A universal EDR bypass built in Windows 10
https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/
#EDR , #windows_internals
While studying internals of a mechanism used by all EDR software to get information about processes activities on Windows, we came across a way for malicious processes to disable the generation of some security events related to process interactions. This technique could be used to evade EDR software while performing malicious operations such as process memory dumping, code injection or process hollowing.
https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/
#EDR , #windows_internals
Daily linux triks and security notes from seilany ( multiple linux distrubution developer )
[ 1 ] A technique to increase the speed of Linux kernel and operating system by 25%
[ 2 ] Increase the speed of ssd memory
.
.
.
Don't miss it! 👁👇🏻
https://news.1rj.ru/str/linuxtnt
[ 1 ] A technique to increase the speed of Linux kernel and operating system by 25%
[ 2 ] Increase the speed of ssd memory
.
.
.
Don't miss it! 👁👇🏻
❤🔥7
Binary Exploitation Notes
https://ir0nstone.gitbook.io/notes
credit : Andrej Ljubic
Stack
Heap
Kernel
Browser Exploitation
https://ir0nstone.gitbook.io/notes
credit : Andrej Ljubic
Process injection techniques $
(꩜)ListPlanting ->( Mitre )
(꩜)Process Doppelganging ->( Mitre)
(꩜)Process Hollowing ->( GitHub)
(꩜)Extra Window Memory Injection -> ( Mitre )
(꩜)TLS callback ->( GitHub)
(꩜)APC injection -> ( earlybird )
(꩜) Thread Hijacking ->( GitHub )
(꩜) Transacted Hollowing (hasherezade)
(꩜) Process Ghosting (hasherezade)
(꩜) DLL hollowing (hasherezade)
(꩜) ChimeraPE (hasherezade)
(꩜) Process Overwriting (hasherezade)
(꩜) Process Chameleon (YouTube)
+Demo by hasherezade
------------------_---------------
Others:
Mockingjay
+ thread namecalling:
https://github.com/hasherezade/thread_namecalling.git
https://news.1rj.ru/str/Source_byte
#malware_dev #process_injection
(꩜)ListPlanting ->( Mitre )
(꩜)Process Doppelganging ->( Mitre)
(꩜)Process Hollowing ->( GitHub)
(꩜)Extra Window Memory Injection -> ( Mitre )
(꩜)TLS callback ->( GitHub)
(꩜)APC injection -> ( earlybird )
(꩜) Thread Hijacking ->( GitHub )
(꩜) Transacted Hollowing (hasherezade)
(꩜) Process Ghosting (hasherezade)
(꩜) DLL hollowing (hasherezade)
(꩜) ChimeraPE (hasherezade)
(꩜) Process Overwriting (hasherezade)
(꩜) Process Chameleon (YouTube)
+Demo by hasherezade
------------------_---------------
Others:
Mockingjay
+ thread namecalling:
https://github.com/hasherezade/thread_namecalling.git
https://news.1rj.ru/str/Source_byte
#malware_dev #process_injection
Process Enumeration methods $
[+] Hunting RWX trick
[+] EnumWindowsProcesses Callback
[+] Toolhelp api
[+] WTS API
[+] NTQuerySystemInformation
[+] Others
~~~~
Related:
Advanced-Process-Injection-Workshop[ GitHub ]
https://news.1rj.ru/str/Source_byte
#malware_dev #process_enumration
[+] Hunting RWX trick
[+] EnumWindowsProcesses Callback
[+] Toolhelp api
[+] WTS API
[+] NTQuerySystemInformation
[+] Others
Related:
Advanced-Process-Injection-Workshop[ GitHub ]
https://news.1rj.ru/str/Source_byte
#malware_dev #process_enumration
❤6👍1🔥1
Exploiting an io_uring Vulnerability in Ubuntu
https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/
#cve_analysis , #linux_internals , #CVE-2024-0582
This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months, making it an easy 0day vector in Ubuntu during that time.
https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/
#cve_analysis , #linux_internals , #CVE-2024-0582
👍3
Parent pid spoofing Techniques $
[+] Via Createprocess ( iredteam )
[+] PPID Spoofing via WMI
[+] NtCreateUserProcess
[+] Pid spoofing (Methods)
-Real Example by security in bits
https://news.1rj.ru/str/Source_byte
#malware_dev #spoofing
[+] Via Createprocess ( iredteam )
[+] PPID Spoofing via WMI
[+] NtCreateUserProcess
[+] Pid spoofing (Methods)
-Real Example by security in bits
https://news.1rj.ru/str/Source_byte
#malware_dev #spoofing
❤7🔥3👍1
series on virtualization technologies and internals of various solutions (QEMU, Xen and VMWare)
Credit: @LordNoteworthy
[ 0 ] Intro: virtualization internals part 1 intro to virtualization
[ 1 ] VMWare: Virtualization Internals Part 2 - VMWare and Full Virtualization using Binary Translation
[ 2 ] Xen: Virtualization Internals Part 3 - Xen and Paravirtualization
[ 4 ] QEMU: Virtualization Internals Part 4 - QEMU
——-
related posts :
[ 0 ] Writing a simple 16 bit VM in less than 125 lines of C
[ 1 ] Write your Own Virtual Machine
[ 2 ] notes on vm and qemu escape exploit
[ 3 ] notes on VMware escape exploits by version
[ 4 ] Unpack VMProtect
#VM , #cve_analysis , #VM_internals
—-
https://news.1rj.ru/str/Source_byte
Credit: @LordNoteworthy
[ 0 ] Intro: virtualization internals part 1 intro to virtualization
[ 1 ] VMWare: Virtualization Internals Part 2 - VMWare and Full Virtualization using Binary Translation
[ 2 ] Xen: Virtualization Internals Part 3 - Xen and Paravirtualization
[ 4 ] QEMU: Virtualization Internals Part 4 - QEMU
——-
related posts :
[ 0 ] Writing a simple 16 bit VM in less than 125 lines of C
[ 1 ] Write your Own Virtual Machine
[ 2 ] notes on vm and qemu escape exploit
[ 3 ] notes on VMware escape exploits by version
[ 4 ] Unpack VMProtect
#VM , #cve_analysis , #VM_internals
—-
https://news.1rj.ru/str/Source_byte
❤6👍1😁1
Source Byte
Process Enumeration methods $ [+] Hunting RWX trick [+] EnumWindowsProcesses Callback [+] Toolhelp api [+] WTS API [+] NTQuerySystemInformation [+] Others ~~~~ Related: Advanced-Process-Injection-Workshop[ GitHub ] https://news.1rj.ru/str/Source_byte #malware_dev…
This media is not supported in your browser
VIEW IN TELEGRAM
🥰3👍1😁1
Forwarded from $ᴘ3ᴅʏʟ1👾
LSASS Memory Dumps are Stealthier than Ever Before
[+] MiniDumpWriteDump (Vitaminizing MiniDump)
[+] Comsvcs.dll
[+] Direct syscall [GitHub]
[+] Nano dump [info]
[+] Dump with trusted process
Look at all of them 1
Look at All of them 2
T1003.001 - OS Credential Dumping: LSASS Memory
Lsass for everyone [advanced]
WINDOWS SECRETS EXTRACTION: A SUMMARY by synacktiv
https://news.1rj.ru/str/Source_byte
#malware_dev #lsass
Dumping is implemented by interfacing with various external tools:
comsvcs
comsvcs_stealth
dllinject
procdump
procdump_embedded
dumpert
dumpertdll
ppldump
ppldump_embedded
mirrordump
mirrordump_embedded
wer
EDRSandBlast
nanodump
rdrleakdiag
silentprocessexit
sqldumper
[+] MiniDumpWriteDump (Vitaminizing MiniDump)
[+] Comsvcs.dll
[+] Direct syscall [GitHub]
[+] Nano dump [info]
[+] Dump with trusted process
Look at all of them 1
Look at All of them 2
T1003.001 - OS Credential Dumping: LSASS Memory
Lsass for everyone [advanced]
WINDOWS SECRETS EXTRACTION: A SUMMARY by synacktiv
https://news.1rj.ru/str/Source_byte
#malware_dev #lsass
❤5👍1🔥1
SoheilSec :
توسعه بدافزار C2
توسعه بدافزار یکی از مهارتهایی است که برای شبیه سازی حملات APT بسیار مهم و کاربردی است
طبق MITRE attack و cyber kill chain یکی مراحل C2 است.
https://attack.mitre.org/tactics/TA0011
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
برای توسعه بدافزار ابتدا نیازمند یادگیری یک زبان برنامه نویسی هستید، زبانی نیاز دارید که بتوانید توسط آن با win32 API کار کنید
زبان های پیشنهادی
c++
python
rust
کتاب ها:
https://news.1rj.ru/str/Peneter_Media/451
https://news.1rj.ru/str/Peneter_Media/452
https://news.1rj.ru/str/Peneter_Media/453
https://news.1rj.ru/str/Peneter_Media/454
دوره های توسعه بدافزار:
https://institute.sektor7.net/red-team-operator-malware-development-essentials
https://institute.sektor7.net/rto-maldev-intermediate
https://maldevacademy.com/
https://www.udemy.com/course/offensive-rust/
https://www.udemy.com/course/offensive-csharp/
قدم بدی نیازمند یادگیری win32 API هستید تا بتوانید
Process Manipulation, Memory Manipulation, Networking, DLL Injection
همچنین انواع تکنیک های injection یاد بگیرید:
DLL Injection, Process Hollowing, Reflective DLL Injection, Thread Injection, AtomBombing, APC Injection
لینک زیر ببینید:
https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop
c2 نیازمند یک protocol communication هست
http/https, DNS, ICMP
نیازمند یادگیری کار با Encryption
AES, XOR, RC4, RSA, ECC, ChaCha20
منابع توسعه بدافزار c2
https://pre.empt.blog/
https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/
https://0xrick.github.io/misc/c2/
https://github.com/CodeXTF2/maldev-links
https://0xrick.github.io/misc/c2/
https://captmeelo.com/
https://www.vx-underground.org/#E:/root
بهترین c2 ها:
https://www.thec2matrix.com/
https://github.com/EmpireProject/Empire
https://github.com/HavocFramework/Havoc
https://github.com/cobbr/Covenant
https://github.com/Ne0nd0g/merlin
https://github.com/its-a-feature/Mythic
https://github.com/byt3bl33d3r/SILENTTRINITY
https://github.com/nettitude/PoshC2
https://github.com/BishopFox/sliver
https://github.com/rapid7/metasploit-framework
تکنیک های دور زدن می تونید از بلاگ ها و ریپوهای زیر دنبال کنید
https://github.com/boku7
https://trickster0.github.io/
https://github.com/S4ntiagoP
https://github.com/Cracked5pider
https://casvancooten.com/
https://github.com/chvancooten
https://mr.un1k0d3r.world/
https://und3rf10w.github.io/
https://github.com/waldo-irc
https://www.arashparsa.com/
https://passthehashbrowns.github.io/
https://www.wsast.co.uk/
https://gist.github.com/odzhan
https://modexp.wordpress.com/
https://fool.ish.wtf/
https://github.com/realoriginal
https://suspicious.actor/
https://github.com/moloch–
https://github.com/am0nsec
https://amonsec.net/about/
https://github.com/rasta-mouse
https://rastamouse.me/
https://github.com/xpn
https://blog.xpnsec.com/
https://github.com/sneakid
https://www.solomonsklash.io/
https://github.com/kyleavery
بعد از اینکه c2 خودتان را توسعه دهید تازه باید به دنبال دیباگ کردن و همچنین دور زدن Anti Virus و EDR باشید برای اینکار نیازمند تکنیک و ابزار Debugger هستید:
IDA Pro,OllyDbg and x64dbg,WinDbg,Ghidra,Immunity Debugger
https://news.1rj.ru/str/Peneter_Media/455
https://news.1rj.ru/str/Peneter_Media/456
https://news.1rj.ru/str/Peneter_Media/457
https://news.1rj.ru/str/Peneter_Media/458
برای دور زدن:
https://news.1rj.ru/str/Peneter_Media/444
https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass
https://medium.com/offensive-security-walk-throughs/three-techniques-for-bypassing-edr-3b4101002951
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://cydef.ca/blog/av-vs-edr-an-introduction-to-antivirus-bypass/
انتشار مقاله:
https://www.soheilsec.com/توسعه-بدافزار-c2/
سهیل هاشمی
کارشناسی ارشد شبکه | کارشناس ارشد امنیت شبکه
#c2 #malware_dev #AV
توسعه بدافزار C2
توسعه بدافزار یکی از مهارتهایی است که برای شبیه سازی حملات APT بسیار مهم و کاربردی است
طبق MITRE attack و cyber kill chain یکی مراحل C2 است.
https://attack.mitre.org/tactics/TA0011
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
برای توسعه بدافزار ابتدا نیازمند یادگیری یک زبان برنامه نویسی هستید، زبانی نیاز دارید که بتوانید توسط آن با win32 API کار کنید
زبان های پیشنهادی
c++
python
rust
کتاب ها:
https://news.1rj.ru/str/Peneter_Media/451
https://news.1rj.ru/str/Peneter_Media/452
https://news.1rj.ru/str/Peneter_Media/453
https://news.1rj.ru/str/Peneter_Media/454
دوره های توسعه بدافزار:
https://institute.sektor7.net/red-team-operator-malware-development-essentials
https://institute.sektor7.net/rto-maldev-intermediate
https://maldevacademy.com/
https://www.udemy.com/course/offensive-rust/
https://www.udemy.com/course/offensive-csharp/
قدم بدی نیازمند یادگیری win32 API هستید تا بتوانید
Process Manipulation, Memory Manipulation, Networking, DLL Injection
همچنین انواع تکنیک های injection یاد بگیرید:
DLL Injection, Process Hollowing, Reflective DLL Injection, Thread Injection, AtomBombing, APC Injection
لینک زیر ببینید:
https://github.com/RedTeamOperations/Advanced-Process-Injection-Workshop
c2 نیازمند یک protocol communication هست
http/https, DNS, ICMP
نیازمند یادگیری کار با Encryption
AES, XOR, RC4, RSA, ECC, ChaCha20
منابع توسعه بدافزار c2
https://pre.empt.blog/
https://shogunlab.gitbook.io/building-c2-implants-in-cpp-a-primer/
https://0xrick.github.io/misc/c2/
https://github.com/CodeXTF2/maldev-links
https://0xrick.github.io/misc/c2/
https://captmeelo.com/
https://www.vx-underground.org/#E:/root
بهترین c2 ها:
https://www.thec2matrix.com/
https://github.com/EmpireProject/Empire
https://github.com/HavocFramework/Havoc
https://github.com/cobbr/Covenant
https://github.com/Ne0nd0g/merlin
https://github.com/its-a-feature/Mythic
https://github.com/byt3bl33d3r/SILENTTRINITY
https://github.com/nettitude/PoshC2
https://github.com/BishopFox/sliver
https://github.com/rapid7/metasploit-framework
تکنیک های دور زدن می تونید از بلاگ ها و ریپوهای زیر دنبال کنید
https://github.com/boku7
https://trickster0.github.io/
https://github.com/S4ntiagoP
https://github.com/Cracked5pider
https://casvancooten.com/
https://github.com/chvancooten
https://mr.un1k0d3r.world/
https://und3rf10w.github.io/
https://github.com/waldo-irc
https://www.arashparsa.com/
https://passthehashbrowns.github.io/
https://www.wsast.co.uk/
https://gist.github.com/odzhan
https://modexp.wordpress.com/
https://fool.ish.wtf/
https://github.com/realoriginal
https://suspicious.actor/
https://github.com/moloch–
https://github.com/am0nsec
https://amonsec.net/about/
https://github.com/rasta-mouse
https://rastamouse.me/
https://github.com/xpn
https://blog.xpnsec.com/
https://github.com/sneakid
https://www.solomonsklash.io/
https://github.com/kyleavery
بعد از اینکه c2 خودتان را توسعه دهید تازه باید به دنبال دیباگ کردن و همچنین دور زدن Anti Virus و EDR باشید برای اینکار نیازمند تکنیک و ابزار Debugger هستید:
IDA Pro,OllyDbg and x64dbg,WinDbg,Ghidra,Immunity Debugger
https://news.1rj.ru/str/Peneter_Media/455
https://news.1rj.ru/str/Peneter_Media/456
https://news.1rj.ru/str/Peneter_Media/457
https://news.1rj.ru/str/Peneter_Media/458
برای دور زدن:
https://news.1rj.ru/str/Peneter_Media/444
https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass
https://medium.com/offensive-security-walk-throughs/three-techniques-for-bypassing-edr-3b4101002951
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://cydef.ca/blog/av-vs-edr-an-introduction-to-antivirus-bypass/
انتشار مقاله:
https://www.soheilsec.com/توسعه-بدافزار-c2/
سهیل هاشمی
کارشناسی ارشد شبکه | کارشناس ارشد امنیت شبکه
#c2 #malware_dev #AV
👏11👍4❤3👎2🫡2🔥1🙏1
Write Packer your own packer/protector
[+] How to write packer for windows
[+] Create a packer by frank2
[+] write packer with python and how it loads
[+] Writing a Packer From Scratch in Nim
[+] Writing a simple self-injecting packer
[+] Developing PE file packer step-by-step. Step 1-...
-Curated list executable packing
-unavailing custom Packer
https://news.1rj.ru/str/Source_byte
#packer #reverse
[+] How to write packer for windows
[+] Create a packer by frank2
[+] write packer with python and how it loads
[+] Writing a Packer From Scratch in Nim
[+] Writing a simple self-injecting packer
[+] Developing PE file packer step-by-step. Step 1-...
-Curated list executable packing
-unavailing custom Packer
https://news.1rj.ru/str/Source_byte
#packer #reverse
❤4👍2🤔1
Forwarded from Stuff for Geeks (rBHm)
یه دورهای مهندس کاظمی عزیز معرفی کردن بهم که میاد از صفر یه بوت لودر و کرنل و عملا سیستم عامل مینویسه و میره جلو
واقعا جذابه دورش بنظرم:
https://p30download.ir/fa/entry/96910/
#internals
#OS
#Programming
#course
واقعا جذابه دورش بنظرم:
https://p30download.ir/fa/entry/96910/
#internals
#OS
#Programming
#course
پی سی دانلود
دانلود udemy Developing a Multithreaded kernel From scratch - آموزش استقرار هسته چندنخی سیستم عامل
در دوره آموزشی udemy Developing a Multithreaded kernel From scratch با آموزش استقرار هسته چندنخی سیستم عامل اشنا خواهید شد.
🔥10❤2👍1🙏1