Sr. Offensive Security Researcher | Adversary Emulation | Leading Malware Development and Research Operations.
Combining Unhooking and ETW Patching with ๐3๐๐๐๐๐ to Bypass AV/EDRs

Loader:
1) ETW Patching (EDR monitoring capabilities by strategically patching the Event Tracing for Windows (ETW) framework.)
2) Unhooking ntdll.dll using suspended process.
3) Mapping .text section of hooked ntdll.dll with clean copy.
5) Shellcode as a MAC

Shellcode:
1) Direct syscalls to dump lsass memory
2) Random Procedures and Prototypes
3) Dynamic syscalls resolve using PEB Lookup

URL 1: https://lnkd.in/dyKmggBf
URL 2: https://lnkd.in/dh8VCnt8
URL 3: https://lnkd.in/ddP27HGB
Thank you Usman, great articles!
Penetration Tester / Software Developer | CRTO | eCPTX | PNPT | CRTP | OSCP | eCPPT | CHFI | eMAPT | CEH Practical | Cyber Security Trainer | Ethical Hacker
Perfect! Have you tested it with Bitdefender?