ring0
Joined March 2017
Pinned Tweet
Introducing shad0w - A covert post exploitation framework designed to operate quietly on heavily monitored environments. Using a range of techniques including directly calling syscalls, anti-dll injection and in-memory .NET execution to evade EDR. github.com/bats3c/shad0w
batsec retweeted
Replying to @vysecurity
yarh dude - it's kinda weak. As an open source maintainer with so many followers, I would think you knew better
batsec retweeted
ANSWER: I found out how to do what I wanted. Here's an awesome article by @_batsec_ blog.dylan.codes/pwning-wind… It turns out that you can just check every process for whether it contains the module wevtsvc.dll. Then you inject into that process and patch EtwEventCallback 5/?
Replying to @infosecuriti
Glad it's helpful. I've written a couple of YARA rules to disable detection for some common techniques. Feel free to add any others you find useful.
Replying to @incredincomp
I wouldn't advise it
Replying to @ilove2pwn_
I'm not saying one can replace the other, just that AC does a much better job detecting malicious code, especially in the kernel
But that's obviously just one tiny area. Which is why I'm saying that EDR can learn from AC