Freeze
SigThief
Freeze | SigThief | |
---|---|---|
8 | 2 | |
1,317 | 1,943 | |
- | - | |
5.0 | 10.0 | |
9 months ago | almost 3 years ago | |
Go | Python | |
MIT License | BSD 3-clause "New" or "Revised" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Freeze
- Red team engagement help!
-
Bypassing Windows Defender 2023
At the moment I am trying to obfuscate a cobaltstrike exe beacon. I tried with https://github.com/optiv/Freeze and with a custom shellcode loader (encrypted in AES) in C++ but I didn't get any luck.
- Freeze - a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
- Freeze - Payload Generation Toolkit for Bypassing EDR
- Freeze: Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods on Windows
SigThief
-
Hackers exploited Windows 0-day for 6 months after Microsoft knew of it
> To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements.
That’s a very bold statement when you can replicate a signature, so now the malware is “trustworthy” https://github.com/secretsquirrel/SigThief
-
Red team engagement help!
I think this is also similar to this https://github.com/secretsquirrel/SigThief
What are some alternatives?
ScareCrow - ScareCrow - Payload creation framework designed around EDR bypass.
Limelighter - A tool for generating fake code signing certificates or signing real ones
AceLdr - Cobalt Strike UDRL for memory scanner evasion.
NSGenCS - Extendable payload obfuscation and delivery framework
EDRs
aes_dinvoke - a repository that contains the program.cs source file that has D/Invoke bare minimum implementation and AES encryption for shellcode execution
go - The Go programming language
CarbonCopy - A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux