Приведено описание метода обхода Windows Defender:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
#malware #bypass #av
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
#malware #bypass #av
И ещё с DefCon'a:
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
EDR bypass:
* Kernel callbacks removal;
* Deactivation of the ETW TI provider;
* Uerland hooking bypass;
+ RunAsPPL bypass;
+ Credential Guard bypass;
#redteam #maldev #bypass
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
EDR bypass:
* Kernel callbacks removal;
* Deactivation of the ETW TI provider;
* Uerland hooking bypass;
+ RunAsPPL bypass;
+ Credential Guard bypass;
#redteam #maldev #bypass
Довольно интересная статья, как обходить EDR с помощью python)))
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
#redteam #pentest #bypass
https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
#redteam #pentest #bypass
На Source Zero Con 2022 представили данный инструмент. Если кратко: кидаете скомпилированный бинарь, тулза из бинаря убирает известные IoC строки, подписывает сертом из другого бинаря, ну и помогает EDR обходить (за счёт увеличения размера файла)
https://github.com/optiv/Mangle
#redteam #pentest #bypass
https://github.com/optiv/Mangle
#redteam #pentest #bypass
Просто свежий список хуков для продуктов CrowdStrike, SentinelOne и TrendMicro.
https://github.com/VirtualAlllocEx/AV-EPP-EDR-Windows-API-Hooking-List
#edr #bypass #redteam
https://github.com/VirtualAlllocEx/AV-EPP-EDR-Windows-API-Hooking-List
#edr #bypass #redteam
StackCrypt: Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then decrypt the stacks and resume threads
https://github.com/TheD1rkMtr/StackCrypt/tree/main
#bypass #maldev #redteam
https://github.com/TheD1rkMtr/StackCrypt/tree/main
#bypass #maldev #redteam
GitHub
GitHub - SaadAhla/StackCrypt: Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then…
Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then decrypt the stacks and resume threads - SaadAhla/StackCrypt
Ralf Hacker Channel
Для дампа памяти процессов, защищённых PPL. Работает с Windows 11 25346.1001 (April 2023). https://github.com/gabriellandau/PPLFault #creds #git #soft
А вот и анонсированный ранее BOF
https://github.com/trustedsec/PPLFaultDumpBOF
#bof #creds #bypass #redteam #pentest
https://github.com/trustedsec/PPLFaultDumpBOF
#bof #creds #bypass #redteam #pentest
GitHub
GitHub - trustedsec/PPLFaultDumpBOF
Contribute to trustedsec/PPLFaultDumpBOF development by creating an account on GitHub.
Ну вот как можно спать, когда публикуют такие ресерчи🥺
Если кратко, то рассмотрены методы Initial Access через ClickOnce с рекомендациями "как при этом не быть сожженным EDR'ами".
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
#initial #redteam #pentest #bypass #dev
Если кратко, то рассмотрены методы Initial Access через ClickOnce с рекомендациями "как при этом не быть сожженным EDR'ами".
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
#initial #redteam #pentest #bypass #dev
Medium
Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution
The contents of this blogpost was written by Nick Powers (@zyn3rgy) and Steven Flores (@0xthirteen), and is a written version of the…
Forwarded from APT
This media is not supported in your browser
VIEW IN TELEGRAM
🔨KRBUACBypass
By adding a
Research:
https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
Source:
https://github.com/wh0amitz/KRBUACBypass
#ad #kerberos #uac #bypass
By adding a
KERB-AD-RESTRICTION-ENTRY
to the service ticket, but filling in a fake MachineID, we can easily bypass UAC and gain SYSTEM privileges.Research:
https://www.tiraniddo.dev/2022/03/bypassing-uac-in-most-complex-way.html
Source:
https://github.com/wh0amitz/KRBUACBypass
#ad #kerberos #uac #bypass
В ресерче описана техника инъекции в процессы, которая позволяет обходить некоторые EDR (без создания удалённого потока).
Ресерч: https://www.riskinsight-wavestone.com/en/2023/10/process-injection-using-ntsetinformationprocess/
PoC: https://github.com/OtterHacker/SetProcessInjection
#pentest #redteam #evasion #bypass #maldev
Ресерч: https://www.riskinsight-wavestone.com/en/2023/10/process-injection-using-ntsetinformationprocess/
PoC: https://github.com/OtterHacker/SetProcessInjection
#pentest #redteam #evasion #bypass #maldev
RiskInsight
Process Injection using NtSetInformationProcess - RiskInsight
Process injection is a family of malware development techniques allowing an attacker to execute a malicious payload into legitimate addressable memory space of a legitimate process. These techniques are interesting because the malicious payload is executed…
Довольно интересное чтиво про Remote Browser Isolation и способы обхода для выполнения нагрузки
https://posts.specterops.io/calling-home-get-your-callbacks-through-rbi-50633a233999
#redteam #pentest #rbi #bypass
https://posts.specterops.io/calling-home-get-your-callbacks-through-rbi-50633a233999
#redteam #pentest #rbi #bypass
Medium
Calling Home, Get Your Callbacks Through RBI
Authored By: Lance B. Cain and Alexander DeMine
От имени любого пользователя можно аварийно завершить службу журнала событий Windows.
https://github.com/floesen/EventLogCrasher
#redteam #bypass #maldev
https://github.com/floesen/EventLogCrasher
#redteam #bypass #maldev
GitHub
GitHub - floesen/EventLogCrasher
Contribute to floesen/EventLogCrasher development by creating an account on GitHub.
Forwarded from APT
This media is not supported in your browser
VIEW IN TELEGRAM
A little lifehack if you, like me, come across paid articles from Medium. These sites allow you to read paid Medium articles for free:
🔗 https://freedium.cfd/<URL>
🔗 https://medium-forall.vercel.app/
#medium #premium #bypass
Please open Telegram to view this post
VIEW IN TELEGRAM
Полезное исследование методов сбора информации в домене Active Directory и способов их обнаружения.
https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/
#redteam #ad #pentest #bypass
https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/
#redteam #ad #pentest #bypass
MDSec
Active Directory Enumeration for Red Teams - MDSec
The Directory Service is the heart and soul of many organisations, and whether its Active Directory, OpenLDAP or something more exotic, as a source of much knowledge it often acts...
@Michaelzhm прислал статейку) Нового ничего нет, но если кто не знал про данную технику из категории Blind EDR, то вам понравится... Достигается путём изменения значения альтитуды минифильтра и перекрытия коллбэков EDR.
https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
#bypass #evasion #edr #redteam #maldev
https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
#bypass #evasion #edr #redteam #maldev
Tier Zero Security
Information Security Services. Offensive Security, Penetration Testing, Mobile and Application, Purple Team, Red Team
CLI tool (python) for managing Cortex XDR
* changing rules
* restarting the XDR process
* disabling the local analysis engine
* inserting any python code to run
https://github.com/SafeBreach-Labs/CortexVortex
#edr #redteam #bypass
* changing rules
* restarting the XDR process
* disabling the local analysis engine
* inserting any python code to run
https://github.com/SafeBreach-Labs/CortexVortex
#edr #redteam #bypass
GitHub
GitHub - SafeBreach-Labs/CortexVortex
Contribute to SafeBreach-Labs/CortexVortex development by creating an account on GitHub.