EDRSandBlast
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
#lsass #dump #etw #redteam
GitHub
GitHub - wavestone-cdt/EDRSandblast
Contribute to wavestone-cdt/EDRSandblast development by creating an account on GitHub.
ntTraceControl — Powershell Event Tracing Toolbox
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
Want to simulate any ETW logs using powershell, even the security one?
Do you want to import any evtx files into the current eventlog session?
ntTraceControl is a set of Powershell commands to forge/generate Windows logs. Simply put, ntTraceControl supports Detection teams by simplifying the testing of detection use cases and alerts without using complex infrastructure, tools, or the testing of vulnerabilities.
https://github.com/airbus-cert/ntTraceControl
#etw #simulate #powershell #redteam #blueteam
🎲 PowerShell Obfuscation
A simple and effective powershell obfuscaiton tool bypass Anti-Virus and AMSI-bypass + ETW-block.
https://github.com/H4de5-7/powershell-obfuscation
#powershell #obfuscation #amsi #etw #bypass
A simple and effective powershell obfuscaiton tool bypass Anti-Virus and AMSI-bypass + ETW-block.
https://github.com/H4de5-7/powershell-obfuscation
#powershell #obfuscation #amsi #etw #bypass
❤7👍4👎2
🥶 Freeze
Freeze.rs is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze.rs utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
Research:
https://www.optiv.com/insights/source-zero/blog/sacrificing-suspended-processes
Source:
https://github.com/optiv/Freeze.rs
#av #edr #etw #windows #maldev
Freeze.rs is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze.rs utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
Research:
https://www.optiv.com/insights/source-zero/blog/sacrificing-suspended-processes
Source:
https://github.com/optiv/Freeze.rs
#av #edr #etw #windows #maldev
🔥6❤1
This media is not supported in your browser
VIEW IN TELEGRAM
📄 Evading ETW Based Detections
In this post, Event Tracing for Windows (ETW) will be explored along with various evasion techniques used to evade detections based on this Windows event tracking and collection mechanism.
🔗 https://s4dbrd.com/evading-etw-based-detections/
#etw #bypass #windows
In this post, Event Tracing for Windows (ETW) will be explored along with various evasion techniques used to evade detections based on this Windows event tracking and collection mechanism.
🔗 https://s4dbrd.com/evading-etw-based-detections/
#etw #bypass #windows
👍5❤2
🔔Call and Register — Relay Attack on WinReg RPC Client
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
A critical vulnerability (CVE-2024-43532) has been identified in Microsoft’s Remote Registry client. This flaw allows attackers to exploit insecure fallback mechanisms in the WinReg client, enabling them to relay authentication details and make unauthorized certificate requests through Active Directory Certificate Services (ADCS).
🔗 Research:
https://www.akamai.com/blog/security-research/winreg-relay-vulnerability
🔗 RPC Visibility Tool:
https://github.com/akamai/akamai-security-research/tree/main/rpc_toolkit/rpc_visibility
🔗 PoC:
https://github.com/akamai/akamai-security-research/tree/main/PoCs/cve-2024-43532
#ad #adcs #rpc #ntlm #relay #etw #advapi
1🔥9👍6❤2