🔔 TamperingSyscalls
This is a 2-part novel project consisting of argument spoofing and syscall retrieval, which both abuse EH in order to subvert EDRs. This project combines both of these projects in order to provide an alternative solution to direct syscalls.
Research:
🔗 https://fool.ish.wtf/2022/08/feeding-edrs-false-telemetry.html
Source:
🔗 https://github.com/rad9800/TamperingSyscalls
#edr #evasion #maldev #syscall #tampering
💉ClipboardInject
Abusing the clipboard to inject code into remote processes
This PoC uses the clipboard to copy a payload into a remote process, eliminating the need for VirtualAllocEx/WriteProcessMemory.
https://www.x86matthew.com/view_post?id=clipboard_inject
#maldev #injection #clipboard #redteam
📌 Save the Environment
Many applications appear to rely on Environment Variables such as %SYSTEMROOT% to load DLLs from protected locations. By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs.
Research:
https://www.wietzebeukema.nl/blog/save-the-environment-variables
Source Code:
https://github.com/wietze/windows-dll-env-hijacking
#maldev #dll #hijacking #environment
APT
EDRSandBlast: EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland…
😈 EDRSandBlast: Update
— User-mode (API hooking) evasion;
— Kernel-mode (callbacks and ETW ThreatIntel events) evasion;
— Successfully tested on market-leading EDR products.
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
#maldev #edr #lsass #evasion #redteam
⚙️ Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection
If you utilise API hashing in your malware or offensive security tooling, try rotating your API hashes. This can have a significant impact on detection rates and improve your chances of remaining undetected by AV/EDR.
Blog:
https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection
Source:
https://github.com/matthewB-huntress/APIHashReplace
#maldev #evasion #hinvoke #cobaltstrike #redteam
🛠 DynamicSyscalls
This is a library written in .NET that resolves the syscalls dynamically (it has nothing to do with hooking/unhooking).
https://github.com/Shrfnt77/DynamicSyscalls
#maldev #csharp #syscall #library
🥷 PNG Steganography Hides Backdoor
Malware authors rely on LSB encoding to hide a malicious payload in the PNG pixel data, more specifically in the LSB of each color channel (Red, Green, Blue, and Alpha).
https://decoded.avast.io/martinchlumecky/png-steganography/
#maldev #steganography #png
💤 laZzzy
This is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
Features:
— Direct syscalls and native functions;
— Import Address Table (IAT) evasion;
— Encrypted payload (XOR and AES);
— PPID spoofing;
— Blocking of non-Microsoft-signed DLLs;
— etc.
https://github.com/capt-meelo/laZzzy
#maldev #loader #cpp #redteam