Excited to share our research on Process Parameter Poisoning with Max Hirschberger! We detail a novel process injection technique using parameters as an attack surface & released p3-loader (PoC).
https://t.co/YpllANifct
https://t.co/7mdnHQ2HFY
#Malware#WindowsIntetnals
@TheXC3LL@singe@sensepost We’ve updated our undetected EDR bypass process injection technique post to reference modexp’s original work at https://t.co/rgSTkmzfu2
We've documented a new EDR-bypassing process injection technique from @z3ro2504 & Max Hirschberger on the @sensepost blog. Link to post and code in the replies.
Abusing Handle Elevation to Terminate Windows Defender
New Medium post! In past articles, I covered two techniques: elevating an existing process handle's access rights using BYOVD, and crashing a remote process corrupting its PEB. Now we combine both
https://t.co/UxHnTTPSy5
AI can be integrated in a C2 to automatically detect security software with the list of running processes sent by the implant.
Can you think of any other way to integrate AI into a C2?
Building a Windows Defender Disable Shellcode with Stardust
New Medium post!
After building a reverse shell with Stardust, we now create a shellcode that disables Windows Defender by modifying its registry policy keys
https://t.co/3Rg9COogxo
Handle Permission Elevation via BYOVD
New Medium post, today we continue with the BYOVD list of posts, in this one we'll learn how to elevate the permissions of a process handle by directly patching the GrantedAccess field inside the kernel handle table
https://t.co/YfrWWwq1wu
C/C++ and Rust definitions for Windows API functions and data types
If you've ported Windows C/C++ code to Rust, you've likely faced mismatchd types, different imports, and constant switching between documentation. This tool aims to simplify that process
https://t.co/9I6Win3xwr
DLL Injection via Thread Hijacking Without Executable Memory
New Medium post. Today we cover a technique that combines thread hijacking with Return-Oriented Programming (ROP) to inject a DLL into a remote process without allocating executable memory
https://t.co/agjGzWx69v
New feature: scan results can now be shared publicly. This option is completely optional and remains disabled by default
Example:
https://t.co/PTkXkjQTfN
Word Based Shellcode Encoding
New Medium post. Today, I’d like to share a technique that allows shellcode to be encoded as a sequence of English words. Similar to the classic shellcode to IPv4 encoding approach
https://t.co/LR4zZnrXTV
Silencing EDR File Telemetry: MiniFilter Callback Unlinking
New Medium post. Today we are diving into MiniFilter callbacks, the kernel-level hooks that monitor every file I/O operation on the system. The goal is to silence EDR file telemetry. Lets start!
https://t.co/wQG2SCinL4
New lesson added into the Introduction to Windows Maldev course. The classic shared section process injection!
https://0x12darkdev[.]net/courses/introduction-malware-development/