Zombie Ant Farm: A Kit For Playing Hide and Seek with Linux EDRs

https://github.com/dsnezhkov/zombieant
#linux #bypass #evasion

Shikata ga nai (仕方がない) encoder ported into go with several improvements

SGN is a polymorphic binary encoder for offensive security purposes such as generating statically undetecable binary payloads. It uses a additive feedback loop to encode given binary instructions similar to LSFR. This project is the reimplementation of the original Shikata ga nai in golang with many improvements.

https://github.com/EgeBalci/sgn
#golang #tools #evasion #bypass

Extracting credentials from a remote Windows system - Living off the Land

Recently we performed a red teaming engagement where we wanted to dump the credentials from a remote host. We got the credentials of a user which has administrative privileges on the victim host and wanted to get more credentials from that host. Because we felt that the blue team was closely observing the environment this needed to be done in a stealthy manner and preferably only involving native Windows tooling. That is when we came up with the following approach in order to obtain a remote system’s SYSTEM, SECURITY and SAM files from %SystemRoot%\System32\Config making use of WMI and SMB. This approach can also be used to obtain the ntds.dit file from a Domain Controller in order to obtain the credentials of the complete organization.

https://bitsadm.in/blog/extracting-credentials-from-remote-windows-system
#windows #redteaming #pentest #evasion

NetLoader

Loads any C# binary in mem, patching AMSI and bypassing Windows Defender

The binaries in this repo SHOULD be all clean and newly compiled from their respective GitHub repos, but feel free to compile / host your own. (Don't consider running binaries from this repo good OPSEC)

Latest update / Signature fix was 28.05.2020, pretty much clean as a whistle Currently doing 24/7 signature checks, so let's see how long it takes this time

https://github.com/Flangvik/NetLoader
#evasion #redteaming #windows #amsi

APPDOMAINMANAGER INJECTION AND DETECTION

Microsoft .NET framework is being heavily utilized by threat actors and red teams for defense evasion and staying off the radar during operations. Every .NET binary contains application domains where assemblies are loaded in a safe manner. The AppDomainManager object can be used to create new ApplicationDomains inside a .NET process.

https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
#windows #redteaming #evasion #bypass #sysmon

Hiding your .NET - COMPlus_ETWEnabled

The process of disabling ETW is something that I first looked at back in March after trying to figure out just how some defenders were detecting in-memory Assembly loads (https://blog.xpnsec.com/hiding-your-dotnet-etw/). There have since been several other posts with clever and improved methods of bypassing this kind of detection from some awesome researchers including Cneeliz, BatSec and modexp. Each method relies on manipulating the ETW subsytem itself, from intercepting and manipulating calls to the usermode function EtwEventWrite or the kernel function NtTraceEvent, and even parsing and manipulating the ETW registration table to avoid any code patching.

https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/

#redteaming #dotnet #windows #bypass #evasion

Red Team: Using SharpChisel to exfil internal network

During many Red Team Assessment, we use multiple agents to connect to our target network infrastructure. These agents connect to different C2 servers such as Cobalt Strike, Metasploit Framework, Empire, SharpC2 (recent C2 Framework by Rasta Mouse), etc. One of the critical features of these C2 agents is to provide a tunnel to the target network. The latency to tunnels through these beacons or agents is quite high. Also, we generally have to make these agents interactive to make these tunnels work, which increases the risk of detection.

https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49
#redteaming #windows #exfiltration #bypass #evasion

Hiding In Plain Sight

https://blog.huntresslabs.com/hiding-in-plain-sight-556469e0a4e
#windows #malware #re #evasion #bypass

Bring your own .NET Core Garbage Collector

This blog post explains how it is possible to abuse a legitimate feature of .Net Core, and exploit a directory traversal bug to achieve application whitelisting bypass.

https://www.contextis.com/us/blog/bring-your-own-.net-core-garbage-collector

#windows #bypass #evasion #dotnet

Evasor

The Evasor is an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules. It is very easy to use, quick, saves time and fully automated which generates for you a report including description, screenshots and mitigations suggestions, suites for both blue and red teams in the assessment of a post-exploitation phase.

https://github.com/cyberark/Evasor/
#tools #evasion #bypass #windows #redteaming

Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC

https://modexp.wordpress.com/2020/07/07/wpi-wm-paste/
#windows #exploitation #evasion #bypass

Fuzzing the Windows API for AV Evasion

https://winternl.com/fuzzing-the-windows-api-for-av-evasion/
#evasion #bypass #av #windows

Fun with PowerShell Payload Execution and Evasion

In this article, we’re going to learn how to use COM objects and PowerShell in Windows to execute shell commands with a couple of techniques for evading some endpoint security.

https://medium.com/swlh/fun-with-powershell-payload-execution-and-evasion-f5051fd149b2
#windows #powershell #evasion #obfuscation

Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection

I'm going to release and detail a stealthy process injection technique that uses a combination of two functions to achieve allocation primitive (that i have already described some time ago) CreateFileMapping() and MapViewOfFile2() ( well i have made some updates to use a stealthier version called MapViewOfFile3() ) and chain a very powerful execution primitive through the call NtSetInformationProcess().

https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
#windows #injection #bypass #evasion #redteaming

Hiding PE Imports

You’ve spent the last hour cheffing up a spicy, homemade, Windows executable just right for your target. Go to compile it and, sweet, there are no errors. Fire up the isolated VM and give it a few test runs and it’s working great. That ASCII art is looking mighty clean I must say. Time to send it downrange. Upload completes and you can see it on the file system.

https://roblehesa.com/posts/hiding-pe-imports/
#windows #internals #redteaming #malware #evasion

Content-Type Research

Did you know that browsers support multiple Content-Type in HTTP response header?

https://github.com/BlackFan/content-type-research
#web #appsec #bugbounty #evasion

GoPurple

This project is a simple collection of various shell code injection techniques, aiming to streamline the process of endpoint detection evaluation, beside challenging myself to get into Golang world.

https://github.com/sh4hin/GoPurple
#evasion #bypass #redteaming #tools #golang

Bypass AMSI by manual modification

This is my very first blog post. Its about how to manually change AMSI signatures/triggers to bypass it.

https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
#redteaming #bypass #evasion #windows

Bypass AMSI by manual modification part II - Invoke-Mimikatz

This blog post will cover some lets say more advanced AMSI triggers. I decided to build a custom Invoke-Mimikatz script without AMSI trigger. I will also cover some information how Invoke-Mimikatz basically works for those who did not know it before.

https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
#windows #redteaming #bypass #evasion #amsi

Building a custom Mimikatz binary

This post will cover how to build a custom Mimikatz binary by doing source code modification to get past AV/EDR software.

https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/
#tools #windows #mimikatz #redteaming #evasion