Skip to content



  • Initial compromise
  • Establish beachhead: Ensure future access to compromised assets without needing a repeat initial intrusion
  • Escalate privileges
  • Internal reconnaissance
  • Network colonization
  • Persist
  • Complete mission: Exfiltrate stolen data

Analysis Reports

C2 Techniques

  • Using Trusted Forums to exchange messages

Intercepting SYSCalls

INS_Delete: Delete a specific instruction INS_RewriteMemmoryOperand: Change memory address by the program PIN_AddSyscallEntryFunction: Intercept syscalls at the entry point PIN_AddSyscallExitFunction: Execute after syscall (usable to alter the result)

Adversary Emulation