(This video was recorded months ago but didn't end up being uploaded.)
8 hours ago
We forgive you John!
Even better old new videos makes me feels cool
Thanks for this!
Slackin! 😂 jk thnx for the upload & the honesty lol
As a person who's been developing and analyzing malware for a couple of years now: on the more sophisticated side, malware will be more evasive and hide itself better than the typical Python grabber you see on GitHub. Some don't even drop files; they just pad with 0x90 (the x86-64 NOP opcode) and execute payloads that connect you to a backdoor, etc. But most commonly, yes, you will find the common malware hiding in these directories.
How does fileless malware persist? Or can it? If it's not on disk, can it survive a reboot? Actually asking, I do not know and I'm curious.
@ThisIsJustADrillBit Completely fileless, idk. But most "fileless" malware is hiding in the registry. Extremely difficult to find.
@ThisIsJustADrillBit Okay, I'm going to answer this in a couple of parts. Malware does not always need to drop another file (example: you run "Main-Malware.exe" and it drops "Dropped-malware.exe"). You can simply make something that, when run, will execute payloads gathering system information or whatever you desire. If you were to restart your PC, the payloads are already executed and have sent everything to a C2 server, or however you developed it. You could also just develop the file to run on startup, if that's what you're asking. It could also hide in the reg keys, BIOS, etc. Plenty of different ways malware could hide itself; the video John made just goes for the more common types of malware. Hope this made sense.
(sorry for the late response, this hurricane fucked my power xd)
Using Python as malware for a non-Linux OS is dumb lol
In these directories what?
Great Content John!
It's awesome that you released a "pay what you can" course, some people - especially where the currency isn't strong - struggle to deal with the US$/€ "standard" price labels.
Cheers!
I saw a john hammond ad before this video.
Hi John, love your channel. I have a request, could you please do a similar video for Mac OS? Also I would request please do more videos targeting Mac OS
Great new video John, really like your video :) but I'm confused, this is 8 hours ago and only 8k views; I think you deserve more for this content.
Hey John, the reason that your rule is not triggering is because your image doesn't really contain \Users\*\. Instead you should consider making it more generic by adding just the \AppData\Local\Temp part, which is indeed part of the image, and this will make it trigger for every user's temp directory :)
The reason AppData isn't often considered is because a lot of valid applications (like Chrome) will install there if the user chooses to install for "this user only".
I think the rule you tried to wildcard might likely need to use their form of string matching, i.e. [^\\"]{1,20} (you can see an example of this in the dash @7:05)
%temp% or %appdata%; some go to the registry as well
Just to say that the Windows context menu is absolutely appalling. Why on earth they need you to click "More Options" just to rename is beyond me. The old menu was fine and worked well.
P.S. I know you can amend things back to this, but it shouldn't have been changed in any case
I wonder if some of those directories are excluded from the rules because there would be too many false positives.
This looks like a test. John knows the answer, but is waiting for someone to respond why it didn't work.
Please tell me what your keyboard model is!! Looks sick!
perhaps you need a trailing \ at the end of that string?
John, if you post more low level stuff (i.e. shellcode execution) I think it would be interesting
I'm wondering if the directory rule requires a trailing backslash, given all other rules had one
You didn't end the dirs with slashes, whereas all the other rules ended them with [back]slashes?
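Several comments above offer competing theories for why the rule did not fire: the `*` in `\Users\*\` being taken literally, the `[^\\"]{1,20}` regex form from the dashboard, and a missing trailing backslash. The Python below is an added example, not code from the video, from Aurora, or from any commenter; it checks each candidate rule value against a constructed image path under the different matching semantics a rule engine might apply (plain substring, Sigma-style full match and `contains` with wildcards, and regex search), so you can see which theory holds under which semantics.

```python
import fnmatch
import re

# Constructed sample (not from the video): the process Image a rule would be
# tested against. "memekatz.exe" stands in for the renamed calculator.
SAMPLE_IMAGE = r"C:\Users\john\AppData\Local\Temp\memekatz.exe"

def literal_contains(pattern, image):
    # Plain substring test: '*' is an ordinary character here, so a value
    # containing \Users\*\ can never match a real path.
    return pattern.lower() in image.lower()

def glob_full(pattern, image):
    # Sigma default for a plain value: the whole field must match, with
    # '*' and '?' as wildcards. Without a trailing \* only the directory
    # itself matches, never a file inside it.
    return fnmatch.fnmatchcase(image.lower(), pattern.lower())

def glob_contains(pattern, image):
    # Sigma 'contains' modifier: same wildcards, anchored nowhere.
    return fnmatch.fnmatchcase(image.lower(), "*" + pattern.lower() + "*")

def regex_contains(pattern, image):
    # Regex search, the form seen in the dashboard, with [^\\"]{1,20}
    # standing in for a username of 1 to 20 characters.
    return re.search(pattern, image, re.IGNORECASE) is not None

# Candidate rule values, keyed by the theory from the comments each one tests.
CANDIDATES = {
    "literal_users_wildcard": (literal_contains, "\\Users\\*\\AppData\\Local\\Temp\\"),
    "literal_temp_only": (literal_contains, "\\AppData\\Local\\Temp\\"),
    "full_match_no_trailing": (glob_full, r"C:\Users\*\AppData\Local\Temp"),
    "full_match_trailing": (glob_full, r"C:\Users\*\AppData\Local\Temp\*"),
    "contains_users_wildcard": (glob_contains, "\\Users\\*\\AppData\\Local\\Temp\\"),
    "regex_username_class": (regex_contains, r'\\Users\\[^\\"]{1,20}\\AppData\\Local\\Temp\\'),
}

def evaluate(image=SAMPLE_IMAGE):
    """Return {theory: matched} for every candidate against one image path."""
    return {name: fn(value, image) for name, (fn, value) in CANDIDATES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

Only the literal `\Users\*\` value and the full-match value without a trailing `\*` fail against the sample path; the generic `\AppData\Local\Temp\` substring, the wildcard `contains` form, and the `[^\\"]{1,20}` regex all fire.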
Hey John, love your videos. I don't think this one was very informative; I believe it's better to check where malware drops its files, if you know what I mean.
a threat actor here, just finished developing a malware and was wondering where it can go, thanks for the video John (:
Blud is not a malware developer if he doesn't know where to store it (also fileless is so much better)
Haha, so you're a threat actor? 😂😂
In place of the username you should have %user%. So \Users\%user%\AppData\Local\Temp would use the current user's temp file
Obviously lol, that's generally how every program ever that uses the temp folder works
1:29 explorer.exe shouldn't run out of System32, but from C:\Windows 😅, little correction. (love your videos John!)
Can you not just add into the sus.yaml file the entry - '%TEMP%' ?
The temp folder gets cleared occasionally, or the file could be overwritten if it's not unique enough, so it's not ideal
i was wondering what is the best antivirus to use
6:28 he finally figured out that maybe it's just the name.
Funny now OWROWRA doesn't even check file name history... And just gives up.
Also not even having a hash of the raw exe of a known virus in a database? Not checking for it? This whole video feels like it's made for toddlers...
Wonder if he renamed calculator to memekatz if that would trigger
Maybe the program that detects it runs from that location and fires off a notification, so they removed it. Doubt it though, they could surely whitelist themselves!
my OCD is screaming at the repetitive use of *.exe ... so much string duplication
Why is this an ad?
ADS and a long key in the registry.
@_JohnHammond, thanks for ur dose of skill everyday, i hear u i sleep less fool
btw can a file malware be customised to be inputted where it task it
John what about your osee cert
Who tf running a program from recycle bin?
that's impossible
@@AlexTsaava nothing is impossible with computers:)
@AlexTsaava How is that impossible?
The easiest way I can think of is probably to code a loader that would get the data of this executable directly from the file system, load it to memory and execute it. It's probably also possible to do something similar with a PowerShell command or maybe even the good old command prompt...
ohhh never thought of that
How do you get the virtual machines to run so smooth?
What's your hardware
@TracksWithDax HP Victus 15.6 2050
thanks baby john hammond
Registration button not working
Your videos are always great. ❤
Using YML files for an antivirus!?!?!?
How about a virus just go ahead and change the rules inside lol.
Not having your own closed binary format is a BIG mistake.
That way any virus can just change the rules inside yaml and not have the files deleted.
In a closed format, that is not reverse engineered, the only option a virus has, is to delete the files that have the antivirus settings.
This is just an additional attack vector, that you get just because you decided to use YML, an open format lol....
"Regarding the use of YAML files in Aurora-Agent EDR, the concern raised about vulnerabilities tied to open formats like YAML is valid to an extent. However, the Aurora-Agent team provides mechanisms to mitigate such risks. Although YAML files can be more accessible for manual rule configuration, there are measures like rule encryption available to safeguard these files. Aurora offers an option to encrypt its signatures, reducing the risk of tampering with configuration files. Additionally, when managed through the ASGARD Management Center, there are further security controls in place that centralize and secure the management of rules, reducing the likelihood of unauthorized modifications."
Moreover, the team has acknowledged potential gaps in self-defense mechanisms in the past, but they continue to work on improvements, as mentioned in their documentation and training resources.
on Linux ?
Do you know anything about your PC in a Docker container, somebody else controlling it, and hacking you all day long?
This is Government type of work, and local internet providers.
You Love For India ❤
Windows is so trash, on websites with certification Windows Defender is not blocking downloads from the websites 😊😊😊
"sigma based edr" 🗿
My malware brings its own SMB server and defeats mostly all AV.
My malware beings all the boys to the yard, damn right, it's better than yours... I can teach you, but I'll have to charge...
It's called a "DASH" ... "tac tac dashboard".
You have to be kidding.
Great video
bro watched the video in one minute
I'm used to this kind of stuff... so skipped to watch the other side explanation 😊
malware goes in your voice darlings,, it's so annoying
Hello!
:JohnKekw:
Hammond you sodding tictac
Damn, I'm so lost in this 😂😂
Don't even know where to begin learning this type of stuff
😃👍
I'll start reading if John likes my comment
I'll do all my homework if he replies to my comment 😊😊😊😊😊
Bro WHAT is this video 😂😂😂😂😂
Windows is crappy 😂 .. I'm sorry, the only use for Windows is to reverse malware 🤣🤣🤣🤣 but for US, Windows will keep the cybersecurity market growing.. thank you MS ❤ .. Mac and Linux own me all … 😅
Linux and Mac are just as vulnerable to malware as Windows
Brother, please make videos in the Hindi language