---
layout: default
---
<!DOCTYPE html>
<html lang="en">
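<head>
  <meta charset="UTF-8">
  <!-- Legacy IE document-mode switch; current browsers ignore it. Harmless, so kept. -->
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Open Source Work</title>
  <!-- Summary used by search engines and link previews; derived from the page's own sections -->
  <meta name="description" content="Articles, open-source tools and demonstrations from Offensive-Panda's EDR/XDR evasion research.">
  <style>
    /* Page-wide dark theme */
    body {
      font-family: Arial, sans-serif;
      background-color: #000;
      color: #fff;
      margin: 0;
      padding: 0;
    }
    /* NOTE(review): no <header> element appears in the markup visible on this page;
       presumably consumed by the site layout named in the front matter (layout: default) — verify. */
    header {
      text-align: center;
      padding: 50px 0;
      background-color: #333;
      color: white;
    }
    /* Centered, width-capped wrapper for the intro text and the heatmap */
    .content-section {
      width: 90%;
      max-width: 1200px;
      margin: 20px auto;
      padding: 20px;
    }
    .content-section h2 {
      color: #fff;
      border-bottom: 2px solid #fff;
      padding-bottom: 10px;
      margin-bottom: 20px;
    }
    .content-section p {
      line-height: 1.6;
      color: #ccc;
    }
    /* Card Container Styling */
    .card-container {
      display: flex;
      flex-wrap: wrap;
      gap: 20px;
      justify-content: center; /* Center cards on the page */
      padding: 20px; /* Add some padding around the cards */
    }
    /* Individual Card Styling */
    .card {
      display: flex;
      flex-direction: row; /* Change to row for horizontal layout */
      width: 100%;
      max-width: 900px;
      border: 1px solid #ddd;
      border-radius: 8px;
      overflow: hidden;
      transition: transform 0.3s, box-shadow 0.3s;
      background-color: #fff;
    }
    /* Left Part Styling (Image) */
    .card-image {
      width: 90%; /* Adjust width as needed */
      padding: 10px;
      display: flex;
      justify-content: center; /* Center image horizontally */
    }
    .card-image img {
      width: 100%;
      height: auto;
      object-fit: cover;
    }
    /* Right Part Styling (Heading and Description) */
    .card-content {
      width: 100%; /* Adjust width as needed */
      padding: 10px;
      display: flex;
      flex-direction: column;
      justify-content: center; /* Center content vertically */
    }
    /* Heading Styling */
    .card-content h3 {
      margin: 0;
      font-size: 1.2em;
      margin-bottom: 8px; /* Space between heading and description */
      color: #000;
    }
    /* Description Styling */
    .card-content p {
      margin: 0;
      font-size: 0.9em;
      color: #555;
    }
    .card:hover {
      transform: scale(1.05);
    }
    /* Four-column grid of technique tiles */
    .heatmap {
      display: grid;
      grid-template-columns: repeat(4, 1fr);
      gap: 10px;
      max-width: 1200px;
      margin: 0 auto;
    }
    .heatmap-item {
      background-color: #fff;
      color: #000;
      border: 1px solid #ddd;
      border-radius: 5px;
      padding: 10px;
      text-align: center;
      position: relative;
      transition: background-color 0.3s, color 0.3s;
    }
    .heatmap-item:hover {
      background-color: #f0f0f0;
      color: #000;
    }
    /* Tooltip rendered from the tile's data-tooltip attribute.
       NOTE(review): it is revealed on hover only and the tiles are not focusable,
       so keyboard users cannot reach the description text. */
    .heatmap-item::after {
      content: attr(data-tooltip);
      position: absolute;
      bottom: 100%;
      left: 50%;
      transform: translateX(-50%);
      background-color: #333;
      color: #fff;
      padding: 5px;
      border-radius: 3px;
      white-space: nowrap;
      opacity: 0;
      transition: opacity 0.3s;
      font-size: 14px;
    }
    .heatmap-item:hover::after {
      opacity: 1;
    }
    /* Color coding for heatmap items (same specificity as .heatmap-item; declared later so they win) */
    .low-intensity { background-color: #ffcccc; } /* Light Red */
    .medium-intensity { background-color: #ff9966; } /* Medium Orange */
    .high-intensity { background-color: #ff6600; } /* Dark Orange */
    .very-high-intensity { background-color: #cc0000; } /* Dark Red */
    /* NOTE(review): no iframe appears in the part of the page reviewed here; retained in case it is used further down. */
    .iframe-container {
      border: 2px solid #ccc; /* Border around iframes */
      border-radius: 10px; /* Rounded corners */
      overflow: hidden;
      background-color: #fff; /* Background color of container */
      box-shadow: 0 2px 5px rgba(0,0,0,0.1); /* Subtle shadow */
      padding: 10px; /* Space inside the border */
      max-width: 2000px; /* Maximum width for large screens */
      box-sizing: border-box; /* Include padding and border in the element's total width and height */
    }
    iframe {
      width: 100%;
      height: 750px; /* Fixed height for all iframes */
      border: none; /* Remove default border */
    }
  </style>
</head>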
<body>
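<!-- Page banner. `align` is a deprecated presentational attribute; a class with text-align in the stylesheet would replace it.
     The image is the first thing painted, so it is intentionally not lazy-loaded. -->
<div align="center">
  <!-- width is a bare pixel count; "400px" is only tolerated by lenient parsing -->
  <img width="400" src="Assets/MD.jpg" alt="Evasion Series">
</div>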
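<!-- Intro text plus the technique heatmap -->
<div class="content-section">
  <h2>C:\Users\Offensive-Panda>whoami</h2>
  <p><strong>Usman Sikander</strong> (a.k.a Offensive-Panda) is a seasoned security professional passionate about identifying and researching advanced evasion techniques, to develop a comprehensive understanding of threat tactics, techniques, and procedures (TTPs) through in-depth analysis of real-world attack scenarios, prominent Advanced Persistent Threat (APT) campaigns, and emerging evasion tactics for validating security postures through emulations. With a proven track record in developing exploits aligned with MITRE ATT&CK tactics and automating exploit processes, I excel in conducting comprehensive simulations within controlled environments that include all security controls. My primary objective is to identify weaknesses, misconfigurations and vulnerabilities, validate the security controls and incident response capabilities, identify areas for improvement, and deliver detailed threat analysis for proactive threat hunting, providing adversary attack paths, indicators of attack (IOAs), indicators of compromise (IOCs), and actionable mitigation strategies to strengthen and enhance an organisation's detection engineering capabilities.</p>
  <h2>Purpose</h2>
  <p>This collection offers advanced methods to bypass sophisticated security measures in Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems. This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field. It provides a valuable resource for those dedicated to improving their skills, security defenses and measures. This repository includes strategies for manipulating system calls, obfuscating code, managing memory to evade detection and other advanced evasion techniques. By leveraging these methods, experts can enhance penetration testing, red teaming, malware analysis, and develop more resilient defenses.</p>
  <h2>Evasion Techniques Heatmap</h2>
  <!-- Each tile's description lives in data-tooltip and is shown by CSS on hover only.
       NOTE(review): the tooltip on "Privileges Escalation BYOVD" describes a UAC bypass rather than a driver-based escalation — confirm the intended text. -->
  <div class="heatmap">
    <div class="heatmap-item very-high-intensity" data-tooltip="Strategies for making direct and indirect function calls to evade detection mechanisms.">Direct and Indirect Syscalls</div>
    <div class="heatmap-item medium-intensity" data-tooltip="Techniques for obfuscating and altering API calls to avoid detection.">API Hashing</div>
    <div class="heatmap-item medium-intensity" data-tooltip="Methods to obfuscate code and make it harder to analyze.">API Imports Obfuscation</div>
    <div class="heatmap-item high-intensity" data-tooltip="Use of encryption to bypass static analysis of EDRs.">Payload Encryption</div>
    <div class="heatmap-item high-intensity" data-tooltip="Syscall Instruction In-memory patching to bypass static detection.">Egg Hunting</div>
    <div class="heatmap-item high-intensity" data-tooltip="A technique to circumvent User Account Control (UAC) prompts to gain elevated privileges without user consent.">Privileges Escalation BYOVD</div>
    <div class="heatmap-item high-intensity" data-tooltip="A .NET technique that leverages the COR_PROFILER environment variable to load a profiler DLL, which can be used to manipulate or monitor .NET applications.">COR_PROFILER UAC Bypass</div>
    <div class="heatmap-item high-intensity" data-tooltip="Use random NOP instructions and name of API, prototypes to avoid static analysis.">Random Instructions and Prototypes (Static Bypass)</div>
    <div class="heatmap-item very-high-intensity" data-tooltip="Use of vulnerable dll to avoid detection of RWX memory region creation.">Mockingjay</div>
    <div class="heatmap-item very-high-intensity" data-tooltip="Use of windows fork API to clone parent process after injecting shellcode, avoid detection of CreateRemoteThread.">Forking Technique Memory Dumps</div>
    <div class="heatmap-item very-high-intensity" data-tooltip="Unhooking EDRs user mode hooks using clean copy of dll, raw copy from remote server, suspended process to bypass EDRs.">API Unhooking</div>
    <div class="heatmap-item medium-intensity" data-tooltip="Applying ETW patching to avoid event based detection.">ETW Patching</div>
    <div class="heatmap-item medium-intensity" data-tooltip="Resolving SSN and Native API's on run-time using PEB lookup for 32bits & 64bits.">PEB Lookup</div>
    <div class="heatmap-item high-intensity" data-tooltip="Techniques that involve disabling or tampering with security tools or monitoring systems ">Disable and Modify Tools</div>
    <div class="heatmap-item very-high-intensity" data-tooltip="Lagos Island, also known as Reflective Loading, is a sophisticated technique for loading a Dynamic Link Library (DLL) directly into a process’s memory space">Lagos Island (Reflective Loading)</div>
    <div class="heatmap-item high-intensity" data-tooltip="Hunt for already created RWX region to write and execute shellcode. This technique removes the dependencies of vulnerable DLL with RWX and API to allocate RWX.">RWX Memory Block Hunt</div>
    <div class="heatmap-item very-high-intensity" data-tooltip="Bring your own vulnerable driver which involves deploying drivers that are legitimately signed and can be successfully loaded into Windows systems to execute code in kernel context.">BYOVD Techniques</div>
    <div class="heatmap-item very-high-intensity" data-tooltip="Leverages direct syscalls to create a native dump with essential streams for offline parsing, perfect for low-noise operations.">Native Dump with Direct Syscalls</div>
  </div>
</div>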
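<h2>Check Out My Articles</h2>
<!-- Article cards. Every link opens in a new tab, so each carries rel="noopener noreferrer":
     noopener keeps the opened page from reaching window.opener, noreferrer withholds this page's URL.
     Card images have no width/height attributes because their intrinsic sizes are not known here;
     adding them would avoid layout shift. -->
<div class="card-container">
  <!-- Card 1 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/BYOVD_AI.png" alt="BYOVD A Kernel Attack">
    </div>
    <div class="card-content">
      <h3>BYOVD A Kernel Attack: Stealthy Threat to Endpoint Security</h3>
      <p>Delve into the intricacies of BYOVD attacks, exploring how malicious actors exploit this technique to blind, terminate, and manipulate endpoint detection and response (EDR) solutions. We will dissect the mechanisms used to obtain NT Authority context and remove EDR callbacks, providing practical demonstrations of these attacks.</p>
      <a class="card-link" href="https://medium.com/@merasor07/byovd-a-kernel-attack-stealthy-threat-to-endpoint-security-ec809272e505" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 2 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/static_AI.jpg" alt="Arsenal 2.0">
    </div>
    <div class="card-content">
      <h3>Arsenal 2.0: Elevating Malware Stealth Tactics to Bypass Static Detection</h3>
      <p>Diving into advanced techniques for malware to evade static detection by EDR/XDR solutions. This blog is an extension of my previous post, "Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder".</p>
      <a class="card-link" href="https://medium.com/@merasor07/arsenal-2-0-elevating-malware-stealth-tactics-to-bypass-static-detection-5238c573ab02" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 3 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/IAT_AI.jpg" alt="PEB Walk">
    </div>
    <div class="card-content">
      <h3>PEB Walk: Avoid API function calls inspection in IAT by analyst and also bypass static detection of AV/EDR</h3>
      <p>Techniques to evade static detection methods used by AV/EDR solutions. We divide our arsenal preparation into 4 main stages, we try to hide strings, API imports by obfuscating them, resolve API using different ways such as dynamically.</p>
      <a class="card-link" href="https://medium.com/@merasor07/peb-walk-avoid-api-calls-inspection-in-iat-by-analyst-and-bypass-static-detection-of-1a2ef9bd4c94" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 4 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/Arsenal_AI.jpg" alt="Arsenal">
    </div>
    <div class="card-content">
      <h3>Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder</h3>
      <p>An exploration of methods to bypass modern EDR/XDR. Multiple techniques to bypass AV/EDR/XDR security solutions. As a red teamer and security guy, I always try to explore new methods and approaches to bypass security controls.</p>
      <a class="card-link" href="https://medium.com/system-weakness/arsenal-bypass-edrs-xdr-s-and-make-malware-analysis-harder-6fde3e2884a5" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 5 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/Disk_AI.jpg" alt="On-Disk Detection">
    </div>
    <div class="card-content">
      <h3>On-Disk Detection: Bypass AV’s/EDR’s using syscalls with legacy instruction, series of instructions and random nop instructions</h3>
      <p>Techniques to bypass AV/EDR’s static as well as dynamic detection. The main focus is to bypass on-disk detection of binary which is using direct syscalls.</p>
      <a class="card-link" href="https://medium.com/system-weakness/on-disk-detection-bypass-avs-edr-s-using-syscalls-with-legacy-instruction-series-of-instructions-5c1f31d1af7d" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 6 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/Post_AI.jpg" alt="EASE POST-EXPLOITATION">
    </div>
    <div class="card-content">
      <h3>EASE POST-EXPLOITATION: Getting elevated reverse shell using DLL Hijacking and Mock Directories</h3>
      <p>DLL Hijacking and Mock directories technique to bypass Windows UAC security feature and getting high-level privileged reverse shell.</p>
      <a class="card-link" href="https://medium.com/system-weakness/ease-post-exploitation-getting-elevated-reverse-shell-using-dll-hijacking-and-mock-directories-2fc2c7a3cdae" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 7 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/Sys_AI.jpg" alt="AV/EDR Evasion Using Direct System Calls">
    </div>
    <div class="card-content">
      <h3>AV/EDR Evasion Using Direct System Calls (User-Mode vs Kernel-Mode)</h3>
      <p>Hooking is a method used by AV/EDRs to intercept a function call and redirect the code flow to a controlled environment where they can analyze the call and decide whether or not it is malicious.</p>
      <a class="card-link" href="https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
  <!-- Card 8 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/Mimi_AI.jpg" alt="Bypass Mimikatz">
    </div>
    <div class="card-content">
      <h3>Bypass “Mimikatz” using the Process Injection Technique</h3>
      <p>Bypass Mimikatz using process injection. Most of the EDR’s/AV often identify mimikatz signatures and destroy it. There are many ways to bypass mimikatz from AV/EDR’s.</p>
      <a class="card-link" href="https://medium.com/system-weakness/bypass-mimikatz-using-process-injection-technique-6d2a8415fcd6" target="_blank" rel="noopener noreferrer">Read More</a>
    </div>
  </div>
</div>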
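<h2>Code Implementation</h2>
<!-- Repository cards. Links open in a new tab and carry rel="noopener noreferrer" so the opened
     page gets neither window.opener nor this page's URL as referrer.
     Card images have no width/height attributes because their intrinsic sizes are not known here. -->
<div class="card-container">
  <!-- Card 1 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/d3mp_AI.jpg" alt="D3MPSEC">
    </div>
    <div class="card-content">
      <h3>D3MPSEC</h3>
      <p>"D3MPSEC" is a memory dumping tool designed to extract memory dump from Lsass process using various techniques, including direct system calls, randomized procedures, and prototype name obfuscation.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/D3MPSEC" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 2 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/syscall_AI.jpg" alt="Dirty Vanity">
    </div>
    <div class="card-content">
      <h3>Dirty Vanity (DV_NEW)</h3>
      <p>This is the combination of multiple evasion techniques. It is using direct syscalls to bypass user-mode EDR hooking and also to avoid static detection of syscalls instruction in stub I am using egg hunt technique.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/DV_NEW" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 3 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/honey_AI.jpg" alt="Honeypots">
    </div>
    <div class="card-content">
      <h3>Honeypots for Threat Intelligence</h3>
      <p>Run as a service and monitoring all sysmon event logs and take action based on events generated by attacker's activities. Upload all dropped and created malwares, files on server for further analysis. This captures all commands executed by attacker on a system.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/Collect_Threat_Intel_AND_Malware_Using_Honeypots" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 4 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/pers_AI.jpg" alt="Persistence">
    </div>
    <div class="card-content">
      <h3>Persistence and Anti-Sandbox</h3>
      <p>This repository contains the c# code which is using latest persistence technique and multiple anti-vm, anti-sandbox techniques. In this program, I am using 4 anti-vm and anti-sandbox techniques, I am also using persistence technique using powershell and task scheduler.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/Persistence_AND_Anti_Sandbox" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 5 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/diskon_AI.jpg" alt="Static Analysis">
    </div>
    <div class="card-content">
      <h3>Bypass Malware Static Analysis</h3>
      <p>Direct syscalls Injection to bypass AV/EDR. The main purpose of this repository is to understand the static detection and how to bypass it. When I was using direct syscalls in my implant, after compiling the code MDE was detecting the binary in static analysis.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/on-disk-detection-bypass" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 6 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/dll_AI.jpg" alt="DLL Hijacking">
    </div>
    <div class="card-content">
      <h3>C2 Elevated Shell via DLL Hijacking</h3>
      <p>DLL Hijacking and Mock directories technique to bypass Windows UAC security feature and getting high-level privileged reverse shell. Security researchers identified this technique which uses a simplified process of DLL hijacking and mock folders to bypass UAC control.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/C2_Elevated_Shell_DLL_Hijcking" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 7 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/rwx_AI.jpg" alt="RWX Memory">
    </div>
    <div class="card-content">
      <h3>RWX Memory Hunt and Injection</h3>
      <p>Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region. This technique is finding RWX region in already running processes in this case OneDrive.exe and Write shellcode into that region and execute it without calling VirtualProtect, VirtualAllocEx, VirtualAlloc.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/RWX_MEMEORY_HUNT_AND_INJECTION_DV" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 8 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/wpm_AI.jpg" alt="WPM Magic">
    </div>
    <div class="card-content">
      <h3>WPM Magic and Injection</h3>
      <p>Utilising AddressOfEntryPoint of process which is RX and using WriteProcessMemory internal magic to change the permission and write the shellcode. Exploit also using direct syscalls to bypass user-mode hooking of AV/EDRs. This technique is avoiding the usage of VirtualAlloc, VirtualProtect APIs.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/WPM-MAJIC-ENTRY-POINT-INJECTION" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 9 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/pebwalk_AI.jpg" alt="PEB Walk">
    </div>
    <div class="card-content">
      <h3>PEB Walk and API Obfuscation</h3>
      <p>This exploit uses PEB walk technique to resolve API calls dynamically and obfuscate all API calls to perform process injection. These techniques will help to bypass static analysis of AV/EDR solutions. To outline the process, the PEB walk for resolving the addresses of LoadLibraryA and GetProcAddress is as follows.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/PEB_WALK_AND_API_OBFUSCATION_INJECTION" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 10 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/dotnet_AI.jpg" alt=".NET Profiler">
    </div>
    <div class="card-content">
      <h3>.NET Profiler DLL Loading UAC Bypass</h3>
      <p>.NET profiler DLL loading can be abused to make a legit .NET application load a malicious DLL using environment variables. This exploit is loading a malicious DLL using Task Scheduler (MMC) to bypass UAC and getting admin privileges.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/.NET_PROFILER_DLL_LOADING" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 11 -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/byovd_AI.jpg" alt="BYOVD">
    </div>
    <div class="card-content">
      <h3>BYOVD for Privilege Escalation</h3>
      <p>This exploit rebuilds and exploits the CVE-2019-16098 which is in driver Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. Instead of hardcoded base address of Ntoskrnl.exe.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 12: alt text previously said "BYOVD", which did not describe this card -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/lsass_AI.jpg" alt="LsassReflectDumping">
    </div>
    <div class="card-content">
      <h3>LsassReflectDumping</h3>
      <p>This tool leverages the Process Forking technique using the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone is created, it utilizes MINIDUMP_CALLBACK_INFORMATION callbacks to generate a memory dump of the cloned process.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/LsassReflectDumping" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
  <!-- Card 13: alt text previously said "BYOVD", which did not describe this card -->
  <div class="card">
    <div class="card-image">
      <img src="Assets/shadow_AI.png" alt="ShadowDumper">
    </div>
    <div class="card-content">
      <h3>ShadowDumper</h3>
      <p>Shadow Dumper is a powerful tool used to dump LSASS memory, often needed in penetration testing and red teaming. It uses multiple advanced techniques to dump memory, allowing to access sensitive data in LSASS memory.</p>
      <a class="card-link" href="https://github.com/Offensive-Panda/ShadowDumper" target="_blank" rel="noopener noreferrer">View on GitHub</a>
    </div>
  </div>
</div>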
<h2>Demonstration</h2>
<div class="card-container">
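<!-- Card 1. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/fork_AI.jpg" alt="Dirty Vanity Implementation Using Direct Syscalls">
  </div>
  <div class="card-content">
    <h3>Dirty Vanity Implementation Using Direct Syscalls</h3>
    <p>This is the combination of multiple evasion techniques. It is using direct syscalls to bypass user-mode EDR hooking and also to avoid static detection of syscalls instruction in stub I am using egg hunt technique. Egg hunt will place random bytes using DB instruction in syscall stub in the place of syscalls.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_malwaredevelopment-syscalls-forking-activity-7193958115556343808-8UzK?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>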
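<!-- Card 2. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/rwxd_AI.jpg" alt="Mockingjay Technique to Avoid RWX Region Detection">
  </div>
  <div class="card-content">
    <h3>Mockingjay Technique to Avoid RWX Region Detection</h3>
    <p>Utilizes vulnerable DLLs to avoid detection of RWX (Read-Write-Execute) memory regions. This technique helps bypass security mechanisms that monitor or restrict RWX memory allocations by exploiting existing vulnerabilities.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_offensivesecurity-cybersecurity-malwaredevelopement-activity-7191049164409991168-fLwR?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>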
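<!-- Card 3. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/etw_AI.jpg" alt="Combining Unhooking and ETW Patching to Dump LSASS Memory">
  </div>
  <div class="card-content">
    <h3>Combining Unhooking and ETW Patching to Dump LSASS Memory</h3>
    <p>Explores advanced techniques for evading defenses to dump lsass.exe process memory. Combining Unhooking and ETW Patching: Integrates unhooking techniques with ETW (Event Tracing for Windows) patching to effectively dump LSASS (Local Security Authority Subsystem Service) memory.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F-activity-7188865881580453890-iakH?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>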
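<!-- Card 4. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/syscall_AI.jpg" alt="Direct syscalls to dump LSASS.exe memory and offline dumping">
  </div>
  <div class="card-content">
    <h3>Direct Syscalls to Dump LSASS.exe Memory and Offline Dumping</h3>
    <p>Dumping LSASS memory using direct syscalls to bypass EDR detections. Bypassing traditional APIs hooking and security mechanisms.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_offensivesecurity-lsassdump-malware-activity-7187820505746325504-l25o?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>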
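<!-- Card 5. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/remote_AI.jpg" alt="Remote Template Injection">
  </div>
  <div class="card-content">
    <h3>Remote Template Injection</h3>
    <p>An exploration of techniques for injecting remote templates to achieve initial access. Created an attack cycle using remote template injection. Remote template injection is still working on Windows and has been used in many APT campaigns.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_remote-template-injection-today-i-created-activity-6936948079807844353-UQQ8?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>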
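<!-- Card 6. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/mark_AI.jpg" alt="Mark-of-the-Web for Red Team">
  </div>
  <div class="card-content">
    <h3>Mark-of-the-Web for Red Team</h3>
    <p>Bypass security features related to Mark-of-the-Web in Red Team engagements. For macros in files obtained from the internet, users will no longer be able to enable content with a click of a button. A message bar will appear for users notifying them with a button to learn more.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_bypass-macro-vba-activity-6900000010717458433-lAH2?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>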
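<!-- Card 7. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/outflank_AI.jpg" alt="Memory dump using Outflank Dumpert and Windows process injection">
  </div>
  <div class="card-content">
    <h3>Memory Dump Using Outflank Dumpert and Windows Process Injection</h3>
    <p>Utilizes the Outflank Dumpert tool to dump lsass.exe memory and combines it with process injection techniques.</p>
    <a class="card-link" href="https://www.linkedin.com/feed/update/urn:li:activity:7056950152242094080?utm_source=share&utm_medium=member_android" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>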
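<!-- Card 8. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/fod_AI.jpg" alt="NT-Authority Shell using Fodhelper">
  </div>
  <div class="card-content">
    <h3>NT-Authority Shell using Fodhelper</h3>
    <p>How to exploit Fodhelper to gain NT-Authority level access on compromised systems.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F-activity-7072507221774917632-T0LK?utm_source=share&utm_medium=member_android" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>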
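<!-- Card 9. New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/rwx_AI.jpg" alt="RWX-Memory Hunt and Injection with CreateRemoteThread">
  </div>
  <div class="card-content">
    <h3>RWX-Memory Hunt and Injection with CreateRemoteThread</h3>
    <p>Identifying and exploiting RWX memory regions to inject code via CreateRemoteThread technique. Identifies and utilizes RWX (Read-Write-Execute) memory regions for code injection, leveraging CreateRemoteThread to execute the injected code within the target process.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F-%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F%3F-activity-7061008530221033472-_3X6?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>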
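<!-- Card 10. Emphasis was previously written with Unicode "mathematical bold" code points, which screen
     readers announce letter by letter as math symbols; replaced with plain text in <strong>.
     New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/terminate_AI.jpg" alt="Terminator">
  </div>
  <div class="card-content">
    <h3>EDR Terminator (Call It Killer)</h3>
    <p>Attack and Kill the guards, so that you can perform rest of your work easily.
      <strong>Terminating Windows Defender</strong> by using BYOVD technique. A technique designed to disable or bypass Endpoint Detection and Response (EDR) systems, often by targeting and manipulating EDR processes or services to evade detection.</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_edrkiller-malwaredevelopment-mdebypass-activity-7201848552522711042-vySE?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>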
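<!-- Card 11. Emphasis was previously written with Unicode "mathematical italic/bold" code points, which screen
     readers announce letter by letter as math symbols; replaced with plain text in <em>/<strong>.
     New-tab link carries rel="noopener noreferrer" (no window.opener, no referrer leak). -->
<div class="card">
  <div class="card-image">
    <img src="Assets/lagos_AI.jpg" alt="Lagos Island">
  </div>
  <div class="card-content">
    <h3>LSASS.exe Memory Dumping Using Multiple Techniques</h3>
    <p><em>Lsass.exe Memory Dumping using combination of three techniques</em> [<strong>Lagos Island Method (a.k.a ReflectiveLoading), Windows Process Injection: ConsoleWindowClass, Windows Forking</strong>].</p>
    <a class="card-link" href="https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F%3F-activity-7210623488255000576-cEYF?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer">Read More</a>
  </div>
</div>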
<div class="card">
<div class="card-image">
<img src="Assets/uac_Ai.jpg" alt=".NET Profiler">
</div>
<div class="card-content">
<h3>UAC Bypass Using .NET Profiler DLL Loading Vulnerability</h3>
<p>.NET profiler DLL loading can be abused to make a legitimate .NET application load an attacker-controlled DLL, because the profiler to load is selected through process environment variables. This exploit sets those variables so that the Task Scheduler MMC snap-in, which can run elevated without a UAC prompt, loads the malicious DLL, thereby bypassing UAC and obtaining administrator privileges. As with most UAC bypasses, it assumes the current user is already a member of the local Administrators group running at medium integrity; it does not help from a standard user account.</p>
<a href="https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F-%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F%3F-%3F%3F%3F-%3F%3F%3F%3F%3F%3F%3F%3F-activity-7223665314146713601-rySG?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer" class="card-link">Read More</a>
</div>
</div>
<div class="card">
<div class="card-image">
<img src="Assets/callback_AI.jpg" alt="EDR Callbacks">
</div>
<div class="card-content">
<h3>Remove EDR Callbacks Using Vulnerable Driver</h3>
<p>Explores the use of a vulnerable driver to disable EDR callbacks. A BYOVD (Bring Your Own Vulnerable Driver) technique is used to remove the <strong>PsSetCreateProcessNotifyRoutine</strong> callback registered by <strong>Microsoft Defender</strong>. EDRs register kernel callback routines like this one to monitor activity and forward telemetry for further analysis; removing a callback blinds that part of the sensor while the EDR process itself keeps running, which is typically harder to notice than killing the agent outright.</p>
<a href="https://www.linkedin.com/posts/usman-sikander13_edrs-are-complex-solutions-and-key-components-activity-7227289675130916864-deG5?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer" class="card-link">Read More</a>
</div>
</div>
<div class="card">
<div class="card-image">
<img src="Assets/PE_AI.jpg" alt="PE BYOVD">
</div>
<div class="card-content">
<h3>Privilege Escalation Using Vulnerable Driver</h3>
<p>A guide to exploiting vulnerabilities in drivers to escalate privileges on compromised systems. The Micro-Star MSI Afterburner 4.6.2.15658 driver (<strong>RTCore64.sys</strong> / <strong>RTCore32.sys</strong>) allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs once it is loaded, which amounts to full control over the kernel. Note that installing a driver itself requires administrator rights, so the escalation path here is from an already-elevated user to kernel-level/SYSTEM access.</p>
<a href="https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F-%3F%3F-%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F-ugcPost-7226278965731069952-o6dD?utm_source=share&utm_medium=member_desktop" target="_blank" rel="noopener noreferrer" class="card-link">Read More</a>
</div>
</div>
<div class="card">
<div class="card-image">
<img src="Assets/shadow_AI.png" alt="Shadow">
</div>
<div class="card-content">
<h3>Shadow Dumper</h3>
<p>ShadowDumper is a tool for dumping <strong>LSASS</strong> (Local Security Authority Subsystem Service) memory, a step frequently needed in penetration testing and red teaming. It offers users flexible options and uses multiple advanced techniques to dump the process memory, giving access to the sensitive credential material held in LSASS memory. Dumps should be treated as highly sensitive artefacts and securely deleted once the engagement is over.</p>
<a href="https://www.linkedin.com/feed/update/urn:li:activity:7261436209132949504/" target="_blank" rel="noopener noreferrer" class="card-link">Read More</a>
</div>
</div>
</div>
<h2>Writeups For Cyber Community</h2>
<div class="container">
<div class="iframe-container">
<iframe src="BYOVD.pdf" title="Writeup: Bring Your Own Vulnerable Driver (BYOVD)"></iframe>
</div>
<div class="iframe-container">
<iframe src="PEB%20Walk.pdf" title="Writeup: PEB Walk"></iframe>
</div>
<div class="iframe-container">
<iframe src="EDRBYPASS.pdf" title="Writeup: EDR Bypass"></iframe>
</div>
<div class="iframe-container">
<iframe src="Defense_Evasion.pdf" title="Writeup: Defense Evasion"></iframe>
</div>
</div>
</div>
<div class="references">
<h2>References</h2>
<ul style="list-style-type: none; padding: 0;">
<li style="margin-bottom: 10px;">
<a href="https://attack.mitre.org/matrices/enterprise/" style="text-decoration: none; color: #007bff;">https://attack.mitre.org/matrices/enterprise/</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://www.linkedin.com/in/usman-sikander13/" style="text-decoration: none; color: #007bff;">https://www.linkedin.com/in/usman-sikander13/</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://github.com/deepinstinct/Dirty-Vanity" style="text-decoration: none; color: #007bff;">https://github.com/deepinstinct/Dirty-Vanity</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution" style="text-decoration: none; color: #007bff;">https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://github.com/outflanknl/Dumpert" style="text-decoration: none; color: #007bff;">https://github.com/outflanknl/Dumpert</a>
</li>
<li style="margin-bottom: 10px;">
<a href="https://cytomate.net" style="text-decoration: none; color: #007bff;">https://cytomate.net</a>
</li>
<!-- Add more references as needed -->
</ul>
</div>
<div class="disclaimer">
<h2>Disclaimer</h2>
<p>The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. Use them only against systems you own or have explicit written authorization to test. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials; any action taken based on this information is at the user's own risk.</p>
</div>
</body>
</html>