APT

  • Sponsored Cyber attacks targeting specific organizations to achieve a clear objective without being detected for a long period of time - CSTT

Workflow

  • Initial compromise
  • Establish beachhead: Ensure future access to compromised assets without needing a repeat initial intrusion
  • Escalate privileges
  • Internal reconnaissance
  • Network colonization
  • Persist
  • Complete mission: Exfiltrate stolen data

Analysis Reports

C2 Techniques

  • Using Trusted Forums to exchange messages

Intercepting SYSCalls

INS_Delete: Delete a specific instruction INS_RewriteMemmoryOperand: Change memory address by the program PIN_AddSyscallEntryFunction: Intercept syscalls at the entry point PIN_AddSyscallExitFunction: Execute after syscall (usable to alter the result)