LightsOut - Generate An Obfuscated DLL That Will Disable AMSI And ETW
LightsOut will generate an obfuscated DLL that will disable AMSI & ETW while trying to evade AV. This is done by randomizing all WinAPI functions used, xor encoding strings, and utilizing basic sandbox checks. Mingw-w64 is used to compile the obfuscated C code into a DLL that can be loaded into a...
NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform WFP to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering,...
Inside Raccoon Stealer V2
Raccoon Stealer is back on the news again. US officials arrested Mark Sokolovsky, one of the malware actors behind this program. In July 2022, after several months of the shutdown, a Raccoon Stealer V2 went viral. Last week, the Department of Justice's press release stated that the malware...
Scemu - X86 32bits Emulator, For Securely Emulating Shellcodes
x86 32-bit emulator for securely emulating shellcodes. Features Rust safety, good for malware analysis. All dependencies are in Rust, with zero unsafe blocks. Very fast emulation, much faster than unicorn: 3,000,000 instructions/second, or 100,000 instructions/second when printing every instruction with -vv. Powered by...
ThreadBoat - Program Uses Thread Execution Hijacking To Inject Native Shellcode Into A Standard Win32 Application
Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application. About I developed this small project to continue my experiences of different code injection methods and to allow RedTeam security professionals to utilize this method as a unique way to perform software...
NetProfiler
On .NET 4, the CLSID must be defined via the HKCR\CLSID\{GUID}\InprocServer32 registry key containing the path to the profiling DLL. On recent versions, the CLR uses the COR_PROFILER_PATH environment variable to find the DLL, and falls back to using the CLSID if COR_PROFILER_PATH is not defined. Author...
ThreadBoat - Program Uses Thread Execution Hijacking To Inject Native Shellcode Into A Standard Win32 Application
Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application. Thread Hijacking allows the hijacker.exe program to suspend a thread within the target.exe program, allowing us to write shellcode to that thread. Usage int main System sys; Interceptor incp; Exceptio...
Plurox: Modular backdoor
In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on...
SynAck targeted ransomware uses the Doppelgänging technique
The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions. In April 2018, we spotted the first ransomware...
Symantec Endpoint Protection 12.1.6 Tamper Protection Bypass
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt + ISR: ApparitionSec Vendor: ======= www.symantec.com Product: =========== Symantec Endpoint...
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass
Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt + ISR: ApparitionSec Vendor: =======...
Pentesting Active Directory Environments: CrackMapExec
CrackMapExec, a.k.a. CME, is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory...
WinAPI User Hunter: hunter
During Red Team engagements it is common to track/hunt specific users. Assuming we already have access to a desktop as a normal user, however that access was obtained (always “assume compromise” in a Windows Domain), we want to spread laterally. We want to know where the user is logged on, if he...
Generate TCP/UDP Outbound Traffic On Multiple Ports
This module generates TCP or UDP traffic across a sequence of ports, and is useful for finding firewall holes and egress filtering. It only generates traffic on the port range you specify. It is up to you to run a responder or packet capture tool on a remote endpoint to determine which ports are...
Basics of Writing Windows Shellcode
This article is about writing a simple shellcode for the Windows platform. It is the first installment of a series of articles that I plan to write, drawing on the materials and work of foreign specialists in this field. This article is not packed with exhaustive information; rather, its goal is -...