EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

https://github.com/wavestone-cdt/EDRSandblast/

#tool #redteam #edr #bypass

This is a new bypass technique for memory scanners. It is useful in hiding problematic code that will be flagged by the antivirus vendors.

This is basically an improved version of Voidgate, but without all of the previous limitations.

This technique is compatible with all C2 beacons, it handles multithreaded payloads and it can handle executables generated by tools such as pe_to_shellcode, thus allowing it to run virtually any non .NET executables.

https://github.com/vxCrypt0r/Voidmaw

#tool #redteam #bypass

A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by the antimalware programs(such as mimikatz).

https://github.com/vxCrypt0r/Voidmaw

Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection

https://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/

From C to shellcode (simple way)

https://print3m.github.io/blog/from-c-to-shellcode

DLL Sideloading is a technique that enables the attacker to execute custom malicious code from within legitimate – maybe even signed – windows binaries/processes.

https://www.r-tec.net/r-tec-blog-dll-sideloading.html

Ghost is a shellcode loader project designed to bypass multiple detection capabilities that are usually implemented by an EDR

https://github.com/cpu0x00/Ghost

#edr #bypass #loader

Hannibal is a x64 Windows Agent written in fully position independent C (plus a tiny bit of C++). It is based off the Stardust template created by C5pider.

https://github.com/MythicAgents/Hannibal

Articles:
• https://silentwarble.com/posts/making-monsters-1/
• https://silentwarble.com/posts/making-monsters-2/
• https://silentwarble.com/posts/making-monsters-3/

#redteam #agent #pic

A curated list of resources to analyse and study malware techniques.

https://github.com/fr0gger/Awesome_Malware_Techniques

Real world malware delivery and initial access techniques (red teaming). Good source of inspiration.

Top 50 Techniques & Procedures
https://blog.redteamguides.com/top-50-techniques-proceduresrtc0019

#redteam

Chinese hackers use Visual Studio Code tunnels for remote access

https://www.bleepingcomputer.com/news/security/chinese-hackers-use-visual-studio-code-tunnels-for-remote-access

#news

The Art of Linux Kernel Rootkits

An advanced and deep introduction about Linux kernel mode rookits, how to detect, what are hooks and how it works.

https://inferi.club/post/the-art-of-linux-kernel-rootkits

#linux #rootkit

New blog on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that identified by author in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.

https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/

Proof-of-concept for the AMSI bypass and an implementation of a CLR memory manager is on GitHub. We can implement custom memory routines and track all allocations made by the CLR.

https://github.com/passthehashbrowns/Being-A-Good-CLR-Host

#redteam #net #clr

In case if you wonder what broke #ProcessHollowing on Windows 11 24H2

https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/

GitHub - bytecode77/r77-rootkit: Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://github.com/bytecode77/r77-rootkit