Loader Dev. 4 - AMSI and ETW

1.0cirosechttps://cirosec.de/en/Loader Dev. 4 - AMSI and ETW - cirosecrich600338<blockquote class="wp-embedded-content" data-secret="QfSM0hNDD5"><a href="https://cirosec.de/en/news/loader-dev-4-amsi-and-etw/">Loader Dev. 4 – AMSI and ETW</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://cirosec.de/en/news/loader-dev-4-amsi-and-etw/embed/#?secret=QfSM0hNDD5" width="600" height="338" title="“Loader Dev. 4 – AMSI and ETW” — cirosec" data-secret="QfSM0hNDD5" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script> /*! This file is auto-generated */ !function(d,l){"use strict";l.querySelector&&d.addEventListener&&"undefined"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),o=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),c=new RegExp("^https?:$","i"),i=0;i<o.length;i++)o[i].style.display="none";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute("style"),"height"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):"link"===t.message&&(r=new URL(s.getAttribute("src")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",function(){for(var e,t,s=l.querySelectorAll("iframe.wp-embedded-content"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute("data-secret"))||(t=Math.random().toString(36).substring(2,12),e.src+="#?secret="+t,e.setAttribute("data-secret",t)),e.contentWindow.postMessage({message:"ready",secret:t},"*")},!1)))}(window,document); //# sourceURL=https://cirosec.de/wp-includes/js/wp-embed.min.js </script> https://cirosec.de/wp-content/uploads/2024/02/web-applikationen-portale-services.jpg15001013April 30, 2024 - In the last post, we discussed how we can get rid of any hooks placed into our process by an EDR solution. However, there are also other mechanisms provided by Windows, which could help to detect our payload. Two of these are ETW and AMSI. Author: Kolja Grassmann