CarbonCopy
A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
Use Limelighter to fake code-sign for better static detection evasion: https://github.com/Tylous/Limelighter
I think this is also similar to this: https://github.com/secretsquirrel/SigThief
As for the shellcode: just encrypt the shellcode and use some form of injection like QueueUserAPC injection. If the EDR does usermode hooking, remap NTDLL and Kernel32 first; if it's kernel mode only (MDE for example), just patch either the Win32 API ETWEventWrite or the NT API NTEventTrace with a ret (0x3c on 64 bit x86). An example is here: https://github.com/Mr-Un1k0d3r/EDRs/blob/main/unhook_bof.c
But I do always highly recommend writing a custom DLL loader for your payloads. And with CS, make sure you're using a custom reflective loader, something like AceLDR: https://github.com/kyleavery/AceLdr
Never failed to get execution on target using this: https://github.com/t3hbb/NSGenCS
Funny enough, I've had some luck with fake-signing exes: https://github.com/paranoidninja/CarbonCopy. It's a little old, so your mileage might vary (I honestly haven't used it in a year or so), but in a pinch I've fake-signed with the microsoft.com public cert and it bypassed AV and EDR tools.