Source Byte – Telegram
Whoever would shun love must stay sober;
this nature of mine does not mix with reason.
Saadi Shirazi
Mimikatz Overview, Defenses and Detection.pdf
2.6 MB
Mimikatz Overview, Defenses and Detection

#paper
📽 You can watch the full talk by Mehdi Hatami at PHDays 2 (Positive Hack Days 2) in Russia, titled "Hunting APTs with OPSEC Mistakes", via the link below on the Ravin Academy YouTube channel. Persian subtitles for this talk will be released soon.

🔗 YouTube
Forwarded from OnHex
🔴 The OffensiveCon24 conference videos have been published on YouTube; you can access them from this playlist.

For the slides (so far 4 of them are public), you can use this link.

#conference

🆔 @onhex_ir
➡️ ALL Link
Important warning to people who have anonymous activity on Twitter, Telegram, etc.: don't post a hamster link! Although it only shows the subcategories in the bot, and apparently the person himself does not have the ability to see the account that invited him, in practice, by checking the API requests, we see that the identity of the inviting person is also known!

Credit: Ali, Mohammad Zarchi

Sources:
https://x.com/ali_r7h/status/1798103831244636261

https://x.com/mhzarchi/status/1798365439262867689
Forwarded from mow
Hopper Disassembler v4.zip
64.1 MB
hopper 5.15.6 fully cracked for macOS
Heavenly.exe is the main process that generates the anti-killing loader. It reports viruses normally and does not contain malicious code. To ensure anti-killing performance, the source code is not open. It will be updated to 2.0 later.

GitHub

#kill_AV
Windows PE权威指南
(The Definitive Guide to Windows PE)
#pe #windows


It is in Chinese, so if you can translate it I will appreciate it. @Ke3rNel
PDF189-20120908134633-WindowsPEQuanWeiZhiNan.pdf
64.1 MB
Windows PE权威指南
#book
8.3.7z
852.4 MB
IDA Pro Version 8.3 (with tools, sdk + keygen for x86_x64, ARM, ARM64, PPC, PPC64, and MIPS decompilers! )

#ida
#reverse
Assembly for Hackers from Reza Rashidi

Table of contents
Syntax
Comments
Assembly Language Statements
Syntax of Assembly Language Statements
Example: Hello World Program in Assembly
Compiling and Linking
Sections
Processor Registers
System Calls
Strings
String Instructions
Repetition Prefixes
Numbers
BCD Representation
Instructions
Conditions
CMP Instruction
Conditional Jump Instructions (Signed Data)
Conditional Jump Instructions (Unsigned Data)
Special Conditional Jump Instructions
Addressing Modes
MOV Instruction
File Handling
Example: Reading from a File
Stack and Memory
Stack and Memory
Tools for Analysis
Code Injection Attack
DLL Injection
APC Injection
Valid Accounts
System Binary Proxy Execution: Rundll32
Reflective code loading
Modify Registry
Process Injection
Mark-Of-The-Web (MOTW) Bypass
Access Token Manipulation
Hijack Execution Flow
Resources

https://redteamrecipe.com/assembly-for-hackers

#assembly
#reverse
Forwarded from Sina
Hello everyone,

I've made a somewhat big update in HyperDbg. Now it utilizes a dedicated HOST IDT and HOST GDT, different from the Windows IDT/GDT. This update will address a specific category of bypasses for HyperDbg, although there are still many bypasses to address. This change influences the handling of interrupts, especially NMIs for halting cores in VMX root-mode. It may introduce instability issues on various systems, potentially leading to crashes. If you're using HyperDbg, please switch to the 'dev' branch and re-build and test it to help us identify any problems. Currently, it works well on my 12th Gen machine, but I'm uncertain if it's universally stable. If you encounter any crashes or BSODs, please notify me before the release of v0.9 (the next version). The best way to test it is using events (EPT hooks) with a high rate of execution (e.g., using !epthook on nt!ExAllocatePoolWithTag and meanwhile pausing the debuggee).

The 'dev' branch:
https://github.com/HyperDbg/HyperDbg/tree/dev

GitHub built artifact for those who can't build:
https://github.com/HyperDbg/HyperDbg/actions/runs/9384856535
fuzzer-internals from one of my lovely friends
https://blog.reodus.com/posts/fuzzer-internals-part1/

#fuzzer
#internals
Malware Development, Analysis and DFIR Series PART III
Credit: Nithin Chenthur Prabhu

Delve into Windows Memory Internals! Explore virtual address spaces, process internals and memory models for a deeper understanding of memory forensics & malware analysis!

https://azr43lkn1ght.github.io/Malware Development, Analysis and DFIR Series
A few write-ups about the bugs I reported in the Linux/Windows/macOS kernels, and how I fuzzed them,
are on my blog 👇 here. I'll post my new write-up here soon as well.
R00tkitSMM -> Meysam Firouzi


https://r00tkitsmm.github.io/?s=09
Forwarded from Network books | Magazine (Q)
Programming with Rust (Donis Marshall).pdf
2.5 MB
Year: 2024
Pages: 401
#programming
#RUST
Into the Rabbit Hole – Offensive DNS Tunneling Rootkits
DNS Tunneling

#Tunneling #exfiltration #DNS #Rootkit
REvil_full.pdf
36.1 MB
A Detailed Analysis of The Last Version of REvil Ransomware
Prepared by: Vlad Pasca
Senior Malware and Threat Analyst

Table of contents
Executive summary 2
Analysis and findings 2
Thread activity – sub_1282EA7 function 37
Thread activity – sub_1287677 function 37
Thread activity – sub_1284468 function 41
Thread activity – sub_12841D3 function 44
Running with the -smode parameter 48
Running with the -silent parameter 51
Running with the -path parameter 51
Running with the -nolan parameter 51
Running with the -nolocal parameter 51
Running with the -fast parameter 51
Running with the -full parameter 51
Indicators of Compromise 51
Appendix 52

#REvil #malware_analysis