Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection
https://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/
DLL Sideloading is a technique that enables an attacker to execute custom malicious code from within legitimate – maybe even signed – Windows binaries/processes.
https://www.r-tec.net/r-tec-blog-dll-sideloading.html
Ghost is a shellcode loader project designed to bypass multiple detection capabilities that are usually implemented by an EDR
https://github.com/cpu0x00/Ghost
#edr #bypass #loader
Hannibal is an x64 Windows agent written in fully position-independent C (plus a tiny bit of C++). It is based on the Stardust template created by C5pider.
https://github.com/MythicAgents/Hannibal
Articles:
• https://silentwarble.com/posts/making-monsters-1/
• https://silentwarble.com/posts/making-monsters-2/
• https://silentwarble.com/posts/making-monsters-3/
#redteam #agent #pic
A curated list of resources to analyse and study malware techniques.
https://github.com/fr0gger/Awesome_Malware_Techniques
Real world malware delivery and initial access techniques (red teaming). Good source of inspiration.
Top 50 Techniques & Procedures
https://blog.redteamguides.com/top-50-techniques-proceduresrtc0019
#redteam
Chinese hackers use Visual Studio Code tunnels for remote access
https://www.bleepingcomputer.com/news/security/chinese-hackers-use-visual-studio-code-tunnels-for-remote-access
#news
Chinese hackers targeting large IT service providers in Southern Europe were seen abusing Visual Studio Code (VSCode) tunnels to maintain persistent access to compromised systems.
The Art of Linux Kernel Rootkits
An advanced and deep introduction to Linux kernel-mode rootkits: how to detect them, what hooks are, and how they work.
https://inferi.club/post/the-art-of-linux-kernel-rootkits
#linux #rootkit
New blog on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass identified by the author in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.
https://securityintelligence.com/x-force/being-a-good-clr-host-modernizing-offensive-net-tradecraft/
Proof-of-concept for the AMSI bypass and an implementation of a CLR memory manager is on GitHub. We can implement custom memory routines and track all allocations made by the CLR.
https://github.com/passthehashbrowns/Being-A-Good-CLR-Host
#redteam #net #clr
In case you wonder what broke #ProcessHollowing on Windows 11 24H2
https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/
GitHub - bytecode77/r77-rootkit: Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://github.com/bytecode77/r77-rootkit