@0xAlexei Do you have any ideas on reverse-engineering the behavior detection definitions in Defender? Like Win32/MpTamperAddRegKeySpynetReport.A
Thank you!
Replying to @SwiftOnSecurity
Hmmm, I do not. My research mainly focused on the dynamic analysis subsystems built into Defender, I have not looked at the signatures. I think @mattifestation did some work on the sigs though.
I looked at some, various subsystems (e.g. emulator, interpreters, unpackers) can set flags or properties, and then rules can query them (e.g. if flag1 & flag2, then signature = foo). There are millions, like DividesByZero, IsPacked, MakesSyscall, ReadsTSC, etc, etc.
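As an added illustration of the model @mattifestation describes (this is not Defender's code or its real signature format): hypothetical analysis subsystems derive named flags from an emulation trace, and rules are boolean combinations of those flags. The flag names ReadsTSC, DividesByZero, MakesSyscall and IsPacked come from the tweet; the derived flag TimesExecution, the rule names, the event format and the sample trace are all constructed for this example.

```python
"""Toy attribute/rule model: subsystems set flags, rules query them.
Added example, not Defender code. Everything except the four flag names
mentioned in the thread (ReadsTSC, DividesByZero, MakesSyscall, IsPacked)
is a constructed assumption."""
from dataclasses import dataclass

# Constructed "emulator trace": what a hypothetical emulator/unpacker observed.
# Each event is a tuple whose first element is the event kind.
SAMPLE_TRACE = [
    ("section_entropy", 7.8),               # unpacker: near-random section
    ("rdtsc",),                             # emulator: timing read
    ("rdtsc",),                             # second read -> delta-based timing check
    ("div", 0),                             # emulator: deliberate divide by zero
    ("syscall", "NtAllocateVirtualMemory"),  # emulator: direct system call
]


def derive_flags(trace):
    """Stand-in for the subsystems that set flags/properties on a sample."""
    flags = set()
    rdtsc_reads = 0
    for event in trace:
        kind = event[0]
        if kind == "rdtsc":
            rdtsc_reads += 1
            flags.add("ReadsTSC")
        elif kind == "div" and event[1] == 0:
            flags.add("DividesByZero")
        elif kind == "syscall":
            flags.add("MakesSyscall")
        elif kind == "section_entropy" and event[1] > 7.0:
            flags.add("IsPacked")           # hypothetical entropy threshold
    if rdtsc_reads >= 2:
        flags.add("TimesExecution")         # hypothetical derived flag
    return flags


@dataclass(frozen=True)
class Rule:
    """A rule is a conjunction over flags: all_of must be set, none_of must not."""
    name: str
    all_of: frozenset
    none_of: frozenset = frozenset()

    def matches(self, flags):
        return self.all_of <= flags and not (self.none_of & flags)


# Hypothetical rules in the "if flag1 & flag2 then signature = foo" shape.
RULES = [
    Rule("Example/PackedEmuEvasion", frozenset({"IsPacked", "DividesByZero"})),
    Rule("Example/TimingCheck", frozenset({"ReadsTSC", "TimesExecution"})),
    Rule("Example/PackedDirectSyscall", frozenset({"IsPacked", "MakesSyscall"})),
    # Should NOT fire on SAMPLE_TRACE: it excludes a flag the sample sets.
    Rule("Example/CleanPackedTimer", frozenset({"IsPacked", "ReadsTSC"}),
         none_of=frozenset({"DividesByZero"})),
]


def evaluate(flags, rules=RULES):
    """Return the names of every rule whose flag conditions the sample meets."""
    return sorted(rule.name for rule in rules if rule.matches(flags))


if __name__ == "__main__":
    observed = derive_flags(SAMPLE_TRACE)
    print("flags:", sorted(observed))
    print("matches:", evaluate(observed))
```

The point of the split is that the flag producers (emulator, unpacker) and the rule consumers never see each other: a new rule is just a new combination of existing flags, which is why the flag vocabulary can grow so large without the emulator changing.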