A blueprint for evading industry leading endpoint protection in 2022
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
#av #edr #evasion #research
In this post, I’d like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so I’ve decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can:
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
#av #edr #evasion #research
This media is not supported in your browser
VIEW IN TELEGRAM
KernelCallbackTable Injection
KernelCallbackTable which could be abused to inject shellcode in a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
#edr #bypass #injection #cpp #maldev
KernelCallbackTable which could be abused to inject shellcode in a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.
https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
#edr #bypass #injection #cpp #maldev
🛠 API Unhooking with Perun's Fart
An article about a new method of avoiding AV/EDR by creating a process in a suspended state and getting a copy of the ntdll from the new process before it is hijacked by AV/EDR.
Research:
https://dosxuz.gitlab.io/post/perunsfart/
PoC:
https://github.com/dosxuz/PerunsFart
#av #edr #evasion #api #unhooking #resarch
An article about a new method of avoiding AV/EDR by creating a process in a suspended state and getting a copy of the ntdll from the new process before it is hijacked by AV/EDR.
Research:
https://dosxuz.gitlab.io/post/perunsfart/
PoC:
https://github.com/dosxuz/PerunsFart
#av #edr #evasion #api #unhooking #resarch
dosxuz.gitlab.io
API Unhooking with Perun's Fart
Pre-requisites To fully understand this topic, one needs to have some knowledge about the following concepts:
Little bit of C++ programming Some knowledge of API hooking by AV/EDR software Basic understanding of the PE structures Basic knowledge about Win32…
Little bit of C++ programming Some knowledge of API hooking by AV/EDR software Basic understanding of the PE structures Basic knowledge about Win32…
🦠 Mangle
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#av #edr #memory #evasion #redteam
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#av #edr #memory #evasion #redteam
GitHub
GitHub - optiv/Mangle: Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from…
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs - optiv/Mangle
❤🔥7
🔔 TamperingSyscalls
This is a 2 part novel project consisting of argument spoofing and syscall retrival which both abuse EH in order to subvert EDRs. This project consists of both of these projects in order to provide an alternative solution to direct syscalls.
Research:
🔗 https://fool.ish.wtf/2022/08/feeding-edrs-false-telemetry.html
Source:
🔗 https://github.com/rad9800/TamperingSyscalls
#edr #evasion #maldev #syscall #tampering
This is a 2 part novel project consisting of argument spoofing and syscall retrival which both abuse EH in order to subvert EDRs. This project consists of both of these projects in order to provide an alternative solution to direct syscalls.
Research:
🔗 https://fool.ish.wtf/2022/08/feeding-edrs-false-telemetry.html
Source:
🔗 https://github.com/rad9800/TamperingSyscalls
#edr #evasion #maldev #syscall #tampering
👍3🔥1
APT
EDRSandBlast EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland…
😈 EDRSandBlast: Update
— User-mode (API hooking) evasion;
— Kernel-mode (callbacks and ETW ThreatIntel events) evasion;
— Successively tested on market-leading EDR products.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#maldev #edr #lsass #evasion #redteam
— User-mode (API hooking) evasion;
— Kernel-mode (callbacks and ETW ThreatIntel events) evasion;
— Successively tested on market-leading EDR products.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#maldev #edr #lsass #evasion #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast at DefCon30Release
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
👍3
⚔️ Microsoft Teams C2 — Covert Attack Chain Utilizing GIFShell
Seven different insecure design elements/vulnerabilities present in Microsoft Teams, can be leveraged by an attacker, to execute a reverse shell between an attacker and victim, where no communication is directly exchanged between an attacker and a victim, but is entirely piped through malicious GIFs sent in Teams messages, and Out of Bounds (OOB) lookups of GIFs conducted by Microsoft’s own servers. This unique C2 infrastructure can be leveraged by sophisticated threat actors to avoid detection by EDR and other network monitoring tools. Particularly in secure network environments, where Microsoft Teams might be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating.
Source:
https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7
#c2 #teams #gifshell #edr #redteam
Seven different insecure design elements/vulnerabilities present in Microsoft Teams, can be leveraged by an attacker, to execute a reverse shell between an attacker and victim, where no communication is directly exchanged between an attacker and a victim, but is entirely piped through malicious GIFs sent in Teams messages, and Out of Bounds (OOB) lookups of GIFs conducted by Microsoft’s own servers. This unique C2 infrastructure can be leveraged by sophisticated threat actors to avoid detection by EDR and other network monitoring tools. Particularly in secure network environments, where Microsoft Teams might be one of a handful of allowed, trusted hosts and programs, this attack chain can be particularly devastating.
Source:
https://medium.com/@bobbyrsec/gifshell-covert-attack-chain-and-c2-utilizing-microsoft-teams-gifs-1618c4e64ed7
#c2 #teams #gifshell #edr #redteam
Medium
“GIFShell” — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs
Table of Contents
🔥6👍1
⚔️ Mangle — EDR Bypass
This is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#edr #bypass #inflate #certificate
This is a tool that manipulates aspects of compiled executables (.exe or DLL). Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files. In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
https://github.com/optiv/Mangle
#edr #bypass #inflate #certificate
👍8
💉 Dirty Vanity — A New Approach to Code injection & EDR bypass
A POC for the new injection technique, abusing windows fork API to evade EDRs.
Source:
https://github.com/deepinstinct/Dirty-Vanity
Research:
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf
#av #edr #bypass #injection #fork #api
A POC for the new injection technique, abusing windows fork API to evade EDRs.
Source:
https://github.com/deepinstinct/Dirty-Vanity
Research:
https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf
#av #edr #bypass #injection #fork #api
GitHub
GitHub - deepinstinct/Dirty-Vanity: A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www…
A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass...
👍6❤1
⚛️ AtomLdr
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
🔥7👍3