И ещё с DefCon'a:
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
EDR bypass:
* Kernel callbacks removal;
* Deactivation of the ETW TI provider;
* Uerland hooking bypass;
+ RunAsPPL bypass;
+ Credential Guard bypass;
#redteam #maldev #bypass
https://github.com/wavestone-cdt/EDRSandblast/tree/DefCon30Release
EDR bypass:
* Kernel callbacks removal;
* Deactivation of the ETW TI provider;
* Uerland hooking bypass;
+ RunAsPPL bypass;
+ Credential Guard bypass;
#redteam #maldev #bypass
Только опубликовано крутое исследование по обходу методов анализа EDR на основе трассировки стека
https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
#redteam #maldev
https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
#redteam #maldev
0xdarkvortex.dev
Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing
Dark Vortex provides various cybersecurity trainings, products and other services.
И ещё одно крутое исследование по обходу EDR!
(По утверждению автора: всех EDR)
https://0xdarkvortex.dev/hiding-in-plainsight/
#redteam #maldev
(По утверждению автора: всех EDR)
https://0xdarkvortex.dev/hiding-in-plainsight/
#redteam #maldev
0xdarkvortex.dev
Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
Dark Vortex provides various cybersecurity trainings, products and other services.
StackCrypt: Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then decrypt the stacks and resume threads
https://github.com/TheD1rkMtr/StackCrypt/tree/main
#bypass #maldev #redteam
https://github.com/TheD1rkMtr/StackCrypt/tree/main
#bypass #maldev #redteam
GitHub
GitHub - SaadAhla/StackCrypt: Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then…
Create a new thread that will suspend every thread and encrypt its stack, then going to sleep , then decrypt the stacks and resume threads - SaadAhla/StackCrypt
Кому интересно погрузиться в обнаружение аномалий на хосте вот описание одной из самых действенных техник. По стеку вызовов действительно можно определить нагрузки большинства популярных фреймворков)
https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks
#redteam #blueteam #maldev
https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks
#redteam #blueteam #maldev
www.elastic.co
Peeling back the curtain with call stacks — Elastic Security Labs
In this article, we'll show you how we contextualize rules and events, and how you can leverage call stacks to better understand any alerts you encounter in your environment.
В ресерче описана техника инъекции в процессы, которая позволяет обходить некоторые EDR (без создания удалённого потока).
Ресерч: https://www.riskinsight-wavestone.com/en/2023/10/process-injection-using-ntsetinformationprocess/
PoC: https://github.com/OtterHacker/SetProcessInjection
#pentest #redteam #evasion #bypass #maldev
Ресерч: https://www.riskinsight-wavestone.com/en/2023/10/process-injection-using-ntsetinformationprocess/
PoC: https://github.com/OtterHacker/SetProcessInjection
#pentest #redteam #evasion #bypass #maldev
RiskInsight
Process Injection using NtSetInformationProcess - RiskInsight
Process injection is a family of malware development techniques allowing an attacker to execute a malicious payload into legitimate addressable memory space of a legitimate process. These techniques are interesting because the malicious payload is executed…
Если кто-то не совсем разобрался с техникой DLL Hijacking, или может совсем не в курсе, что это такое, советую данный материал. Очень хорошая работа!
https://elliotonsecurity.com/perfect-dll-hijacking/
So today, we're doing 100% original research reverse engineering the Windows library loader to not just cleanly workaround Loader Lock but, in the end, disable it outright. Plus, coming up with some stable mitigation & detection mechanisms defenders can use to help guard against DLL hijacking.
#maldev #redteam
https://elliotonsecurity.com/perfect-dll-hijacking/
So today, we're doing 100% original research reverse engineering the Windows library loader to not just cleanly workaround Loader Lock but, in the end, disable it outright. Plus, coming up with some stable mitigation & detection mechanisms defenders can use to help guard against DLL hijacking.
#maldev #redteam
Elliot on Security
Elliot on Security - Perfect DLL Hijacking
Disengaging Loader Lock to do anything directly from DLLMain...
От имени любого пользователя можно аварийно завершить службу журнала событий Windows.
https://github.com/floesen/EventLogCrasher
#redteam #bypass #maldev
https://github.com/floesen/EventLogCrasher
#redteam #bypass #maldev
GitHub
GitHub - floesen/EventLogCrasher
Contribute to floesen/EventLogCrasher development by creating an account on GitHub.
Аналог
https://github.com/WKL-Sec/FuncAddressPro
#redteam #maldev #evasion
GetProcAddress, но написан на ассемблере. Гуд... https://github.com/WKL-Sec/FuncAddressPro
#redteam #maldev #evasion
GitHub
GitHub - WKL-Sec/FuncAddressPro: A stealthy, assembly-based tool for secure function address resolution, offering a robust alternative…
A stealthy, assembly-based tool for secure function address resolution, offering a robust alternative to GetProcAddress. - WKL-Sec/FuncAddressPro
Список DLL, которые использует группа Lazarus:
Missing DLL:
spoolsv.exe ➡️ ualapi.dll
Side-loaded:
mobsync.exe ➡️ propsys.dll
MDEServer.exe ➡️ winmde.dll
ComcastVNC.exe ➡️ version.dll
colorcpl.exe ➡️ colorui.dll
presentationhost.exe ➡️ mscoree.dll
CameraSettingsUIHost.exe ➡️ DUI70.dll
wsmprovhost.exe ➡️ mi.dll
SgrmLpac.exe ➡️ winhttp.dll
TieringEngineService.exe ➡️ ESENT.dll
WmiApSrv.exe ➡️ wbemcomn.dll
dfrgui.exe ➡️ SXSHARED.dll
SyncHost.exe ➡️ WinSync.dll
wmiprvse.exe ➡️ ncobjapi.dll
wmiprvse.exe ➡️ wbem\sspicli.dll
wmiprvse.exe ➡️ wbem\wmiclnt.dll
svchost.exe(IKEEXT) ➡️ wlbsctrl.dll
#apt #redteam #dllhijack #maldev
Missing DLL:
spoolsv.exe ➡️ ualapi.dll
Side-loaded:
mobsync.exe ➡️ propsys.dll
MDEServer.exe ➡️ winmde.dll
ComcastVNC.exe ➡️ version.dll
colorcpl.exe ➡️ colorui.dll
presentationhost.exe ➡️ mscoree.dll
CameraSettingsUIHost.exe ➡️ DUI70.dll
wsmprovhost.exe ➡️ mi.dll
SgrmLpac.exe ➡️ winhttp.dll
TieringEngineService.exe ➡️ ESENT.dll
WmiApSrv.exe ➡️ wbemcomn.dll
dfrgui.exe ➡️ SXSHARED.dll
SyncHost.exe ➡️ WinSync.dll
wmiprvse.exe ➡️ ncobjapi.dll
wmiprvse.exe ➡️ wbem\sspicli.dll
wmiprvse.exe ➡️ wbem\wmiclnt.dll
svchost.exe(IKEEXT) ➡️ wlbsctrl.dll
#apt #redteam #dllhijack #maldev
@Michaelzhm прислал статейку) Нового ничего нет, но если кто не знал про данную технику из категории Blind EDR, то вам понравится... Достигается путём изменения значения альтитуды минифильтра и перекрытия коллбэков EDR.
https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
#bypass #evasion #edr #redteam #maldev
https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
#bypass #evasion #edr #redteam #maldev
Tier Zero Security
Information Security Services. Offensive Security, Penetration Testing, Mobile and Application, Purple Team, Red Team
Forwarded from Threat Hunt
#maldev #redteam
Инструмент для имитации поведения AV/EDR. Утилита позволяет оттачивать навыки обхода средств защиты при создании своих загрузчиков.
1. Собираем проект
2. Создаём файл ioc.json с паттернами шелл-кода
3. Запускаем инструмент, указываем идентификатор вредоносного процесса:
https://github.com/Helixo32/CrimsonEDR
Инструмент для имитации поведения AV/EDR. Утилита позволяет оттачивать навыки обхода средств защиты при создании своих загрузчиков.
1. Собираем проект
./compile.sh2. Создаём файл ioc.json с паттернами шелл-кода
3. Запускаем инструмент, указываем идентификатор вредоносного процесса:
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234https://github.com/Helixo32/CrimsonEDR
GitHub
GitHub - Helixo32/CrimsonEDR: Simulate the behavior of AV/EDR for malware development training.
Simulate the behavior of AV/EDR for malware development training. - Helixo32/CrimsonEDR