DefenseEvasionTechniques

This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field. It provides a valuable resource for those dedicated to improving their skills in malware development, malware research, offensive security, and security defenses and measures.

Primary language: C++


Defense Evasion Techniques

This collection offers advanced methods for bypassing the security measures of Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems. This central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field, and is a resource for those dedicated to improving their skills and their security defenses and measures. It includes strategies for manipulating system calls, obfuscating code, managing memory to evade detection, and other advanced evasion techniques. By studying these methods, practitioners can improve penetration testing, red teaming, and malware analysis, and develop more resilient defenses.

Open Source Work

| Blog Detail | Blog Link |
|---|---|
| BYOVD A Kernel Attack: Stealthy Threat to Endpoint Security | https://medium.com/@merasor07/byovd-a-kernel-attack-stealthy-threat-to-endpoint-security-ec809272e505 |
| Arsenal 2.0: Elevating Malware Stealth Tactics to bypass static detection | https://medium.com/@merasor07/arsenal-2-0-elevating-malware-stealth-tactics-to-bypass-static-detection-5238c573ab02 |
| PEB Walk: Avoid API function calls inspection in IAT by analyst and also bypass static detection of AV/EDR | https://medium.com/@merasor07/peb-walk-avoid-api-calls-inspection-in-iat-by-analyst-and-bypass-static-detection-of-1a2ef9bd4c94 |
| Arsenal: Bypass EDR's/XDR's and make malware analysis harder | https://medium.com/system-weakness/arsenal-bypass-edrs-xdr-s-and-make-malware-analysis-harder-6fde3e2884a5 |
| On-Disk Detection: Bypass AV's/EDR's using syscalls with legacy instruction, series of instructions and random nop instructions | https://medium.com/system-weakness/on-disk-detection-bypass-avs-edr-s-using-syscalls-with-legacy-instruction-series-of-instructions-5c1f31d1af7d |
| EASE POST-EXPLOITATION: Getting elevated reverse shell using DLL Hijacking and Mock Directories | https://medium.com/system-weakness/ease-post-exploitation-getting-elevated-reverse-shell-using-dll-hijacking-and-mock-directories-2fc2c7a3cdae |
| AV/EDR Evasion Using Direct System Calls (User-Mode vs Kernel-Mode) | https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a |
| Bypass "Mimikatz" using the Process Injection Technique | https://medium.com/system-weakness/bypass-mimikatz-using-process-injection-technique-6d2a8415fcd6 |

Top Posts

| Post Detail | Post Link |
|---|---|
| Dirty Vanity implementation using direct syscalls | Post Link |
| Mockingjay technique implementation to avoid RWX region detection | Post Link |
| Combining Unhooking and ETW patching to dump lsass.exe memory | Post Link |
| Direct syscalls to dump lsass.exe memory and offline dumping | Post Link |
| Remote Template Injection | Post Link |
| Mark-of-the-Web for Red Team | Post Link |
| Memory dump using Outflank Dumpert and Windows process injection | Post Link |
| NT AUTHORITY shell using Fodhelper | Post Link |
| RWX memory hunt and injection with CreateRemoteThread | Post Link |
| EDR Terminator (call it killer) | Post Link |
| Lsass.exe memory dumping using multiple techniques [Lagos Island Method (a.k.a. Reflective Loading), Windows Process Injection: ConsoleWindowClass, Windows Forking] | Post Link |
| UAC Bypass using .NET profiler DLL loading vulnerability | Post Link |
| Remove EDR callbacks using vulnerable driver | Post Link |
| Privilege escalation using vulnerable driver | Post Link |

Github Repo

| Project | Link |
|---|---|
| "D3MPSEC" lsass.exe memory dumping | https://github.com/Offensive-Panda/D3MPSEC |
| Combination of multiple evasion techniques to evade defenses (Dirty Vanity) | https://github.com/Offensive-Panda/DV_NEW |
| Deploy honeypots and decoys to gather threat intelligence | https://github.com/Offensive-Panda/Collect_Threat_Intel_AND_Malware_Using_Honeypots |
| Persistence and anti-sandbox techniques | https://github.com/Offensive-Panda/Persistence_AND_Anti_Sandbox |
| Bypass malware static analysis | https://github.com/Offensive-Panda/on-disk-detection-bypass |
| Get elevated shell on C2 server with DLL hijacking | https://github.com/Offensive-Panda/C2_Elevated_Shell_DLL_Hijcking |
| RWX hunting and injection using fork API | https://github.com/Offensive-Panda/RWX_MEMEORY_HUNT_AND_INJECTION_DV |
| WriteProcessMemory magic and injection (address of entry point) | https://github.com/Offensive-Panda/WPM-MAJIC-ENTRY-POINT-INJECTION |
| PEB walk and API obfuscation to bypass AV/EDR static analysis | https://github.com/Offensive-Panda/PEB_WALK_AND_API_OBFUSCATION_INJECTION |
| .NET profiler DLL loading UAC bypass | https://github.com/Offensive-Panda/.NET_PROFILER_DLL_LOADING |
| BYOVD to escalate privileges to SYSTEM | https://github.com/Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE |

Evasion Techniques

| Technique | Description |
|---|---|
| Direct and Indirect Syscalls | Strategies for making direct and indirect system calls to evade detection mechanisms. |
| API Hashing | Techniques for obfuscating and altering API calls to avoid detection. |
| API Imports Obfuscation | Methods to obfuscate code and make it harder to analyze. |
| Payload Encryption | Use of encryption to bypass static analysis by EDRs. |
| Egg Hunting Syscall Instruction | In-memory patching to bypass static detection. |
| Random Instructions and Prototypes | Use of random NOP instructions and randomized API names and prototypes to avoid static analysis. |
| Mockingjay | Use of a vulnerable DLL to avoid detection of RWX memory region creation. |
| Forking Technique Memory Dumps | Use of the Windows fork API to clone the parent process after injecting shellcode, avoiding detection of CreateRemoteThread. |
| API Unhooking | Unhooking EDR user-mode hooks using a clean copy of the DLL, a raw copy from a remote server, or a suspended process, to bypass EDRs. |
| ETW Patching | Applying ETW patching to avoid event-based detection. |
| PEB Lookup | Resolving SSNs and native APIs at run time using PEB lookup, for 32-bit and 64-bit. |
| RWX Memory Block Hunt | Hunt for an already created RWX region to write and execute shellcode. This technique removes the dependency on a vulnerable DLL with an RWX section and on an API to allocate RWX memory. |
| BYOVD | Bring Your Own Vulnerable Driver: deploying drivers that are legitimately signed and can be successfully loaded into Windows systems to execute code in kernel context. |

Disclaimer

The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials. Any actions taken based on the information are done so at the user's own risk.

Demo

The following GIF shows the main page of the defense evasion series.


Contact

For any inquiries or contributions, feel free to reach out to me.