Limelighter
EDRs
| Limelighter | EDRs | |
|---|---|---|
| 4 | 7 | |
| 843 | 1,926 | |
| - | - | |
| 0.0 | 0.0 | |
| about 1 year ago | over 1 year ago | |
| Go | C | |
| MIT License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Limelighter
-
Red team engagement help!
Use lime lighter to fake code sign for better static detection evasion https://github.com/Tylous/Limelighter
- Limelighter - A tool for generating fake code signing certificates or signing real ones
- LimeLighter - A tool for generating fake code signing certificates or signing real ones
EDRs
-
Red team engagement help!
As for the shellcode. Just encrypt the shellcode and use some form of injection like QueueUserAPC injection. If the EDR does usermode hooking, remap NTDLL and Kernel32 first, if it’s kernel mode only (MDE for example) just patch either the Win32 API ETWEventWrite or NT api NTEventTrace with a ret (0x3c on 64 bit x86) an example is here https://github.com/Mr-Un1k0d3r/EDRs/blob/main/unhook_bof.c
-
Testing an XDR solution
Hi, RedCanary from Atomic Red Team is great, but you have to adapt it. Also here are some great infos regarding EDR and how to bypass them : https://github.com/Mr-Un1k0d3r/EDRs
- This repo contains information about EDRs that can be useful during red team exercise.
- Information on EDRs intended to support Red Teamers. The gaps and techniques documents are of huge value to Blue.
- Interesting stuff
-
What EDRs Hook on Microsoft Windows i.e. where the gaps exist in terms of telemetry / detection coverage
Source: https://github.com/Mr-Un1k0d3r/EDRs/pull/5
- EDRs - Hooked Functions from various EDR's
What are some alternatives?
certerator - A tool to generate a custom code signing certificate chain and generate instructions to sign a binary. Useful for establishing persistence on a penetration test.
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
Freeze - Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
SigThief - Stealing Signatures and Making One Invalid Signature at a Time
NSGenCS - Extendable payload obfuscation and delivery framework
CarbonCopy - A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
AceLdr - Cobalt Strike UDRL for memory scanner evasion.
ScareCrow - ScareCrow - Payload creation framework designed around EDR bypass.