
”ALEXANDRU IOAN CUZA” UNIVERSITY OF IAȘI
FACULTY OF COMPUTER SCIENCE
BACHELOR'S THESIS
Insert fancy name here
proposed by
Bogdan Gospodaru
Session: July, 2019
Scientific coordinator
Conf. Dr. Gavriluț Dragoș


Contents
Abstract  2
Motivation  3
Introduction  4
1 Endpoint detection and response  6
  1.1 What is EDR?  6
  1.2 Title section 2  7
2 Penetration testing  8
  2.1 Exploitation frameworks  8
  2.2 Post-exploitation frameworks  9
  2.3 Red teams  10
  2.4 Blue teams  10
  2.5 Importance in cyber security  10
3 Advanced persistent threat  12
  3.1 Stages of an APT  12
    3.1.1 Initial Access  13
    3.1.2 Execution  13
    3.1.3 Persistence  13
    3.1.4 Privilege Escalation  13
    3.1.5 Defense Evasion  13
    3.1.6 Credential Access  13
    3.1.7 Discovery  14
    3.1.8 Lateral Movement  14
    3.1.9 Collection  14
    3.1.10 Command and Control  14
    3.1.11 Exfiltration  14
    3.1.12 Impact  15
  3.2 APT groups  15
    3.2.1 APT29 – The Dukes  15
    3.2.2 APT37 – Reaper  16
4 Types of attacks  17
  4.1 Social engineering  17
    4.1.1 Phishing  17
    4.1.2 Spear phishing  17
  4.2 Malware  18
  4.3 Man-in-the-Middle  18
  4.4 Denial-of-Service  18
  4.5 Brute-Force  18
Conclusions  19
Bibliography  20

Abstract
Automating different types of attacks in order to speed up the testing of EDR (Endpoint Detection and Response) products, together with the lack of a general post-exploitation framework that supports custom scenarios, is a problem for which few open-source solutions exist.
This paper presents a detailed view of EDR technology, the motivations behind the need for a post-exploitation tool capable of automating attacks, and the importance of open-source solutions within the white hat community. The technologies used in this project are briefly described. The paper aims to cover some implementation details: the use of Lua to write custom attacks, an exposed API that makes it possible for the user to configure threat-based scenarios and, most importantly, the fileless technique used in post-exploitation frameworks to inject malicious agents into memory without them ever being physically present on the machine.
This thesis presents a tool that aggregates solutions to the aforementioned problem and that may aid the community in further preventing cyber attacks and improving current approaches to combating them.

Motivation
The broad scope of the techniques often used in enterprise attacks and cyber threats has resulted in the creation of a new solution in the world of advanced threat protection, referred to as EDR (Endpoint Detection and Response). To be able to successfully implement such a system and to block any threats that may occur on an endpoint, a post-exploitation agent that also has the capability to automate any number of complex attacks is a great addition to the white hat's arsenal.
Having experienced creating and running different scenarios, I noticed how difficult and time-consuming it is to prepare the environment every time, to manually execute the attack and to collect different types of information, such as logs, from the affected machine.
My research indicates that a post-exploitation tool with an easy-to-use API for writing custom attacks has a major impact in reducing the time spent on setting up the environment and executing the scenarios (regardless of their complexity), which, in turn, makes it possible to deliver faster and better prevention techniques to mitigate any threat on a machine.

Introduction
Current post-exploitation frameworks are highly effective in helping the community in its fight against threat actors. Much of their success is based on the similarity between the techniques they use to achieve control of a victim machine and the approach used by malicious users. These procedures are often utilized in complex scenarios known as APTs (Advanced Persistent Threats). An APT is a covert computer network attack in which a group successfully gains unauthorized access to accomplish specific goals (e.g. password or document theft). The ”advanced” component refers to the complex and sophisticated approaches used to exploit vulnerabilities in machines connected to the attacked network. The ”persistent” component specifies that the malicious agent process runs at all times on the system, continuously monitoring and extracting data through an external C2 (command and control) server.
A fully working post-exploitation scenario could have the following workflow:
- create a stager (a script or an executable file that establishes the connection with the C2 server)
- execute the stager on the victim's machine (the connection to the malicious server is now established and the agent can receive commands)
- execute initial discovery commands (ipconfig, whoami, qprocess etc.)
- execute a privilege escalation exploit
- steal credentials using Mimikatz (a utility to dump passwords via process injection into lsass.exe, the process responsible for enforcing the security policy on the system)
- execute persistence commands (e.g. run a batch file which creates a .lnk file in the Startup folder to start the malware at reboot)

The available post-exploitation frameworks provide the capability of reproducing different APTs. However, due to the numerous steps involved in successful APT scenarios, the community lacks an efficient, task-oriented tool with which a user could automate the entire process. It is beneficial for red teams to spend less time manually running commands and more time creating complex scenarios, from which detection and prevention systems can then improve.

Chapter 1
Endpoint detection and response
The term endpoint detection and response was first formulated by Anton Chuvakin in 2013 [1], where he emphasized the need for a new approach in the security domain. By that time, malware authors were already familiar with anti-virus evasion techniques, notably fileless attacks, which achieve code execution without writing any files to the user's machine and thereby make it hard for vendors to implement memory scanning modules or prevention mechanisms, as well as with exploits for a variety of vulnerabilities.
1.1 What is EDR?
Endpoint detection and response, or EDR (the abbreviation is used from this point forward), is a relatively new technology that aims to help in the fight against the complex attack scenarios (data breaches) and techniques adopted by various ill-intentioned communities. Before this approach was introduced, companies would usually hire expensive incident response teams to research and analyze a compromised network of endpoints (computers). Numerous tools were created to gather data about the attack in order to help the analyst reconstruct the storyline of the compromise, while other applications were designed to deliver a visual representation (a node graph). This raised the need for a system that could contain all of the functionalities described above. EDR is a complex application that, once installed on the computer, gathers various data about the operating system, network connections, file writes, executed commands etc. in the form of events, stores them in a database and displays the most relevant entries in a graphical console or web application installed on the server.
[1] https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/

<insert example image of event>
<insert example image of console>
The visual representation of the events gathered from an endpoint makes it easy to identify suspicious activity and potentially dangerous objects. A system administrator could, for example, spot unsafe behavior on an employee's machine and report it to the vendor for analysis, in case the EDR did not flag it as an RCA (root cause analysis). RCA is a mechanism to identify and prevent malicious movement by using event correlation (a technique which uses a large data set of events to analyse and determine a specific behavior between multiple entities).
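The post-exploitation workflow listed in the Introduction (stager, discovery commands, credential theft through lsass.exe, a .lnk dropped in the Startup folder) and the event correlation behind an RCA can be illustrated together. The Python script below is an added example and is not code from this thesis or from any EDR product: it takes a constructed batch of endpoint events (the field names kind, pid, ppid, image, target and path are assumptions for this example, not a vendor schema), rebuilds process lineage from the process-creation events, and groups the individually suspicious events by the chain that produced them, so that the root cause (here, a document opened from the mail client) surfaces as the common ancestor of every finding.

```python
"""Process-lineage correlation over constructed EDR events (added example)."""
from collections import defaultdict

# Constructed sample events, loosely shaped like what an EDR agent would emit.
# Field names are assumptions made for this example, not any product's schema.
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 2, "kind": "process", "pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"ts": 3, "kind": "process", "pid": 300, "ppid": 200, "image": "winword.exe"},
    {"ts": 4, "kind": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"ts": 5, "kind": "process", "pid": 410, "ppid": 400, "image": "whoami.exe"},
    {"ts": 6, "kind": "process", "pid": 411, "ppid": 400, "image": "ipconfig.exe"},
    {"ts": 7, "kind": "process_access", "pid": 400, "target": "lsass.exe"},
    {"ts": 8, "kind": "file_write", "pid": 400,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"ts": 9, "kind": "process", "pid": 500, "ppid": 100, "image": "notepad.exe"},
]

# Built-in tools the Introduction names as typical discovery commands.
DISCOVERY_TOOLS = {"whoami.exe", "ipconfig.exe", "qprocess.exe", "net.exe"}


def flag_event(ev):
    """Return a short label if the event on its own is suspicious, else None."""
    if ev["kind"] == "process_access" and ev["target"].lower() == "lsass.exe":
        return "credential access: handle to lsass.exe"
    if ev["kind"] == "file_write":
        path = ev["path"].lower()
        if "\\startup\\" in path and path.endswith(".lnk"):
            return "persistence: .lnk written to Startup folder"
    if ev["kind"] == "process" and ev["image"].lower() in DISCOVERY_TOOLS:
        return "discovery: " + ev["image"]
    return None


def build_tree(events):
    """Map pid -> (ppid, image) from the process-creation events."""
    tree = {}
    for ev in events:
        if ev["kind"] == "process":
            tree[ev["pid"]] = (ev["ppid"], ev["image"])
    return tree


def lineage(tree, pid):
    """Walk parents from pid up to the root; returns the images root-first."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:      # seen-set guards against pid reuse loops
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def root_cause(events):
    """Correlate flagged events by the lineage of the process that caused them.
    Returns {lineage tuple: [(ts, label), ...]}."""
    tree = build_tree(events)
    groups = defaultdict(list)
    for ev in events:
        label = flag_event(ev)
        if label is None:
            continue
        # For a process-creation event the actor is the parent; otherwise the pid itself.
        actor = ev["ppid"] if ev["kind"] == "process" else ev["pid"]
        groups[tuple(lineage(tree, actor))].append((ev["ts"], label))
    return dict(groups)


def suspicious_chains(events, min_findings=3):
    """Keep only lineages with at least min_findings distinct findings: one discovery
    command is noise, discovery plus lsass access plus persistence is an incident."""
    return {chain: findings for chain, findings in root_cause(events).items()
            if len({label for _, label in findings}) >= min_findings}


if __name__ == "__main__":
    for chain, findings in suspicious_chains(SAMPLE_EVENTS).items():
        print(" -> ".join(chain))
        for ts, label in findings:
            print(f"  t={ts}: {label}")
```

On the constructed input the only chain that survives the threshold is explorer.exe -> outlook.exe -> winword.exe -> powershell.exe, which is exactly the storyline an analyst would want the console to draw: the notepad.exe branch never appears because nothing under it was flagged.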
1.2 Title section 2

Chapter 2
Penetration testing
A penetration test (also known as a pentest) is an organized, simulated attack on a machine to reveal vulnerabilities, weaknesses and the risk of unauthorized access to sensitive data. It also covers the robustness of the endpoint, thus providing a full overview of the system's security posture. Companies usually hire specialists in the pentesting domain to carry out tests on their product or network infrastructure (endpoints), build a report and suggest mitigations in order to further enhance security.
2.1 Exploitation frameworks
Exploitation frameworks are security software projects that are fully capable of gaining control over a company's network infrastructure, stealing data, passwords and source code, and delivering other malicious applications (ransomware). Currently, the most widely used exploitation framework is Metasploit (MSF) [1], an open-source software for developing and testing exploits and for running complex scenarios. Its modularity provides an easy-to-use API for integrating new common vulnerabilities and exposures (CVEs), on top of an already large set of features. The framework makes it possible for security teams to stay ahead of black hat groups by creating new prevention mechanisms in order to stop malicious attempts. The exploitation of a system is just the starting point in a compromise scenario.
<insert workflow image here>
Besides having numerous exploits that are constantly kept up to date, Metasploit is equipped with auxiliary modules and sophisticated payloads. Auxiliary modules are a useful addition to the framework, allowing the user to create his own port scanners or configure the software to act as an SMTP/FTP/HTTP server, amongst other features. Payloads are the data transmitted to the attacked endpoint and executed there, establishing a connection back to the MSF or installing malicious applications. Meterpreter is the most complex payload available in the MSF. It communicates over a socket connection (on a port defined by the attacker) and offers an extensive client-side API. Through the MSF console, the attacker can interact with the memory-injected payload to execute commands, upload files, gain unauthorized access, steal data and perform numerous other tasks. At this point, the threat actor has acquired full control over the compromised endpoint.
[1] https://www.metasploit.com/
2.2 Post-exploitation frameworks
Similar to exploitation frameworks, the post-exploitation stage includes mechanisms which control the attacked machine. Post-exploitation refers to the steps of the operation that follow the compromise of an endpoint. These phases often incorporate persistence or data-stealing techniques, the goal being manipulation of the computer's data. To gain access to a machine, the user needs to execute a stager. A stager is a script or executable file that downloads a payload from the C2 server (the malicious threat actor) and executes it, thus establishing a connection with the C2 server, through which the attackers can manipulate the victim's system by sending commands or executing other threats. One of the leading solutions in the post-exploitation world is PowerShell Empire [1]. It is described as
a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
(http://www.powershellempire.com/)
PowerShell [2] is a shell for Windows developed by Microsoft, initially intended for task automation and computer management. It consists of a scripting language and a command-line interface, resulting in a powerful tool in the system administrator's tool kit, as well as the preferred shell in cyber attacks performed world-wide. Its integration with a post-exploitation framework highlights the importance of creating mitigation techniques in the security domain.
Mimikatz [3] is a security tool widely used by pentesting teams that is capable of collecting plaintext passwords and hashes, amongst other features.
[1] https://github.com/EmpireProject/Empire
[2] https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-6
2.3 Red teams
A red team is an external team of cyber security analysts or penetration testers that conducts an attack scenario against a company in order to evaluate its product or network security. A red team's goal is to successfully infiltrate the company, continuously monitor its state and provide a detailed view of the weaknesses and strengths found. The company is responsible for taking action to address these vulnerabilities and further enhance its security.
2.4 Blue teams
Blue teams are the internal teams responsible for protection against real-world attackers (APT groups or hackers), as well as against red teams. Their focus is improving the security score and prevention mechanisms by collecting the data provided by red teams or by supervised internal tests. As in the case of a red team, a blue team analyses real-world threats and creates similar scenarios to help cyber analysts in their fight to prevent malicious activity.
2.5 Importance in cyber security
Penetration testing teams, and the existence of various tools that make use of numerous tactics imitating real-world threats, are a huge benefit to the cyber security world. They provide useful information and disclose vulnerabilities or a lack of protection, which can be used to remediate such problems and come up with new prevention techniques.
[3] https://github.com/gentilkiwi/mimikatz

A red or blue team is crucial in aiding the development of new detection methods in an EDR product. Using exploitation or post-exploitation frameworks and custom tools that try to reproduce APT scenarios helps teams and cyber analysts stay ahead of the hackers and prevent attacks.
The available tools are also open-source, which is another strong feature. The importance of open-source software in cyber security lies in helping everyone in their fight against real-world threats. The community is also active on social media platforms (Twitter, Facebook), where its members constantly share zero-day vulnerabilities and exploits, undetected malware or hacked websites.

Chapter 3
Advanced persistent threat
An advanced persistent threat is an organized attack campaign in which the intruders manage to gain access to a network by establishing a connection that remains undetected for a prolonged period of time. After a thorough analysis of the victim, which is usually a government or a large enterprise, the main goal of an APT is to continuously extract sensitive data and network activity. This approach is considered more dangerous than sabotaging a company or government because the attackers have constant access to the network, collecting classified information regularly through unauthorized and undiscovered access.
3.1 Stages of an APT
An APT generally consists of several stages in which the attackers perform various techniques in order to achieve their goal. MITRE ATT&CK, portrayed as
a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community,
(https://attack.mitre.org/)
catalogues them in twelve phases, each containing specific techniques and methodologies used by APT actors.

3.1.1 Initial Access
Initial Access is the name of the first category of an attack, in which the intruders gain unauthorized access to an endpoint or a network of endpoints with the use of different techniques, such as spear phishing attacks or zero-day vulnerabilities.
3.1.2 Execution
This tactic refers to attackers executing malware or installing custom-built RATs (remote administration tools). The purpose of such a backdoor is to allow the cyber criminals to remotely control the machine.
3.1.3 Persistence
One problem that may arise is the loss of the installed backdoor's connection to the C2 server through Ethernet issues, computer restarts or any other action that could halt the attacker's activity. As such, intruders modify the machine's configuration in order to achieve persistence (system registry keys, start-up folders).
3.1.4 Privilege Escalation
Some actions that the attackers could accomplish require administrator access. Privilege Escalation encapsulates the techniques used in acquiring elevated permissions on a system or a network of systems.
3.1.5 Defense Evasion
An adversary adopts tactics to evade detection and remain undiscovered for a prolonged period of time. These techniques are categorized as Defense Evasion.
3.1.6 Credential Access
Intruders attempt to steal credentials from user or administrator accounts, granting them the ability to impersonate an employee. A consequence of this tactic is that defenders have a more difficult time detecting the attackers.

3.1.7 Discovery
Adversaries use various tools to learn about the system or network, in order to identify and target the locations which store valuable data. Usually, the operating system's built-in mechanisms benefit the intruders in achieving this crucial step.
3.1.8 Lateral Movement
The Lateral Movement tactic permits the infiltrators to access and control remote devices or services. The techniques used involve reconnaissance and execution of persistent actions.
3.1.9 Collection
According to MITRE,
Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
(https://attack.mitre.org/)
3.1.10 Command and Control
The Command and Control tactic defines how intruders communicate with a compromised system or network. For the whole duration of the attack, infiltrators send commands and extract data through the connection established between the backdoor and the C2 server. To further enhance their stealth, attackers may use proxy servers or custom-built network packets.
3.1.11 Exfiltration
Another crucial step in an attack is the exfiltration of sensitive data obtained without authorization, through the use of various techniques, including automated exfiltration and the encryption or compression of the data.

3.1.12 Impact
Techniques related to data manipulation, data destruction, denial-of-service (DoS) network attacks or firmware corruption (where adversaries corrupt the system's BIOS) are catalogued as part of the Impact tactic.
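The twelve tactics above are most useful to a defender as an ordering: a host that shows Initial Access, Execution and Discovery in sequence is in a very different state from one that also shows Credential Access, Persistence, Command and Control and Exfiltration. The Python script below is an added example, not code from this thesis or from MITRE: it maps a constructed stream of endpoint and network telemetry onto tactic names with a handful of illustrative rules (the event fields, the rule thresholds such as the beacon count and the byte volume, and the host names are all assumptions made for the example) and then reports, per host, the tactic timeline, how far along the kill chain the host has progressed, and which hosts have crossed a chosen number of distinct tactics.

```python
"""Tactic timeline over constructed telemetry (added example, not the thesis's code)."""

# The twelve tactics in the order the thesis lists them (ATT&CK Enterprise, 2019).
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]
RANK = {tactic: i for i, tactic in enumerate(TACTICS)}

DISCOVERY_TOOLS = {"whoami.exe", "net.exe", "qprocess.exe", "ipconfig.exe"}

# Illustrative rules: (tactic, predicate over one event). The field names and the
# thresholds are assumptions for this example, not a real product's rule set.
RULES = [
    ("Initial Access", lambda e: e["kind"] == "process"
        and e["parent"] == "outlook.exe" and e["image"] == "winword.exe"),
    ("Execution", lambda e: e["kind"] == "process"
        and e["image"] == "powershell.exe" and " -enc " in e.get("cmdline", "").lower()),
    ("Persistence", lambda e: e["kind"] == "registry"
        and "\\currentversion\\run\\" in e["key"].lower()),
    ("Credential Access", lambda e: e["kind"] == "process_access"
        and e["target"].lower() == "lsass.exe"),
    ("Discovery", lambda e: e["kind"] == "process" and e["image"] in DISCOVERY_TOOLS),
    ("Lateral Movement", lambda e: e["kind"] == "network"
        and e["direction"] == "out" and e["dport"] == 445),
    ("Command and Control", lambda e: e["kind"] == "network"
        and e["direction"] == "out" and e.get("beacon_count", 0) >= 10),
    ("Exfiltration", lambda e: e["kind"] == "network"
        and e["direction"] == "out" and e.get("bytes", 0) > 50_000_000),
]

# Constructed telemetry for two hosts: ws01 is a full intrusion, ws02 is a lone command.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "kind": "process", "image": "winword.exe", "parent": "outlook.exe"},
    {"ts": 2, "host": "ws01", "kind": "process", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"ts": 3, "host": "ws01", "kind": "process", "image": "whoami.exe", "parent": "powershell.exe"},
    {"ts": 4, "host": "ws01", "kind": "process_access", "target": "lsass.exe"},
    {"ts": 5, "host": "ws01", "kind": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": 6, "host": "ws01", "kind": "network", "direction": "out", "dport": 443, "beacon_count": 42},
    {"ts": 7, "host": "ws01", "kind": "network", "direction": "out", "dport": 443, "bytes": 120_000_000},
    {"ts": 8, "host": "ws02", "kind": "process", "image": "net.exe", "parent": "cmd.exe"},
]


def classify(event):
    """Tactics whose rule matches this single event (may be several or none)."""
    return [tactic for tactic, pred in RULES if pred(event)]


def tactic_timeline(events):
    """host -> [(ts, tactic), ...] in time order, first sighting of each tactic only."""
    timeline = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        seen = timeline.setdefault(e["host"], [])
        for tactic in classify(e):
            if tactic not in {t for _, t in seen}:
                seen.append((e["ts"], tactic))
    return timeline


def furthest_stage(events):
    """host -> the latest tactic (in kill-chain order) observed on that host."""
    return {host: max((t for _, t in steps), key=RANK.__getitem__)
            for host, steps in tactic_timeline(events).items() if steps}


def hosts_past_threshold(events, min_tactics=4):
    """Hosts showing at least min_tactics distinct tactics, most advanced first.
    A single discovery command is noise; several tactics in sequence are an intrusion."""
    counts = {host: len(steps) for host, steps in tactic_timeline(events).items()}
    return sorted((h for h, n in counts.items() if n >= min_tactics),
                  key=lambda h: counts[h], reverse=True)


if __name__ == "__main__":
    for host, steps in tactic_timeline(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(f"{t}@{ts}" for ts, t in steps))
    print("escalate:", hosts_past_threshold(SAMPLE_EVENTS))
```

The rules deliberately stay one-event-deep; the value comes from the ordering step, which is what turns a pile of low-confidence alerts into the staged picture the thesis describes. Real rule sets would be far larger and tuned per environment.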
3.2 APT groups
Throughout history there have been multiple groups of cyber criminals that conducted attacks against governments or large companies. Some of them persisted for almost a decade, while others still remain undetected, continuously gathering data. An APT group can have ties to a country's government, stealing data in its favor and helping it in various sectors such as the military or health. Two groups that have ties with a government are APT29, backed by the Russian Federation, and APT37, which is believed to have ties with the North Korean government.
3.2.1 APT29 – The Dukes
APT29, also known as The Dukes, is a group of highly skilled cyber espionage hackers that has been associated with the Russian government, has been operating since at least 2008 (https://attack.mitre.org/groups/G0016/) and is considered one of the most advanced and flexible factions, constantly updating its toolkit to remain undetected and to strike further targets. The Russian Federation is believed to have provided the group with legal protection and substantial funding. Because of the Russian involvement, the hackers developed a series of custom tools that would eventually help them conduct attacks against numerous targets in the United States, Europe and Asia. According to a paper released by F-Secure [1], their malware arsenal includes, in chronological order, PinchDuke (2008 – 2010), GeminiDuke (2009 – 2012), CosmicDuke (2010 – 2015), MiniDuke (2010 – 2015), CozyDuke (2010 – 2015, also known as CozyBear), OnionDuke (2013 – 2015), SeaDuke (2014 – 2015), HammerDuke (2015, alias HAMMERTOSS) and CloudDuke (2015), hence the name ”The Dukes”.
In the recent past, the group has been known for an attack against the Democratic National Committee in 2016 [2]. It is a widely held view that the group's goal was to help Donald Trump win the elections. AIVD (the Dutch intelligence service) provided the FBI (Federal Bureau of Investigation) with essential data regarding the attack against the Democratic Party [3].
[1] https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
3.2.2 APT37 – Reaper
APT37, tracked as Reaper, is a North Korean cyber espionage group first spotted in 2012. Its main targets have been victims in South Korea, but it has also aimed attacks at Romania and other countries of the Middle East [1]. The group is known for exploiting zero-day vulnerabilities, and its ties to the North Korean government are assessed ”given malware development artifacts and targeting that aligns with North Korean state interests”, according to FireEye [2].
Their malware toolset consists of various techniques focusing on stealing sensitive data and automating exfiltration from the victim. They conducted an attack against the South Korean government in 2017, in which they used a backdoor known as DOGCALL and a piece of malware capable of compromising a system's MBR (Master Boot Record), rendering it unable to boot, known as RUHAPPY [4].
Numerous indications lead to the belief that the group is based in North Korea, such as the compilation times of their custom malware, their repeated attacks against South Korean victims and information about an IP address from North Korea revealed by a hacker who is believed to have been involved in developing tools from the group's arsenal.
[2] https://widesecurity.net/random/apt29/
[3] https://www.volkskrant.nl/wetenschap/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~b4f8111b/
[1] https://attack.mitre.org/groups/G0067/
[2] https://www.fireeye.com/current-threats/apt-groups.html#apt37
[4] https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Chapter 4
Types of attacks
The hacking community and APT groups are constantly researching new ways to evade detection and infiltrate networks through different types of attacks. Although research is part of developing competent threats, their goal is to hack their way into these endpoints without reinventing the wheel, as a handful of techniques have proved themselves to be highly effective.
4.1 Social engineering
Social engineering is a term used by cyber security analysts and hackers to define the workflow required to successfully complete an attack based on human interaction. A social engineering scenario can contain multiple steps, starting with identifying the victim, then investigating and gathering information. Once the attacker gains the person's trust, that trust becomes easily exploitable in favor of the perpetrator.
4.1.1 Phishing
Phishing is a social engineering attack aimed at a large number of targets, a technique which does not require an extensive investigation of the victims. Phishing attacks can be deployed in the form of adverts or emails. They are unrefined and contain spelling mistakes that easily reveal their malicious intent.
4.1.2 Spear phishing
Unlike phishing, a spear phishing attack is targeted at a specific enterprise or organization and suitable reconnaissance is needed in order for it to be successful. These attacks usually consist of specially crafted emails that are sent to employees, and are harder to detect because of their credibility and smaller target group. As in any social engineering attack, this relies on human error rather than sophisticated exploits and vulnerabilities.
4.2 Malware
Malware is software constructed to perform actions on a computer without the user's authorization. It includes ransomware, spyware and RATs, but is commonly categorized into three types that behave differently. A trojan is implanted in a piece of software to make it look legitimate, so that the user will execute it without suspecting anything. A virus is based on injecting code into other legitimate applications on the user's system. A worm is the third type of malware; it can attack and infect other endpoints on the same network as the compromised system.
4.3 Man-in-the-Middle
Man-in-the-Middle is a technique which allows attackers to eavesdrop on a connection between two hosts. It includes packet sniffing (capturing and inspecting packets through specific wireless devices), packet injection (injecting malicious data after sniffing a packet), session hijacking (stealing the user's authentication token for a web application by sniffing packets) and SSL stripping (intercepting HTTPS traffic and redirecting it to an HTTP server, stripping the connection of its encryption).
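Two of the techniques above, session hijacking by sniffing and SSL stripping, depend on choices the web application makes: a session cookie without the Secure flag is sent over plain HTTP and can be sniffed, and a site without a Strict-Transport-Security header lets a browser accept an HTTP downgrade on a later visit. The Python script below is an added example, not code from this thesis: it audits a constructed set of HTTP responses (the host names under .example.test and the header values are placeholders) for exactly these weaknesses, so a blue team can check what a stripping or sniffing attacker would find before the attacker does.

```python
"""Audit of HTTP responses for MITM-relevant weaknesses (added example)."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # HSTS max-age below this is commonly treated as too short

# Constructed responses: (request URL, status, [(header, value), ...]).
# Headers are a list of pairs because Set-Cookie may legitimately repeat.
SAMPLE_RESPONSES = [
    ("https://shop.example.test/login", 200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly")]),
    ("https://portal.example.test/", 200, [
        ("Set-Cookie", "sid=xyz; Path=/")]),
    ("https://legacy.example.test/app", 302, [
        ("Location", "http://legacy.example.test/app/"),
        ("Strict-Transport-Security", "max-age=600")]),
    ("http://intranet.example.test/", 200, []),
]


def header_values(headers, name):
    """All values for a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def cookie_flags(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def hsts_max_age(value):
    """Parse the max-age directive of a Strict-Transport-Security header, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response(url, status, headers):
    """Return a list of human-readable findings for one response."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("served over plain HTTP: content and cookies readable by a sniffer")
        return findings
    hsts = header_values(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security: browser will accept an HTTP downgrade on a later visit")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({age}): downgrade protection lapses quickly")
    if status in (301, 302, 303, 307, 308):
        for loc in header_values(headers, "Location"):
            if loc.lower().startswith("http://"):
                findings.append(f"redirect downgrades to HTTP: {loc}")
    for sc in header_values(headers, "Set-Cookie"):
        name, flags = cookie_flags(sc)
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure: would also be sent over HTTP and sniffed")
        if "httponly" not in flags:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings


def audit_all(responses):
    """URL -> findings, for every constructed response."""
    return {url: audit_response(url, status, headers) for url, status, headers in responses}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

The first response is the hardened form (HSTS for a year plus Secure and HttpOnly on the session cookie); the other three each show one of the weaknesses that the attacks in this section exploit.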
4.4 Denial-of-Service
4.5 Brute-Force

Conclusions
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor
incididunt ut labore et dolore magna aliqua. Nunc mattis enim ut tellus elementum
sagittis vitae et. Placerat in egestas erat imperdiet sed euismod. Urna id volutpat la-
cus laoreet non curabitur gravida. Blandit turpis cursus in hac habitasse platea. Eget
nunc lobortis mattis aliquam faucibus. Est pellentesque elit ullamcorper dignissim cras
tincidunt lobortis feugiat. Viverra maecenas accumsan lacus vel facilisis volutpat est.
Non odio euismod lacinia at quis risus sed vulputate odio. Consequat ac felis donec
et odio pellentesque diam volutpat commodo. Etiam sit amet nisl purus in. Tortor
condimentum lacinia quis vel eros donec. Phasellus egestas tellus rutrum tellus pel-
lentesque eu tincidunt. Aliquam id diam maecenas ultricies mi eget mauris pharetra.
Enim eu turpis egestas pretium.

Bibliography
https://en.wikipedia.org/wiki/Event_correlation/
https://en.wikipedia.org/wiki/Root_cause_analysis/
https://www.sentinelone.com/blog/short-history-of-edr/
https://danielmiessler.com/study/red-blue-purple-teams/
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://businessinsights.bitdefender.com/bitdefender-edr
https://enterprise.comodo.com/blog/what-is-endpoint-detection-response/
https://en.wikipedia.org/wiki/Advanced_persistent_threat
https://buffered.io/posts/staged-vs-stageless-handlers/
https://www.imperva.com/learn/application-security/apt-advanced-persistent-threat/
https://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
https://attack.mitre.org/
https://news.softpedia.com/news/the-dukes-apt29-one-of-russia-s-cyber-espionage-hacking-squads-492021.shtml
https://miguelbigueur.com/2017/10/20/russian-apt-analysis-apt29-aka-the-dukes/
https://www.imperva.com/learn/application-security/spear-phishing/
https://www.imperva.com/learn/application-security/social-engineering-attack/