ring0
Joined March 2017
Pinned Tweet
Introducing shad0w - A covert post exploitation framework designed to operate quietly on heavily monitored environments. Using a range of techniques including directly calling syscalls, anti-dll injection and in-memory .NET execution to evade EDR. github.com/bats3c/shad0w
batsec retweeted
Replying to @vysecurity
yarh dude - it's kinda weak, as an open source maintainer with so many followers I would think you knew better
batsec retweeted
ANSWER: I found out how to do what I wanted. Here's an awesome article by @_batsec_ blog.dylan.codes/pwning-wind… It turns out that you can just check every process for whether it contains the module wevtsvc.dll. Then you inject into that process and patch EtwEventCallback 5/?
A good anti-cheat system is wayyy more advanced at detecting malicious/cheating users than the best commercial EDR solutions currently available.
Although anti-cheat doesn't need to protect anywhere near the attack surface an EDR solution does. EDR vendors could learn a lot from them.