Update 12 has been released with the following modules and challenges:
Updated syllabus:
- Exploiting EDRs For Evasion - Finding Internal Exclusion List
- Introduction To Sleep Obfuscation
- Introduction to Ekko and Zilean Sleep Obfuscation
-
Dumping LSASS against CrowdStrike:
We frequently receive feedback from our users highlighting their success in engagements and how Maldev Academy contributed.
Today, we received a message detailing their effective use of New Modules 23, 25, and 38 to successfully bypass
September update is out. This one is heavy on AV & EDR evasion.
- Introduction to Havoc C&C
- Building an evasive DLL payload loader
- Introduction to DLL sideloading
- Practical DLL sideloading example
- DLL sideloading for EDR evasion
- Bring your own vulnerable driver (BYOVD)
We’ve launched Maldev Academy Code Search!
We’ve built two projects with the help of this service and posted the code and videos to the GitHub repository below:
Ghostly Hollowing + Tampered Syscalls Via Hardware Breakpoints: Utilizing hardware breakpoints to spoof syscall arguments while implementing Ghostly Hollowing PE Injection technique
These two techniques were covered in the recent course updates.
PeFluctuation is a technique designed to hide PE files in memory.
The images show PeFluctuation in action, hiding Mimikatz in memory and evading both pe-sieve and moneta.
PeFluctuation module will be included in update 6.
Maldev Academy DLL Loader vs Crowdstrike
The DLL loader is for Maldev members. But we're also publishing an EXE version of the loader on our GitHub for anyone to use.
Maldev Academy Code Search:
We’re very happy to announce the creation of a new code search service that will ease the learning and maldev experience for users.
The site currently holds over 7,000 lines of code across 300+ snippets, with new snippets added every month.
All
LSASS Dump BOF Challenge: Build a BOF for Havoc to dump LSASS by using existing handles to the lsass.exe process.
The challenge and code solution will be available next week!
Malware development is about to become more fun!
This is a snippet of a longer video where we use the new Maldev Academy Code Search service to create a loader in less than 10 minutes.
Service launch date: February 19th, 2024
We will be doing giveaways so keep an eye out for
The upcoming Maldev Academy update will showcase a module that explains the process of developing a 'Shellcode Reflective DLL' builder.
This builder converts your DLL payload into position-independent shellcode, allowing you to load any DLL reflectively.
New Module 27 - Bring Your Own Vulnerable Driver (BYOVD)
Learn to inject C2 shellcode into the Microsoft Defender process (MsMpEng.exe) by exploiting a vulnerable driver.
Update 9 has been finalized and QA’d. It will be pushed out tonight:
Modules:
[1] Ghost Process Injection
[2] Ghostly Hollowing
[3] Herpaderping Process Injection
[4] Herpaderply Hollowing
[5] Shellcode Reflective DLL Injection
Challenges:
[1] Remote Module Stomping
[2] Process
Update 6 has been posted. These are pretty large and complex modules.
- Local PE Execution
- Reflective DLL Injection
- PeFluctuation (in-memory encryption)
- Building a PE Packer
Update 7 tentatively for November is:
- DLL Proxying
- Utilizing Fibers For Payload Execution
-
We're proud to announce that @C5pider will be joining the Maldev Academy Team this month in developing practical challenges for our users that will aid their malware development journey and reinforce what they've learned throughout the course.
New Module 46: Exploiting EDRs For Evasion - Preventing EDR From Taking Action
This module demonstrates a logic vulnerability in an EDR. Setting the "Read-Only" attribute on a malicious file prevents it from being quarantined or deleted.
We exploit this vulnerability to
Update 4 Out Now:
1. AMSI Intro
2. AMSI Bypass Via Byte Patching
3. Patchless AMSI Bypass Via Hardware Breakpoints
4. Building a DRM-Equipped Malware
Update 5 - September (Tentatively):
1. Building An Evasive DLL Payload Loader
2. EDR Evasion Via DLL Sideloading
3. Bring Your
Update 3 out now:
- Event Tracing for Windows - Introduction
- Event Tracing For Windows - ETW Tools
- Event Tracing For Windows - ETW Bypass Via Byte Patching
- Event Tracing for Windows - Better Patching
- Event Tracing for Windows - Patchless ETW
By the end of the "Shellcode Reflective DLL Injection" module, you'll be able to create a custom shellcode builder that converts your DLL payload into shellcode.
Learn how to build a custom PE packer from scratch with the "Building A PE Packer" module. The generated packed payloads are capable of bypassing memory scanning tools such as Moneta and PeSieve.
Update 1 out now!
- More C fundamentals for beginners
- Binary Metadata Modification
- Thread Enumeration via NtQuerySystemInformation
- Custom WinAPI Functions
- Exploiting EDRs For Evasion
- Introduction To MASM Assembly
Updated Syllabus:
DRMBinViaOrdinalImports - Create Anti-Copy DRM Malware:
Prevent a binary from successfully running on other machines by modifying the IAT and replacing the imported function names with their corresponding ordinals.
In update 1 we released our first "Exploiting EDRs For Evasion" module. We're planning to showcase more weaknesses with the following modules:
1. Exploiting EDRs For Evasion - Preventing EDR From Taking Action
2. Exploiting EDRs For Evasion - Finding Internal Exclusions
3.
An interesting line of AV/EDR research is testing whether the name of a file can change the behavior of the security solution.
In our upcoming "Exploiting EDRs For Evasion" module, we demonstrate this concept against two EDR products.
The code search database is being updated in the upcoming week. Some of the new snippets include:
- Network Interaction Functions
- LSASS Dumping
- Lateral Movement
- Token Manipulation
- User Enumeration & Manipulation
- Anti-Analysis Techniques
All ready for use through
The Code Search database has been updated with nearly 100 new snippets. Copy-paste, invoke and compile.
Some of the new snippets include:
- LSASS Dump Via Seclogon Race Condition
- LSASS Dump Via Duplication & Process Forking
- LSASS Dump Via
New Module 45 - Tampered Syscalls Via Hardware Breakpoints:
This new module discusses an advanced technique to bypass userland hooks while simultaneously spoofing the invoked syscall's arguments.
New Module 5: Introduction to MASM Assembly
A large module that covers the foundations of assembly programming. This knowledge becomes useful in later modules and challenges where we work with working shellcode.
We have another 5 tickets to give away for @HackSpaceCon
We believe this is an excellent learning opportunity for anyone in the cyber security industry.
All you need to do to qualify is comment on this post. We will select 5 winners on Saturday.
One of our more experienced users, @inbits_sec, released an obfuscation tool "CSSHide" inspired by the obfuscation modules in the course.
It's always great to see students going above and beyond and building their own projects💪
The upcoming hooking module is 🔥
The module teaches you to utilize hardware breakpoints to perform patchless hooks. It's capable of copying installed hooks into new threads, as shown in the images.
Update 11 has been pushed along with the challenge solutions:
1. Process Hypnosis (Credits: @H0udini_13)
2. Introduction To Object Files
3. Writing Beacon Object Files
4. Object File Loading
5. Anti-Analysis: IP Whitelisting (Challenge)
6. Domain Registration Kill Switch
The upcoming update includes utilization of TLS callbacks for anti-analysis purposes. If the binary detects it's being debugged, it will overwrite its main function with 0xFF bytes.
Image 1 - Normal execution
Image 2 - Attempt to execute during debugging fails
We've uploaded the final batch of code snippets for this month's update to our Malware Dev Database:
- Hardware Breakpoint Threadless Injection (Existing Process)
- Hardware Breakpoint Threadless Injection (New Process)
- PeFluctuation
- Process Hypnosis
- Syscalls Tampering
-
On Friday we pushed our 13th update which included the following modules:
- Token Manipulation
- Library Proxy Loading
- Heap Encryption With Ekko Sleep Obfuscation
We will also add 12 new challenges in the following week along with new snippets to the code database.
@k3nundrum sharing his usage of our latest "Bring Your Own Vulnerable Driver" module and receiving a Havoc callback from Microsoft Defender's process (MsMpEng.exe) with no detection.
Some of the new snippets being added next month:
SCCM NAA Credential Dump
Wi-Fi Passwords Dump
Module Overloading
PE Injection
ETW Provider Session Hijacking
Copy-paste, invoke and compile.
Our latest module shows the implementation of Digital Rights Management (DRM) within the malware.
Once executed on a machine, the malware will not execute on any other machine.
This can potentially be effective against AV/EDR automatic sample submission.
Following last month's introduction to Beacon Object Files, these newly released challenges provide a great opportunity to test your knowledge:
- Threadless Shellcode Injection via Hardware Breakpoints BOF
- LSASS Dump BOF
Be sure to give them a try!
We've added 3 new challenges courtesy of @C5pider. Solutions will be posted this week.
- Anti-Analysis: IP Whitelisting
- Domain Registration Kill Switch (WannaCry Style)
- Malware Working Hours
Due to the success of our private red team channel, we launched a second round of submissions yesterday. Within the first hour, we received more than 100 submissions.
We will be reviewing these submissions and approving qualified applicants over the coming days.
Our next update will demonstrate how we can make EDRs behave unexpectedly against certain file names and attributes.
The update will provide information that can allow further vulnerability research against security solutions.
We're creating an exclusive channel on our Discord server for red teamers.
The admission form can be found in our Discord announcements channel. We will stop accepting responses at midnight (EDT).
We currently have over 150 submissions from some very highly qualified
Yesterday marked the 12th update of our Malware Development Course. An update almost every month since the launch of Maldev Academy!
We have a lot more updates coming. Stay tuned.
What happens when Gartner's 100% Detection/Prevent EDRs get put up against @MalDevAcademy's code search? Had a blast getting one of the modules to dump lsass tonight 😅
Close to 200 Nim snippets have been added to our code database.
Database updates:
Reminder to anyone who subscribed before this week: your subscription no longer expires.
Last week’s challenge was to implement a “kill date” for a malware.
The solution has been posted now!
As a reminder you can submit your challenge to be featured in the upcoming weeks.
Some changes made over the weekend to our Malware Development Database:
1. Single Sign On implementation on search[.]maldevacademy[.]com for better integration with the course material.
2. Pricing for search[.]maldevacademy[.]com has changed from a subscription payment to a
New challenges uploaded:
- Ekko With Control Flow Guard (CFG) Enabled
- Ekko With Restored File Section Protections
- Ekko Using RtlEncryptMemory And RtlDecryptMemory
Perform limited directory encryption/decryption with the snippets found in our database.
These snippets can be used for ransomware simulation to validate defense mechanisms against directory and file encryption.
Last week's challenge was to update the course's custom implementation of GetProcAddress to support forwarded functions.
The solution was posted last night on our Discord channel. It will be posted on the website soon.
Thanks to @C5pider for developing this challenge.
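As an added illustration of what the forwarded-function challenge asks for (this is our own example here, not the course's custom GetProcAddress or C5pider's solution), the C below resolves an export by name or by "#ordinal" from an IMAGE_EXPORT_DIRECTORY and follows forwarders. The one fact it relies on is how forwarders are encoded: a function RVA that lands inside the export directory itself is not code but an ASCII "TARGETDLL.Name" (or "TARGETDLL.#ordinal") string. Everything else is an assumption of the sample: the structures are redefined so it builds without windows.h, and the "NTDLL" and "KERNEL32" modules are constructed in memory with made-up RVAs, not real system images.

```c
/* Added example: a custom GetProcAddress that follows forwarded exports. Structures are
 * redefined so this builds without windows.h; the two "modules" are constructed in memory. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXP_RVA 0x1000u  /* RVA of the export directory in each constructed image (assumed) */

typedef struct {         /* IMAGE_EXPORT_DIRECTORY */
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

typedef struct { const char *name; uint8_t *image; uint32_t exp_rva, exp_size; } module_t;

static uint32_t rd32(const uint8_t *p, uint32_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static uint16_t rd16(const uint8_t *p, uint32_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static void wr32(uint8_t *p, uint32_t o, uint32_t v) { memcpy(p + o, &v, 4); }
static void wr16(uint8_t *p, uint32_t o, uint16_t v) { memcpy(p + o, &v, 2); }

/* Case-insensitive: does `name` equal exactly the first `n` bytes of `seg`? */
static int name_eq(const char *name, const char *seg, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)name[i]) != tolower((unsigned char)seg[i])) return 0;
    return name[n] == '\0';
}

/* Look `func` ("Name" or "#ordinal") up in `module`'s export directory. A function RVA that
 * lands inside the export directory is a forwarder string ("TARGET.Name" or "TARGET.#ord"),
 * which is followed into the target module, at most 8 hops deep (guards forwarder loops).
 * Returns the RVA and sets *owner to the module that finally exports it, or 0 on failure. */
uint32_t resolve_export(const module_t *mods, size_t nmods, const char *module,
                        const char *func, const module_t **owner, int depth) {
    const module_t *m = NULL;
    if (depth > 8) return 0;
    for (size_t i = 0; i < nmods; i++)
        if (name_eq(mods[i].name, module, strlen(module))) { m = &mods[i]; break; }
    if (!m) return 0;
    export_dir_t ed; memcpy(&ed, m->image + m->exp_rva, sizeof ed);
    uint32_t idx = UINT32_MAX;
    if (func[0] == '#') {                          /* ordinal lookup: index = ordinal - Base */
        uint32_t ord = (uint32_t)strtoul(func + 1, NULL, 10);
        if (ord < ed.Base || ord - ed.Base >= ed.NumberOfFunctions) return 0;
        idx = ord - ed.Base;
    } else {                                       /* name lookup goes through the ordinal table */
        for (uint32_t i = 0; i < ed.NumberOfNames; i++)
            if (strcmp((const char *)m->image + rd32(m->image, ed.AddressOfNames + 4 * i), func) == 0) {
                idx = rd16(m->image, ed.AddressOfNameOrdinals + 2 * i); break;
            }
        if (idx >= ed.NumberOfFunctions) return 0;
    }
    uint32_t rva = rd32(m->image, ed.AddressOfFunctions + 4 * idx);
    if (rva >= m->exp_rva && rva < m->exp_rva + m->exp_size) {   /* forwarded export */
        const char *fwd = (const char *)m->image + rva, *dot = strchr(fwd, '.');
        char dll[64];
        if (!dot || (size_t)(dot - fwd) >= sizeof dll) return 0;
        memcpy(dll, fwd, (size_t)(dot - fwd)); dll[dot - fwd] = '\0';
        return resolve_export(mods, nmods, dll, dot + 1, owner, depth + 1);
    }
    if (owner) *owner = m;
    return rva;
}

typedef struct { const char *name; uint32_t rva; const char *forwarder; } export_spec_t;

/* Lay a constructed export directory into `img`: tables first, then the name and forwarder
 * strings, so forwarder strings fall inside the directory. Returns the directory size. */
static uint32_t build_exports(uint8_t *img, const export_spec_t *s, uint32_t n) {
    uint32_t funcs = EXP_RVA + sizeof(export_dir_t), names = funcs + 4 * n, ords = names + 4 * n;
    uint32_t p = ords + 2 * n;
    for (uint32_t i = 0; i < n; i++) {
        wr32(img, names + 4 * i, p); strcpy((char *)img + p, s[i].name); p += (uint32_t)strlen(s[i].name) + 1;
        wr16(img, ords + 2 * i, (uint16_t)i);
        if (!s[i].forwarder) { wr32(img, funcs + 4 * i, s[i].rva); continue; }
        wr32(img, funcs + 4 * i, p); strcpy((char *)img + p, s[i].forwarder); p += (uint32_t)strlen(s[i].forwarder) + 1;
    }
    export_dir_t ed = {0};
    ed.Base = 1; ed.NumberOfFunctions = ed.NumberOfNames = n;
    ed.AddressOfFunctions = funcs; ed.AddressOfNames = names; ed.AddressOfNameOrdinals = ords;
    memcpy(img + EXP_RVA, &ed, sizeof ed);
    return p - EXP_RVA;
}

static uint8_t g_ntdll[0x2000], g_k32[0x2000];   /* constructed images, not real DLLs */
static module_t g_mods[2];

/* Resolve against two constructed modules in which KERNEL32 forwards into NTDLL. */
uint32_t sample_resolve(const char *module, const char *func, const char **owner_name) {
    static const export_spec_t nt[] = { {"RtlAllocateHeap", 0x1800, NULL}, {"RtlFreeHeap", 0x1900, NULL} };
    static const export_spec_t kr[] = { {"HeapAlloc", 0, "NTDLL.RtlAllocateHeap"}, {"HeapFree", 0, "NTDLL.#2"},
                                        {"Loop", 0, "KERNEL32.Loop"}, {"VirtualAlloc", 0x1A00, NULL} };
    if (!g_mods[0].image) {
        g_mods[0] = (module_t){ "NTDLL", g_ntdll, EXP_RVA, build_exports(g_ntdll, nt, 2) };
        g_mods[1] = (module_t){ "KERNEL32", g_k32, EXP_RVA, build_exports(g_k32, kr, 4) };
    }
    const module_t *owner = NULL;
    uint32_t rva = resolve_export(g_mods, 2, module, func, &owner, 0);
    if (owner_name) *owner_name = owner ? owner->name : NULL;
    return rva;
}

int main(void) {
    const char *owner; uint32_t rva = sample_resolve("kernel32", "HeapAlloc", &owner);
    printf("HeapAlloc resolves to %s+0x%x\n", owner ? owner : "?", rva);
    return 0;
}
```

Two details matter for a real loader: the name-to-index step must go through AddressOfNameOrdinals rather than assuming names and functions share an index, and the forwarder check compares the function RVA against the export directory's own range, which is why the loader needs the directory size from the data directory and not just its RVA. The hop limit is there because a chain of forwarders that never reaches code would otherwise recurse forever.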
Make sure to give this week's challenge by @C5pider a shot. The challenge is regarding PE image base relocation. A great start for people wanting to write their own loaders.
The challenge can be found on our Discord server and the solution will be posted next week!
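As an added worked example for the relocation challenge (our own illustration, not the course's or C5pider's solution), the C below walks a PE base-relocation directory and adds the load delta to every absolute address it lists. It goes a little beyond the one-line description above: it handles both IMAGE_REL_BASED_DIR64 and IMAGE_REL_BASED_HIGHLOW entries, skips ABSOLUTE padding, and bounds-checks every block and target before writing. IMAGE_BASE_RELOCATION is redefined so the code builds without windows.h, and the sample image it relocates is constructed in memory; its preferred base (0x140000000), size and relocation-block placement are assumptions of the sample, not values taken from the page.

```c
/* Added example: applying PE base relocations when an image cannot load at its preferred
 * base. IMAGE_BASE_RELOCATION is redefined so this builds without windows.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, nothing to patch */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address */
#define IMAGE_REL_BASED_DIR64    10  /* 64-bit absolute address */

typedef struct { uint32_t VirtualAddress, SizeOfBlock; } base_reloc_t; /* IMAGE_BASE_RELOCATION */

/* Walk the relocation directory (DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]) of a mapped
 * image and add `delta` (actual base minus preferred base) to every absolute address.
 * Returns the number of entries patched, or -1 if the directory is malformed. */
int apply_relocations(uint8_t *image, size_t image_size,
                      uint32_t reloc_rva, uint32_t reloc_size, int64_t delta) {
    if (delta == 0) return 0;                                   /* loaded at preferred base */
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;
    size_t off = reloc_rva, end = (size_t)reloc_rva + reloc_size;
    int patched = 0;
    while (off + sizeof(base_reloc_t) <= end) {
        base_reloc_t hdr; memcpy(&hdr, image + off, sizeof hdr);
        if (hdr.SizeOfBlock < sizeof hdr || off + hdr.SizeOfBlock > end) return -1;
        size_t nentries = (hdr.SizeOfBlock - sizeof hdr) / sizeof(uint16_t);
        for (size_t i = 0; i < nentries; i++) {
            uint16_t e; memcpy(&e, image + off + sizeof hdr + 2 * i, sizeof e);
            unsigned type = e >> 12;                                   /* high 4 bits: type */
            size_t target = (size_t)hdr.VirtualAddress + (e & 0xFFF);  /* low 12: offset in page */
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type == IMAGE_REL_BASED_DIR64) {
                if (target + 8 > image_size) return -1;
                uint64_t v; memcpy(&v, image + target, 8);
                v += (uint64_t)delta; memcpy(image + target, &v, 8);
            } else if (type == IMAGE_REL_BASED_HIGHLOW) {
                if (target + 4 > image_size) return -1;
                uint32_t v; memcpy(&v, image + target, 4);
                v += (uint32_t)delta; memcpy(image + target, &v, 4);
            } else return -1;                                          /* unsupported type */
            patched++;
        }
        off += hdr.SizeOfBlock;
    }
    return patched;
}

#define PREFERRED_BASE 0x140000000ULL   /* assumed ImageBase of the constructed image */
#define IMAGE_SIZE     0x3000
#define RELOC_RVA      0x2000
#define RELOC_SIZE     (sizeof(base_reloc_t) + 2 * sizeof(uint16_t))

/* Constructed 64-bit image: one absolute pointer at RVA 0x1010 (pointing at RVA 0x2000 under
 * the preferred base) and a .reloc block for page 0x1000 that describes it. */
static void build_sample_image(uint8_t *image) {
    memset(image, 0, IMAGE_SIZE);
    uint64_t ptr = PREFERRED_BASE + 0x2000; memcpy(image + 0x1010, &ptr, sizeof ptr);
    base_reloc_t hdr = { 0x1000, (uint32_t)RELOC_SIZE };
    uint16_t entries[2] = { (IMAGE_REL_BASED_DIR64 << 12) | 0x010, IMAGE_REL_BASED_ABSOLUTE };
    memcpy(image + RELOC_RVA, &hdr, sizeof hdr);
    memcpy(image + RELOC_RVA + sizeof hdr, entries, sizeof entries);
}

/* Relocate the sample to `new_base`; returns the patched-entry count and the patched pointer. */
static int run_sample(uint64_t new_base, uint64_t *ptr_out) {
    static uint8_t image[IMAGE_SIZE];
    build_sample_image(image);
    int n = apply_relocations(image, IMAGE_SIZE, RELOC_RVA, (uint32_t)RELOC_SIZE,
                              (int64_t)(new_base - PREFERRED_BASE));
    memcpy(ptr_out, image + 0x1010, sizeof *ptr_out);
    return n;
}
uint64_t relocated_pointer(uint64_t new_base) { uint64_t v; run_sample(new_base, &v); return v; }
int      relocated_count(uint64_t new_base)   { uint64_t v; return run_sample(new_base, &v); }

int main(void) {
    uint64_t base = 0x7FF6A0000000ULL;   /* assumed address the loader actually obtained */
    printf("%d entries patched; pointer now 0x%llx (expected 0x%llx)\n",
           relocated_count(base), (unsigned long long)relocated_pointer(base),
           (unsigned long long)(base + 0x2000));
    return 0;
}
```

In a loader the delta is simply the address VirtualAlloc returned minus OptionalHeader.ImageBase, and the patching must happen before imports are resolved and before section protections are tightened, since the targets live in sections that will later become read-only. The delta is signed on purpose: an image loaded below its preferred base needs a negative adjustment, which the unsigned wrap-around addition handles correctly.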