/file-managers | gather wise-ftp information | @_re_fox |
| collection/file-managers | gather ftpgetter information | @_re_fox |
| collection/file-managers | gather winzip information | @_re_fox |
| collection/file-managers | gather ftp-explorer information | @_re_fox |
| collection/file-managers | gather 3d-ftp information | @_re_fox |
| collection/file-managers | gather classicftp information | @_re_fox |
| collection/file-managers | gather direct-ftp information | @_re_fox |
| collection/file-managers | gather bitkinex information | @_re_fox |
| collection/file-managers | gather xftp information | @_re_fox |
| collection/file-managers | gather global-downloader information | @_re_fox |
| collection/file-managers | gather leapftp information | @_re_fox |
| collection/file-managers | gather cuteftp information | @_re_fox |
| collection/file-managers | gather fasttrack-ftp information | @_re_fox |
| collection/file-managers | gather cyberduck information | @_re_fox |
| collection/file-managers | gather turbo-ftp information | @_re_fox |
| collection/file-managers | gather netdrive information | @_re_fox |
| collection/file-managers | gather directory-opus information | @_re_fox |
| collection/file-managers | gather coreftp information | @_re_fox |
| collection/file-managers | gather securefx information | @_re_fox |
| collection/file-managers | gather nova-ftp information | @_re_fox |
| collection/file-managers | gather bulletproof-ftp information | @_re_fox |
| collection/file-managers | gather ftpnow information | @_re_fox |
| collection/file-managers | gather ftpinfo information | @_re_fox |
| collection/file-managers | gather ftp-commander information | @_re_fox |
| collection/file-managers | gather ultrafxp information | @_re_fox |
| collection/file-managers | gather smart-ftp information | @_re_fox |
| collection/file-managers | gather ftprush information | @_re_fox |
| collection/file-managers | gather ffftp information | @_re_fox |
| collection/file-managers | gather freshftp information | @_re_fox |
| collection/file-managers | gather winscp information | @_re_fox |
| collection/file-managers | gather southriver-webdrive information | @_re_fox |
| collection/file-managers | gather softx-ftp information | @_re_fox |
| collection/file-managers | gather goftp information | @_re_fox |
| collection/file-managers | gather filezilla information | @_re_fox |
| collection/file-managers | gather nexusfile information | @_re_fox |
| collection/file-managers | gather ftpshell information | @_re_fox |
| collection/file-managers | gather blazeftp information | @_re_fox |
| persistence | create shortcut via IShellLink | matthew.williams@mandiant.com |
| persistence/exchange | act as Exchange transport agent | jakub.jozwiak@mandiant.com |
| persistence/office | act as Office COM add-in | jakub.jozwiak@mandiant.com |
| persistence/scheduled-tasks | schedule task via ITaskScheduler | moritz.raabe@mandiant.com |
| | contain pusha popa sequence | moritz.raabe@mandiant.com |
| | get service handle | moritz.raabe@mandiant.com |
| | write process memory | moritz.raabe@mandiant.com |
| | PEB access | michael.hunhoff@mandiant.com |
| | validate payment card number using luhn algorithm with no lookup table | @_re_fox |
| | create or open section object | william.ballenthin@mandiant.com |
| | contain loop | moritz.raabe@mandiant.com |
| anti-analysis/anti-av | patch Event Tracing for Windows function | jakub.jozwiak@mandiant.com |
| anti-analysis/anti-forensic | patch process command line | william.ballenthin@mandiant.com, @_re_fox |
| anti-analysis/anti-forensic | impersonate file version information | awillia2@cisco.com |
| anti-analysis/anti-forensic/timestomp | timestomp file | moritz.raabe@mandiant.com |
| anti-analysis/anti-forensic/self-deletion | self delete | michael.hunhoff@mandiant.com, @mr-tz |
| anti-analysis/anti-disasm | 64-bit execution via heavens gate | |
awillia2@cisco.com
anti-analysis/anti-disasm
contain anti-disasm techniques
moritz.raabe@mandiant.com
anti-analysis/obfuscation
obfuscated with ADVobfuscator
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with Dotfuscator
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with Yano
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with Babel Obfuscator
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with Spices.Net Obfuscator
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with vs-obfuscation
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with DeepSea Obfuscator
jakub.jozwiak@mandiant.com
anti-analysis/obfuscation
obfuscated with callobfuscator
johnk3r
anti-analysis/obfuscation
obfuscated with SmartAssembly
jakub.jozwiak@mandiant.com
anti-analysis/anti-vm/vm-detection
check for sandbox username or hostname
@_re_fox, echernofsky@google.com
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting VMWare
michael.hunhoff@mandiant.com, @johnk3r
anti-analysis/anti-vm/vm-detection
check for foreground window switch
ervin.ocampo@mandiant.com
anti-analysis/anti-vm/vm-detection
check for microsoft office emulation
@_re_fox
anti-analysis/anti-vm/vm-detection
detect VM via motherboard hardware WMI queries
anders.vejlby@mandiant.com
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting Parallels
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting VirtualPC
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting VirtualBox
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting Xen
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via dns suffix
@_re_fox
anti-analysis/anti-vm/vm-detection
detect VM via disk hardware WMI queries
anders.vejlby@mandiant.com
anti-analysis/anti-vm/vm-detection
reference anti-VM strings targeting Qemu
michael.hunhoff@mandiant.com
anti-analysis/anti-vm/vm-detection
check for Windows sandbox via registry
@_re_fox
anti-analysis/anti-vm/vm-detection
reference anti-VM strings
moritz.raabe@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for trap flag exception
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for time delay via GetTickCount
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for time delay via QueryPerformanceCounter
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for software breakpoints
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for kernel debugger via shared user data structure
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for PEB NtGlobalFlag flag
moritz.raabe@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for hardware breakpoints
michael.hunhoff@mandiant.com
anti-analysis/anti-debugging/debugger-detection
check for PEB BeingDebugged flag
moritz.raabe@mandiant.com
anti-analysis/anti-debugging/debugger-detection
execute anti-debugging instructions
moritz.raabe@mandiant.com
anti-analysis/anti-emulation/wine
check if process is running under wine
@_re_fox
anti-analysis/packer/confuser
packed with Confuser
william.ballenthin@mandiant.com
anti-analysis/packer/nspack
packed with nspack
@_re_fox
anti-analysis/packer/vmprotect
packed with VMProtect
william.ballenthin@mandiant.com
anti-analysis/packer/kkrunchy
packed with kkrunchy
@_re_fox
anti-analysis/packer/peshield
packed with peshield
@_re_fox
anti-analysis/packer/rlpack
packed with rlpack
@_re_fox
anti-analysis/packer/upx
packed with UPX
william.ballenthin@mandiant.com
anti-analysis/packer/pebundle
packed with pebundle
@_re_fox
anti-analysis/packer/pelocknt
packed with pelocknt
@_re_fox
anti-analysis/packer/themida
packed with Themida
william.ballenthin@mandiant.com
anti-analysis/packer/amber
packed with amber
john.gorman@mandiant.com
anti-analysis/packer/gopacker
packed with GoPacker
jared.wilson@mandiant.com
anti-analysis/packer/pespin
packed with PESpin
jakub.jozwiak@mandiant.com
anti-analysis/packer/petite
packed with petite
@_re_fox
anti-analysis/packer/upack
packed with upack
@_re_fox
anti-analysis/packer/pecompact
packed with PECompact
william.ballenthin@mandiant.com
anti-analysis/packer/y0da
packed with y0da crypter
@_re_fox
anti-analysis/packer/huan
packed with Huan
jakub.jozwiak@mandiant.com
anti-analysis/packer/aspack
packed with ASPack
william.ballenthin@mandiant.com
linking/static
linked against CPP standard library
@mr-tz
linking/static/aplib
linked against aPLib
still@teamt5.org
linking/static/polarssl
linked against PolarSSL/mbed TLS
william.ballenthin@mandiant.com
linking/static/msdetours
linked against Microsoft Detours
moritz.raabe@mandiant.com
linking/static/cryptopp
linked against Crypto++
moritz.raabe@mandiant.com
linking/static/openssl
linked against OpenSSL
william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com
linking/static/libcurl
linked against libcurl
moritz.raabe@mandiant.com
linking/static/sqlite3
linked against sqlite3
still@teamt5.org
linking/static/sqlite3
linked against CppSQLite3
still@teamt5.org
linking/static/wolfcrypt
linked against wolfCrypt
jakub.jozwiak@mandiant.com
linking/static/zlib
linked against ZLIB
william.ballenthin@mandiant.com
linking/static/wolfssl
linked against wolfSSL
jakub.jozwiak@mandiant.com
linking/runtime-linking
get ntdll base address
moritz.raabe@mandiant.com
linking/runtime-linking
get kernel32 base address
moritz.raabe@mandiant.com
impact/wipe-disk/wipe-mbr
overwrite Master Boot Record (MBR)
michael.hunhoff@mandiant.com
impact/inhibit-system-recovery
delete volume shadow copies
moritz.raabe@mandiant.com
communication/mailslot
read from mailslot
nick.simonian@mandiant.com
communication/mailslot
create mailslot
william.ballenthin@mandiant.com
communication/ftp/send
send file using FTP
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
communication/named-pipe/connect
connect pipe
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
communication/named-pipe/read
read pipe
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
communication/named-pipe/create
create two anonymous pipes
matthew.williams@mandiant.com
communication/named-pipe/create
create pipe
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
communication/socket/tcp/send
obtain TransmitPackets callback function via WSAIoctl
jonathan.lepore@mandiant.com
communication/socket/tcp/send
send TCP data via WFP API
michael.hunhoff@mandiant.com
communication/icmp
send ICMP echo request
michael.hunhoff@mandiant.com
communication/dns
reference DNS over HTTPS endpoints
markus.neis@swisscom.com / @markus_neis
communication/c2/file-transfer
download and write a file
moritz.raabe@mandiant.com
communication/c2/file-transfer
write and execute a file
moritz.raabe@mandiant.com
communication/c2/shell
execute shell command and capture output
matthew.williams@mandiant.com
communication/c2/shell
execute shell command received from socket on Linux
joakim@intezer.com
communication/c2/shell
create reverse shell on Linux
joakim@intezer.com
communication/http
reference HTTP User-Agent string
@mr-tz
communication/http
initialize WinHTTP library
michael.hunhoff@mandiant.com
communication/http
read HTTP header
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
communication/http
initialize IWebBrowser2
matthew.williams@mandiant.com
communication/http
set HTTP header
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
communication/http/server
receive HTTP request
michael.hunhoff@mandiant.com
communication/http/server
send HTTP response
michael.hunhoff@mandiant.com
communication/http/server
start HTTP server
michael.hunhoff@mandiant.com, jakub.jozwiak@mandiant.com
communication/http/client
prepare HTTP request
michael.hunhoff@mandiant.com
communication/http/client
get HTTP document via IWebBrowser2
matthew.williams@mandiant.com
communication/http/client
connect to URL
michael.hunhoff@mandiant.com
communication/http/client
decompress HTTP response via IEncodingFilterFactory
matthew.williams@mandiant.com
communication/http/client
check HTTP status code
@mr-tz
communication/http/client
read data from Internet
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
communication/http/client
connect to HTTP server
michael.hunhoff@mandiant.com
communication/http/client
extract HTTP body
matthew.williams@mandiant.com
communication/http/client
create HTTP request
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
communication/http/client
receive HTTP response
michael.hunhoff@mandiant.com
communication/http/client
create BITS job
@mr-tz
communication/http/client
download URL
matthew.williams@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
targeting/language
identify system language via API
william.ballenthin@mandiant.com
targeting/automated-teller-machine
identify ATM dispenser service provider
william.ballenthin@mandiant.com
targeting/automated-teller-machine/ncr
load NCR ATM library
william.ballenthin@mandiant.com
targeting/automated-teller-machine/ncr
reference NCR ATM library routines
william.ballenthin@mandiant.com
targeting/automated-teller-machine/diebold-nixdorf
load Diebold Nixdorf ATM library
william.ballenthin@mandiant.com
targeting/automated-teller-machine/diebold-nixdorf
reference Diebold ATM routines
william.ballenthin@mandiant.com
internal/limitation/file
(internal) autoit file limitation
william.ballenthin@mandiant.com
internal/limitation/file
(internal) installer file limitation
william.ballenthin@mandiant.com
internal/limitation/file
(internal) autohotkey file limitation
@mr-tz
internal/limitation/file
(internal) Visual Basic file limitation
@mr-tz
data-manipulation/encoding/base64
decode data using Base64 via dword translation table
gilbert.elliot@mandiant.com, sara.rincon@mandiant.com
data-manipulation/encoding/base64
reference Base64 string
moritz.raabe@mandiant.com
data-manipulation/encoding/xor
encode data using XOR
moritz.raabe@mandiant.com
data-manipulation/checksum/crc32
hash data with CRC32
moritz.raabe@mandiant.com
data-manipulation/checksum/adler32
compute adler32 checksum
matthew.williams@mandiant.com
data-manipulation/encryption
encrypt data using memfrob from glibc
zander.work@mandiant.com
data-manipulation/encryption
encrypt or decrypt via WinCrypt
moritz.raabe@mandiant.com
data-manipulation/encryption
import public key
william.ballenthin@mandiant.com
data-manipulation/encryption/twofish
encrypt data using twofish
@_re_fox
data-manipulation/encryption/skipjack
encrypt data using skipjack
@_re_fox
data-manipulation/encryption/blowfish
encrypt data using blowfish
@_re_fox
data-manipulation/encryption/hc-128
encrypt data using HC-128
awillia2@cisco.com
data-manipulation/encryption/aes
decrypt data using AES via x86 extensions
moritz.raabe@mandiant.com
data-manipulation/encryption/aes
encrypt data using AES via WinAPI
moritz.raabe@mandiant.com
data-manipulation/encryption/aes
use .NET library EncryptDecryptUtils
@johnk3r
data-manipulation/encryption/aes
manually build AES constants
huynh.t.nhan@gmail.com
data-manipulation/encryption/aes
encrypt data using AES via .NET
william.ballenthin@mandiant.com
data-manipulation/encryption/aes
encrypt data using AES MixColumns step
@mr-tz
data-manipulation/encryption/rsa
reference public RSA key
moritz.raabe@mandiant.com
data-manipulation/encryption/rc4
encrypt data using RC4 KSA
moritz.raabe@mandiant.com
data-manipulation/encryption/rc4
encrypt data using RC4 with custom key via WinAPI
blaine.stancill@mandiant.com
data-manipulation/encryption/rc4
encrypt data using RC4 PRGA
moritz.raabe@mandiant.com
data-manipulation/encryption/rc4
encrypt data using RC4 via WinAPI
moritz.raabe@mandiant.com
data-manipulation/encryption/des
encrypt data using DES
@_re_fox, william.ballenthin@mandiant.com
data-manipulation/encryption/des
encrypt data using DES via WinAPI
@_re_fox
data-manipulation/encryption/tea
encrypt data using TEA
william.ballenthin@mandiant.com, raymond.leong@mandiant.com
data-manipulation/encryption/tea
decrypt data using TEA
william.ballenthin@mandiant.com, raymond.leong@mandiant.com
data-manipulation/encryption/camellia
encrypt data using Camellia
@_re_fox
data-manipulation/encryption/xxtea
encrypt data using XXTEA
raymond.leong@mandiant.com
data-manipulation/encryption/sosemanuk
encrypt data using Sosemanuk
awillia2@cisco.com
data-manipulation/encryption/elliptic-curve
encrypt data using Curve25519
dimiter.andonov@mandiant.com
data-manipulation/encryption/vest
encrypt data using vest
@_re_fox
data-manipulation/encryption/rc6
encrypt data using RC6
william.ballenthin@mandiant.com
data-manipulation/encryption/xtea
encrypt data using XTEA
raymond.leong@mandiant.com
data-manipulation/prng
generate random numbers via WinAPI
michael.hunhoff@mandiant.com, johnk3r
data-manipulation/prng/mersenne
generate random numbers using a Mersenne Twister
moritz.raabe@mandiant.com
data-manipulation/json
use .NET library Newtonsoft.Json
@johnk3r
data-manipulation/svg
use .NET library SharpVectors
@johnk3r
data-manipulation/compression
decompress data using UCL
jakub.jozwiak@mandiant.com
data-manipulation/compression
compress data via WinAPI
moritz.raabe@mandiant.com
data-manipulation/compression
decompress data using LZO
david@edeca.net, david.cannings@pwc.com
data-manipulation/compression
decompress data using aPLib
@r3c0nst (Frank Boldewin), moritz.raabe@mandiant.com, cdong49@gatech.edu
data-manipulation/compression
decompress data via IEncodingFilterFactory
matthew.williams@mandiant.com
data-manipulation/compression
compress data via ZLIB inflate or deflate
blas.kojusner@mandiant.com
data-manipulation/compression
compress data using LZO
david@edeca.net, david.cannings@pwc.com
data-manipulation/hashing/tiger
hash data using tiger
@_re_fox
data-manipulation/hashing/sha384
hash data using SHA384
william.ballenthin@mandiant.com
data-manipulation/hashing/sha512
hash data using SHA512
william.ballenthin@mandiant.com
data-manipulation/hashing/djb2
hash data using djb2
awillia2@cisco.com, still@teamt5.org
data-manipulation/hashing/murmur
hash data using murmur3
william.ballenthin@mandiant.com
data-manipulation/hashing/fnv
hash data using fnv
moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com
data-manipulation/hashing/sha224
hash data using SHA224
moritz.raabe@mandiant.com
data-manipulation/hashing/sha256
hash data using SHA256
moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, william.ballenthin@mandiant.com
data-manipulation/hmac
authenticate HMAC
moritz.raabe@mandiant.com
runtime/dotnet
execute via .NET startup hook
william.ballenthin@mandiant.com
runtime/dotnet
compiled to the .NET platform
william.ballenthin@mandiant.com
load-code
execute VBScript Javascript or JScript in memory
blas.kojusner@mandiant.com
load-code/powershell
run PowerShell expression
anamaria.martinezgom@mandiant.com
load-code/pe
access PE header
moritz.raabe@mandiant.com
load-code/pe
inject DLL reflectively
@Ana06
load-code/pe
inspect section memory permissions
@Ana06
load-code/pe
parse PE header
moritz.raabe@mandiant.com
load-code/pe
rebuild import table
@Ana06
load-code/pe
resolve function by parsing PE exports
sara-rn
load-code/shellcode
execute shellcode via Windows fibers
jakub.jozwiak@mandiant.com
load-code/shellcode
spawn thread to RWX shellcode
moritz.raabe@mandiant.com
load-code/shellcode
execute shellcode via CreateThreadpoolWait
jakub.jozwiak@mandiant.com
load-code/shellcode
execute shellcode via CopyFile2
jakub.jozwiak@mandiant.com