DLL Hollowing

Deep dive into a stealthier DLL hollowing/memory allocation variant.

https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/

#malware #dll #hollowing

OffensiveRust — Rust Weaponization for Red Team Engagements.

Examples in this repo:

• Allocate_With_Syscalls — It uses NTDLL functions directly with the ntapi Library
• Create_DLL — Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
• DeviceIoControl — Opens driver handle and executing DeviceIoControl
• EnableDebugPrivileges — Enable SeDebugPrivilege in the current process
• Shellcode_Local_inject — Executes shellcode directly in local process by casting pointer
• Execute_With_CMD — Executes cmd by passing a command via Rust
• ImportedFunctionCall — It imports minidump from dbghelp and executes it
• Kernel_Driver_Exploit — Kernel Driver exploit for a simple buffer overflow
• Named_Pipe_Client — Named Pipe Client
• Named_Pipe_Server — Named Pipe Server
• Process_Injection_CreateThread — Process Injection in remote process with CreateRemoteThread
• Unhooking — Unhooking calls
• asm_syscall — Obtaining PEB address via asm
• base64_system_enum — Base64 encoding/decoding strings
• http-https-requests — HTTP/S requests by ignoring cert check for GET/POST
• patch_etw — Patch ETW
• ppid_spoof — Spoof parent process for created process
• tcp_ssl_client — TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
• tcp_ssl_server — TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
• wmi_execute — Executes WMI query to obtain the AV/EDRs in the host
• Windows.h+ Bindings — This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
• UUID_Shellcode_Execution — Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.

https://github.com/trickster0/OffensiveRust

#rust #redteam #malware

Picky PPID Spoofing

Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend in the target system. This is done by making the malicious process look like it was spawned by another process. This helps evade detections that are based on anomalous parent-child process relationships.

https://capt-meelo.github.io//redteam/maldev/2021/11/22/picky-ppid-spoofing.html

#pid #spoofing #redteam #maldev #malware

Design Issues Of Modern EDRs: Bypassing ETW-Based Solutions

https://www.binarly.io/posts/Design_issues_of_modern_EDRs_bypassing_ETW-based_solutions/index.html

#etw #redteam #blueteam #malware

Quick & Lazy Malware Development

https://capt-meelo.github.io//redteam/maldev/2021/12/15/lazy-maldev.html

#malware #av #evasion #redteam

Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign

StellarParticle, an adversary campaign associated with COZY BEAR, was active throughout 2021 leveraging novel tactics and techniques in supply chain attacks observed by CrowdStrike incident responders

https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

#threatintel #dfir #blueteam #malware

😈 [ fr0gger_, Thomas Roccia 🤘 ]

New EDR/AV evasion technique added to the #UnprotectProject by @Praetorian_GRD "Unloading Module Using FreeLibrary". Check out the detailed description, code snippet and CAPA rule👇 #cybersecurity #malware #infosec cf: @DarkCoderSc

https://t.co/Td7ogFwVcZ

🔗 https://unprotect.it/technique/unloading-module-with-freelibrary/

🐥 [ tweet ]