Personal

Maldev

• [x] Reflective PE Loader, indirect syscalls + cleanup

  • Basically nettitude but with JIT TRIPPING

    Reflective PE loader, indirect syscalls + cleanup & stomping

  • mimikatz will work when compiled by hand

• [ ] Memory evasion

  • https://www.blackhillsinfosec.com/avoiding-memory-scanners/
  • https://media.defcon.org/DEF CON 30/DEF CON 30 presentations/Kyle Avery - Avoiding Memory Scanners Customizing Malware to Evade YARA PE-sieve and More.pdf

• [ ] Havoc Implant

  • Inline shellcode with module overloading
  • https://github.com/rasta-mouse/SharpC2/, https://mehrn00.github.io/blog/posts/tetanus-agent
  • inline assembly
    • ‣, ‣, https://www.accenture.com/us-en/blogs/cyber-defense/clrvoyance-loading-managed-code-into-unmanaged-processes ⇒ Inline assembly. Covers the case where our implant is injected or wrapped by an unmanaged process. Weird Double cross appdomain delegates to resolve something? Avoid DPAPI encryption/decryption for now? Need to figure out how to deal with IOC of assembly in memory.
  • Socks Proxy

  • Windows API and Impersonation Part 1 - How to get SYSTEM using Primary Tokens | zc00l blog (0x00-0x00.github.io) ⇒ steal_token

  • https://github.com/fgsec/SharpGetSystem ⇒ getsystem
  • https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerPick/SharpPick/Program.cs ⇒ powerpick

• [x] Indirect Syscall POC implementations

  • Overloading a DLL

    Dll Overloading

    • SECFORCE - Security without compromise
    • Mapping is actually how loadlibrary/ldrloadlibrary do their magic!
    • Control flow guard is an issue on .net 5/6
      • Sleeping With Control Flow Guard - Icebreaker
        • too unstable, use secforce
      • https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
      • Solution is to simply avoid mapping dlls with control flow guard
    • CONSIDER USING THIS FOR SHELLCODE INJECTION

• [ ] LSASS dumper in memory C#

  • C POC https://web.archive.org/web/20221117081846/https://dec0ne.github.io/research/2022-11-14-Undetected-Lsass-Dump-Workflow/
  • https://github.com/post-cyberlabs/Offensive_tools/blob/main/PostDump/PostDump/

• [x] Azure DevOps payload pipelineimpdr

  • https://blog.xpnsec.com/building-modifying-packing-devops/
  • https://github.com/mgeeky/ProtectMyTooling/ static obfuscation
  • sorta done, PTT kidna buggy and i could only get confuserex to work with the CLI binary
  • [ ] Look into integrating https://github.com/xforcered/InvisibilityCloak

• [ ] A better AMSI/ETW bypass

  • View sharpblock for hardware breakpoints

  • A scuffed managed ETW hook

    ETW Alternative

• [x] Bananaphone indirect syscalls

  bananaphone

• [ ] sektor7 ⇒ vxapi ⇒ C shit

  • https://github.com/vxunderground/VX-API

• [ ] Check out PEzor https://iwantmore.pizza

• [ ] Full PIC shellcode makefile https://github.com/codewhitesec/HandleKatz

  • Check out the PDF too

Operations

• [ ] Midblood - automated ACLs and AD Attack paths
  • Detections
    • https://github.com/jsecurity101/TelemetrySource
• [ ] Adaoptive DLL hijacking?
  • https://github.com/monoxgas/Koppeling
• [ ] Spencer’s list
  • https://taggartinstitute.org/p/responsible-red-teaming
  • https://slayerlabs.com/index.html#ranges
• [ ] Warcon TTPs
  • https://mgeeky.tech/warcon-2022-modern-initial-access-and-evasion-tactics/