🎯 Meterpreter vs Modern EDR
This blog post explains how making minor adjustments to the Meterpreter shellcode dropper can effectively evade modern EDRs. Three modifications are employed on the Meterpreter reference dropper. These modifications involve encrypting the Meterpreter shellcode using the XOR algorithm, incorporating valid metadata via a manifest file, and relocating the Meterpreter shellcode from the .text section to the .data section.
https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
#av #edr #meterpreter #xor #cpp
This blog post explains how making minor adjustments to the Meterpreter shellcode dropper can effectively evade modern EDRs. Three modifications are employed on the Meterpreter reference dropper. These modifications involve encrypting the Meterpreter shellcode using the XOR algorithm, incorporating valid metadata via a manifest file, and relocating the Meterpreter shellcode from the .text section to the .data section.
https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
#av #edr #meterpreter #xor #cpp
RedOps - English
Meterpreter vs Modern EDR(s) - RedOps
👍11🔥2
⚙️ MultiDump
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
This is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly. MultiDump supports LSASS dump via ProcDump.exe or Comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis
🔗 https://github.com/Xre0uS/MultiDump
#lsass #remote #cpp #python
🔥14❤🔥5👎3
This media is not supported in your browser
VIEW IN TELEGRAM
Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region. This technique is finding RWX region in already running processes in this case OneDrive.exe and Write shellcode into that region and execute it without calling VirtualProtect, VirtualAllocEx, VirtualAlloc.
🚀 Steps:
— Find the OneDrive.exe in running processes;
— Get the handle of OneDrive.exe;
— Query remote process memory information;
— look for RWX memory regions;
— Write shellcode into found region of OneDrive.exe;
— Fork OneDrive.exe into a new process;
— Set the forked process's start address to the cloned shellcode;
— Terminate the cloned process after execution.
🔗 https://github.com/Offensive-Panda/RWX_MEMEORY_HUNT_AND_INJECTION_DV
#winapi #onedrive #injection #maldev #cpp
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥11👍5
This media is not supported in your browser
VIEW IN TELEGRAM
🌀Voidgate
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
🔗 Source
https://github.com/vxCrypt0r/Voidgate
#av #edr #evasion #hwbp #cpp
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
🔗 Source
https://github.com/vxCrypt0r/Voidgate
#av #edr #evasion #hwbp #cpp
❤12🔥5👍4❤🔥3👎1
⚙️ Remote Session Enumeration
The blog post explores how to enumerate remote user sessions on Windows using undocumented Windows APIs, specifically focusing on the implementation and usage of the WinStation API.
🔗 Research:
https://0xv1n.github.io/posts/sessionenumeration/
🔗 Source:
https://github.com/0xv1n/RemoteSessionEnum/blob/main/main.cpp
#windows #qwinsta #session #winapi #cpp
The blog post explores how to enumerate remote user sessions on Windows using undocumented Windows APIs, specifically focusing on the implementation and usage of the WinStation API.
🔗 Research:
https://0xv1n.github.io/posts/sessionenumeration/
🔗 Source:
https://github.com/0xv1n/RemoteSessionEnum/blob/main/main.cpp
#windows #qwinsta #session #winapi #cpp
👍8