Freeze
EDRs
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Freeze
- Red team engagement help!
-
Bypassing Windows Defender 2023
At the moment I am trying to obfuscate a cobaltstrike exe beacon. I tried with https://github.com/optiv/Freeze and with a custom shellcode loader (encrypted in AES) in C++ but I didn't get any luck.
- Freeze - a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
- Freeze - Payload Generation Toolkit for Bypassing EDR
- Freeze: Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods on Windows
EDRs
-
Red team engagement help!
As for the shellcode. Just encrypt the shellcode and use some form of injection like QueueUserAPC injection. If the EDR does usermode hooking, remap NTDLL and Kernel32 first, if it’s kernel mode only (MDE for example) just patch either the Win32 API ETWEventWrite or NT api NTEventTrace with a ret (0x3c on 64 bit x86) an example is here https://github.com/Mr-Un1k0d3r/EDRs/blob/main/unhook_bof.c
-
Testing an XDR solution
Hi, RedCanary from Atomic Red Team is great, but you have to adapt it. Also here are some great infos regarding EDR and how to bypass them : https://github.com/Mr-Un1k0d3r/EDRs
- This repo contains information about EDRs that can be useful during red team exercise.
- Information on EDRs intended to support Red Teamers. The gaps and techniques documents are of huge value to Blue.
- Interesting stuff
-
What EDRs Hook on Microsoft Windows i.e. where the gaps exist in terms of telemetry / detection coverage
Source: https://github.com/Mr-Un1k0d3r/EDRs/pull/5
- EDRs - Hooked Functions from various EDR's
What are some alternatives?
SigThief - Stealing Signatures and Making One Invalid Signature at a Time
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
ScareCrow - ScareCrow - Payload creation framework designed around EDR bypass.
Limelighter - A tool for generating fake code signing certificates or signing real ones
NSGenCS - Extendable payload obfuscation and delivery framework
CarbonCopy - A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
aes_dinvoke - a repository that contains the program.cs source file that has D/Invoke bare minimum implementation and AES encryption for shellcode execution
go - The Go programming language
AceLdr - Cobalt Strike UDRL for memory scanner evasion.