The Human Connection Blog

New CTI Lab: Typelib: COM Persistence

BenMcCarthy
2 months ago

Today, we have released a brand new lab on identifying indicators of compromise relating to a new persistence mechanism on Windows! You will learn how the technique works and then threat hunt for malware that has used it!

A TypeLib is a file containing metadata that describes the interfaces, methods, properties, and events a COM component exposes. It is registered for a process through a registry key. On October 23, 2024, a persistence technique was researched and reported in which an attacker could abuse TypeLib's functionality to identify registry keys and achieve persistence. If exploited, this allows attackers to persist on a machine and stage further attacks.
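To make the registry side of this concrete, here is an added threat-hunting example (not code from the lab or from Immersive Labs). It assumes the standard TypeLib registration layout, `HKEY_CLASSES_ROOT\TypeLib\{LIBID}\<version>\<lcid>\win32` and `\win64`, whose default value is the path of the type library file, and that HKCR is the merged view of `HKLM\Software\Classes` and `HKCU\Software\Classes`. It enumerates every registration and reports the ones a hunter would want to review: values that are not a file path, targets missing from disk or sitting in user-writable locations, and per-user entries that shadow a machine-wide one.

```powershell
# Added example: enumerate TypeLib registrations and flag entries worth reviewing.
# Assumed layout: HKCR\TypeLib\{LIBID}\<version>\<lcid>\win32|win64, default value = path
# of the .tlb/.olb/.dll/.exe. HKCR merges HKLM and HKCU classes, so a per-user
# override needs no administrator rights and is reported separately.

function Resolve-TypeLibTarget {
    param([string]$Value)
    # Expand %SystemRoot%-style variables and tolerate a trailing "\<n>" resource index.
    $expanded = [Environment]::ExpandEnvironmentVariables($Value.Trim('"'))
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { return $expanded }
    $stripped = $expanded -replace '\\\d+$', ''
    if ($stripped -ne $expanded -and (Test-Path -LiteralPath $stripped -PathType Leaf)) { return $stripped }
    return $null
}

function Get-TypeLibFindings {
    $findings = @()
    $libs = Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT\TypeLib' -ErrorAction SilentlyContinue
    foreach ($lib in $libs) {
      foreach ($ver in Get-ChildItem -LiteralPath $lib.PSPath -ErrorAction SilentlyContinue) {
        foreach ($lcid in Get-ChildItem -LiteralPath $ver.PSPath -ErrorAction SilentlyContinue) {
          foreach ($plat in 'win32', 'win64') {
            $keyPath = Join-Path $lcid.PSPath $plat
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $value = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($value)) { continue }

            $reasons = @()
            # A type library reference should be a drive or UNC path; a scheme-like
            # prefix (e.g. "something:") is not a normal TypeLib target.
            if ($value -match '^\s*[a-z][a-z0-9+.-]+:') {
                $reasons += 'non-path value (moniker/URL-style)'
            }
            $resolved = Resolve-TypeLibTarget $value
            if (-not $resolved) {
                $reasons += 'target file not found on disk'
            } elseif ($resolved -match '\\(Users|Temp|ProgramData|AppData)\\') {
                $reasons += 'target in user-writable location'
            }
            # Per-user entries are interesting: they override HKLM and need no admin rights.
            $relative  = "$($lib.PSChildName)\$($ver.PSChildName)\$($lcid.PSChildName)\$plat"
            $inUser    = Test-Path -LiteralPath "Registry::HKEY_CURRENT_USER\Software\Classes\TypeLib\$relative"
            $inMachine = Test-Path -LiteralPath "Registry::HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\$relative"
            if ($inUser -and $inMachine) { $reasons += 'HKCU entry shadows HKLM entry' }
            elseif ($inUser)             { $reasons += 'registered only in HKCU' }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    LibID    = $lib.PSChildName
                    Version  = $ver.PSChildName
                    LCID     = $lcid.PSChildName
                    Platform = $plat
                    Value    = $value
                    Reasons  = ($reasons -join '; ')
                }
            }
          }
        }
      }
    }
    return $findings
}

Get-TypeLibFindings | Sort-Object Reasons | Format-Table -AutoSize -Wrap
```

Run it from an elevated or a standard PowerShell session on the host being examined; every row is a lead, not a verdict, so compare hits against a known-good baseline (for example, the same script run on a clean build) and pair them with registry-modification telemetry before deciding anything.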

Why have we created this content?
Given that this technique is quite new, this content was created to educate users on how the Windows registry can be abused to let attackers maintain persistence on a victim machine while also deploying malware. Attacks that abuse legitimate processes are often the most dangerous, because security tooling frequently isn't configured to detect these kinds of changes, such as registry key modifications.

What are we publishing?
All customers on a CyberPro License have immediate access to the new lab.

Who is this content for?
These labs are focused on upskilling and increasing the defensive capabilities of the following roles:

  • SOC Analysts
  • Incident Responders
  • Threat Hunters
  • Malware Analysts

Updated 2 months ago
Version 2.0