Zombie Ant Farm: A Kit For Playing Hide and Seek with Linux EDRs
Primitives and offensive tooling for Linux EDR evasion.
https://github.com/dsnezhkov/zombieant
#linux #bypass #evasion
Shikata ga nai (仕方がない) encoder ported into go with several improvements
SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetectable binary payloads. It uses an additive feedback loop to encode given binary instructions, similar to an LFSR. This project is a reimplementation of the original Shikata ga nai in Go with many improvements.
https://github.com/EgeBalci/sgn
#golang #tools #evasion #bypass
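The additive feedback loop is the part of Shikata ga nai that matters for static detection: each 32-bit word is XORed with a running key, and the key is then advanced by adding the word just processed, so the same plaintext word encodes to a different ciphertext word every time it appears and a different seed key produces an unrelated byte stream. The following Python is an added illustration of that construction, not code from the SGN repository or from the original Metasploit encoder; it assumes 32-bit little-endian words, zero-padding of the payload to a word boundary, and plaintext feedback into the key, and the payload bytes it encodes are constructed for the example rather than real shellcode.

```python
"""
Additive-feedback XOR encoder/decoder in the style of Shikata ga nai.

Assumptions (not taken from the SGN project): 32-bit little-endian words,
the running key is advanced by adding the *plaintext* word after each step,
and the payload is zero-padded to a multiple of four bytes.
"""
import os
import struct

MASK32 = 0xFFFFFFFF


def _pad(data: bytes) -> bytes:
    """Zero-pad to a whole number of 32-bit words (assumed padding scheme)."""
    return data + b"\x00" * (-len(data) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each word with the running key, then fold the plaintext word into
    the key. Because the key changes every step, repeated plaintext words
    (e.g. a NOP sled) do not produce repeated ciphertext words, which is
    what defeats a byte signature written against the encoded form."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad(payload)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32  # additive feedback, wraps at 2**32
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """Mirror of encode(): recover the word first, then apply the same
    feedback. A decoder stub prepended to the payload performs exactly this
    loop at run time, with the seed key embedded as an immediate."""
    out = bytearray()
    for (cword,) in struct.iter_unpack("<I", blob):
        word = cword ^ key
        out += struct.pack("<I", word)
        key = (key + word) & MASK32
    return bytes(out)


def polymorphic_encodings(payload: bytes, count: int) -> list[tuple[int, bytes]]:
    """Encode the same payload under `count` random seed keys. Each (key, blob)
    pair decodes back to the padded payload, while the blobs share no fixed
    byte pattern with each other."""
    result = []
    for _ in range(count):
        key = int.from_bytes(os.urandom(4), "little")
        result.append((key, encode(payload, key)))
    return result


if __name__ == "__main__":
    # Constructed sample: two identical NOP words followed by an INT3 run.
    sample = b"\x90" * 8 + b"\xcc" * 5
    seed = 0x12345678
    blob = encode(sample, seed)
    print("encoded :", blob.hex())
    print("decoded :", decode(blob, seed).hex())
    for k, b in polymorphic_encodings(sample, 3):
        print(f"key={k:08x} -> {b.hex()}")
```

Running the module shows that the two identical NOP words at the start of the sample come out as two different ciphertext words, and that each random seed yields a completely different blob for the same input; the decoder recovers the padded payload in every case. A real encoder also has to emit the decoder loop itself as machine code and randomize that stub's instruction selection, which is the part SGN's Go port works on and which this example does not cover.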
Extracting credentials from a remote Windows system - Living off the Land
Recently we performed a red teaming engagement where we wanted to dump the credentials from a remote host. We had the credentials of a user who has administrative privileges on the victim host and wanted to get more credentials from that host. Because we felt that the blue team was closely observing the environment, this needed to be done in a stealthy manner and preferably only involving native Windows tooling. That is when we came up with the following approach in order to obtain a remote system's SYSTEM, SECURITY and SAM files from %SystemRoot%\System32\Config, making use of WMI and SMB. This approach can also be used to obtain the ntds.dit file from a Domain Controller in order to obtain the credentials of the complete organization.
https://bitsadm.in/blog/extracting-credentials-from-remote-windows-system
#windows #redteaming #pentest #evasion
NetLoader
Loads any C# binary in mem, patching AMSI and bypassing Windows Defender
The binaries in this repo SHOULD be all clean and newly compiled from their respective GitHub repos, but feel free to compile / host your own. (Don't consider running binaries from this repo good OPSEC)
Latest update / signature fix was 28.05.2020, pretty much clean as a whistle. Currently doing 24/7 signature checks, so let's see how long it takes this time.
https://github.com/Flangvik/NetLoader
#evasion #redteaming #windows #amsi
APPDOMAINMANAGER INJECTION AND DETECTION
The Microsoft .NET Framework is being heavily utilized by threat actors and red teams for defense evasion and staying off the radar during operations. Every .NET binary contains application domains where assemblies are loaded in a safe manner. The AppDomainManager object can be used to create new ApplicationDomains inside a .NET process.
https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
#windows #redteaming #evasion #bypass #sysmon
Hiding your .NET - COMPlus_ETWEnabled
The process of disabling ETW is something that I first looked at back in March after trying to figure out just how some defenders were detecting in-memory Assembly loads (https://blog.xpnsec.com/hiding-your-dotnet-etw/). There have since been several other posts with clever and improved methods of bypassing this kind of detection from some awesome researchers including Cneeliz, BatSec and modexp. Each method relies on manipulating the ETW subsystem itself, from intercepting and manipulating calls to the usermode function EtwEventWrite or the kernel function NtTraceEvent, to parsing and manipulating the ETW registration table to avoid any code patching.
https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
#redteaming #dotnet #windows #bypass #evasion
Red Team: Using SharpChisel to exfil internal network
During many Red Team Assessments, we use multiple agents to connect to our target network infrastructure. These agents connect to different C2 servers such as Cobalt Strike, Metasploit Framework, Empire, SharpC2 (a recent C2 framework by Rasta Mouse), etc. One of the critical features of these C2 agents is to provide a tunnel into the target network. The latency of tunnels through these beacons or agents is quite high. Also, we generally have to make these agents interactive to make these tunnels work, which increases the risk of detection.
https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49
#redteaming #windows #exfiltration #bypass #evasion
Bring your own .NET Core Garbage Collector
This blog post explains how it is possible to abuse a legitimate feature of .NET Core, and exploit a directory traversal bug to achieve application whitelisting bypass.
https://www.contextis.com/us/blog/bring-your-own-.net-core-garbage-collector
#windows #bypass #evasion #dotnet
Evasor
Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass Application Control rules. It is easy to use, quick, saves time and is fully automated; it generates a report for you including descriptions, screenshots and mitigation suggestions, and suits both blue and red teams in the assessment of a post-exploitation phase.
https://github.com/cyberark/Evasor/
#tools #evasion #bypass #windows #redteaming
Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC
https://modexp.wordpress.com/2020/07/07/wpi-wm-paste/
#windows #exploitation #evasion #bypass
Fuzzing the Windows API for AV Evasion
https://winternl.com/fuzzing-the-windows-api-for-av-evasion/
#evasion #bypass #av #windows
Fun with PowerShell Payload Execution and Evasion
In this article, we’re going to learn how to use COM objects and PowerShell in Windows to execute shell commands with a couple of techniques for evading some endpoint security.
https://medium.com/swlh/fun-with-powershell-payload-execution-and-evasion-f5051fd149b2
#windows #powershell #evasion #obfuscation
Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection
I'm going to release and detail a stealthy process injection technique that uses a combination of two functions to achieve an allocation primitive (which I have already described some time ago), CreateFileMapping() and MapViewOfFile2() (well, I have made some updates to use a stealthier version called MapViewOfFile3()), and chains a very powerful execution primitive through the call NtSetInformationProcess().
https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
#windows #injection #bypass #evasion #redteaming
Hiding PE Imports
You’ve spent the last hour cheffing up a spicy, homemade, Windows executable just right for your target. Go to compile it and, sweet, there are no errors. Fire up the isolated VM and give it a few test runs and it’s working great. That ASCII art is looking mighty clean I must say. Time to send it downrange. Upload completes and you can see it on the file system.
https://roblehesa.com/posts/hiding-pe-imports/
#windows #internals #redteaming #malware #evasion
Content-Type Research
Did you know that browsers support multiple Content-Type headers in an HTTP response?
https://github.com/BlackFan/content-type-research
#web #appsec #bugbounty #evasion
GoPurple
This project is a simple collection of various shellcode injection techniques, aiming to streamline the process of endpoint detection evaluation, besides challenging myself to get into the Golang world.
https://github.com/sh4hin/GoPurple
#evasion #bypass #redteaming #tools #golang
Bypass AMSI by manual modification
This is my very first blog post. It's about how to manually change AMSI signatures/triggers to bypass it.
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
#redteaming #bypass #evasion #windows
Bypass AMSI by manual modification part II - Invoke-Mimikatz
This blog post will cover some, let's say, more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without an AMSI trigger. I will also cover some information on how Invoke-Mimikatz basically works for those who did not know it before.
https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
#windows #redteaming #bypass #evasion #amsi
Building a custom Mimikatz binary
This post will cover how to build a custom Mimikatz binary by doing source code modification to get past AV/EDR software.
https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/
#tools #windows #mimikatz #redteaming #evasion