Sensors have started watching a Chinese resource focused on endpoint security evasion through manipulation of features that machine learning models rely on (nothing novel). Some of these feature manipulations aim to shift a process's API profile away from commonly seen profiles, for example by calling CreateProcessA with the suspended flag (quite effective in our testing) or by using direct system calls. We are making available a JSON set containing the APIs and native binaries mentioned in this post. Modern defenses will need to leverage indicators such as these, paired with automation that defines behaviors, to proactively hunt for and detect adversary movements, rather than relying on Sysmon to tell you that a process has been tampered with. Do you know which API calls Sysmon actually hooks, given that Sysmon is just a wrapper? For example, do you know where your blind spots are with regard to process injection? Organizations will need to develop the ability to look at their network's raw telemetry and then hunt with advanced signatures built from API calls, process context, leveraged (native) binaries and other more advanced indicators of malicious behavior.
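As an added example (not code from the original post or from the repository it references), the following Python sketch shows the hunting approach the post argues for: load an indicator set of the shape described (watched APIs plus native binaries), then score raw process telemetry on combinations of behaviors such as a child created in the suspended state, a syscall issued outside ntdll, or a native binary spawned from an unusual parent. The JSON indicator set, the telemetry fields (`direct_syscall`, `creation_flags`, `parent_image`) and the sample events are all constructed for illustration; only `CREATE_SUSPENDED` (0x4) is a documented Windows constant.

```python
"""Hunt over raw process telemetry using an API / native-binary indicator set.
Added example; indicator set and events are constructed, not the post's data."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed indicator set in the shape the post describes (names assumed).
INDICATOR_JSON = """
{
  "apis": ["CreateProcessA", "CreateProcessW", "NtCreateThreadEx", "WriteProcessMemory"],
  "native_binaries": ["rundll32.exe", "regsvr32.exe", "mshta.exe"]
}
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit documented for CreateProcess

# Constructed list of parents from which a native binary is unusual (assumption).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def load_indicators(raw: str) -> dict:
    """Parse the JSON set and normalise names for case-insensitive matching."""
    data = json.loads(raw)
    return {
        "apis": {a.lower() for a in data["apis"]},
        "native": {b.lower() for b in data["native_binaries"]},
    }


@dataclass
class Event:
    """One telemetry record from a hypothetical user-mode tracer (fields assumed)."""
    pid: int
    image: str                    # process image name
    parent_image: str             # parent process image name (process context)
    api: Optional[str] = None     # API observed, if any
    creation_flags: int = 0       # dwCreationFlags when api is CreateProcess*
    direct_syscall: bool = False  # syscall instruction executed outside ntdll


def score_event(ev: Event, ind: dict) -> List[Tuple[str, int]]:
    """Return (rule_name, weight) hits; behaviours combine rather than fire alone."""
    hits = []
    api = (ev.api or "").lower()
    if api in ind["apis"]:
        hits.append(("watched_api:" + api, 1))
    # Child created suspended: the API profile the post singles out.
    if api in ("createprocessa", "createprocessw") and ev.creation_flags & CREATE_SUSPENDED:
        hits.append(("suspended_child", 3))
    # Direct system call: bypasses user-mode hooks, so weight it heavily.
    if ev.direct_syscall:
        hits.append(("direct_syscall", 3))
    # Native binary spawned from an unusual parent (process context).
    if ev.image.lower() in ind["native"] and ev.parent_image.lower() in UNUSUAL_PARENTS:
        hits.append(("native_binary_unusual_parent", 2))
    return hits


def hunt(events: List[Event], ind: dict, threshold: int = 4) -> List[Tuple[int, int, List[str]]]:
    """Return (pid, total_weight, rule_names) for events at or above threshold."""
    alerts = []
    for ev in events:
        hits = score_event(ev, ind)
        total = sum(w for _, w in hits)
        if total >= threshold:
            alerts.append((ev.pid, total, [name for name, _ in hits]))
    return alerts


if __name__ == "__main__":
    indicators = load_indicators(INDICATOR_JSON)
    # Constructed sample telemetry: one ordinary launch, one suspicious launch.
    sample = [
        Event(pid=1001, image="cmd.exe", parent_image="explorer.exe",
              api="CreateProcessW"),
        Event(pid=1002, image="svchost.exe", parent_image="explorer.exe",
              api="CreateProcessA", creation_flags=CREATE_SUSPENDED,
              direct_syscall=True),
    ]
    for pid, total, rules in hunt(sample, indicators):
        print(f"pid={pid} score={total} rules={rules}")
```

The weights and threshold are deliberately simple; the point is that a single watched API is only a weak signal, while the suspended-child and direct-syscall behaviors in combination cross the alert threshold even though neither corresponds to a Sysmon event on its own.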
Repo: Airboi/bypass-av-note: 免杀技术大杂烩---乱拳打死老师傅 ("A hodgepodge of AV-evasion techniques: wild punches beat the old master") (github.com)
Blog (Uncovering the Unknowns, SpecterOps): Uncovering The Unknowns. Mapping Windows API's to Sysmon Events, by Jonathan Johnson, Posts By SpecterOps Team Members