Category: EDR

DFIR vs EDR vs Malware Analysis vs Cyber Crime vs Legally Admissible Digital Forensics vs Law Enforcement . (Don’t get it twisted. )

Cyber Security can become very convoluted due to similarities, but the nuances makes a big differences. Allot of people talk about the above terms as if there are all the same use cases. I am going to just detail the differences for these use cases. Even thou, the technical skills are the same level.

Write Blocker

EDR / MDR Buyer’s Guide

Reference

Bypass Evade AV/EDR / Remoting

Questions to ask AV/EDR vendors

Using this questions to not only evaluate other vendors but also get a discount on there offerings.

• Has your NextGen AV / EDR ever being bypassed ?
  • What are some examples and how has this being addressed?
  • Has your agent caused any Endpoint performance degradation or outages?
  • Have you had any outages or latency issues with your SaaS based platform and/or outages?
  • Has your agent caused any production outages for any of your customers?

• https://github.com/MrEmpy/Awesome-AV-EDR-XDR-Bypass
• Bishop Fox

https://github.com/BishopFox/sliver

https://arstechnica.com/information-technology/2022/08/newfangled-edr-malware-detection-generates-billions-but-is-easy-to-bypass/

• Brutel
  • https://bruteratel.com/
• Bypass EDR
  • https://github.com/byt3bl33d3r/SILENTTRINITY
  • https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/excel_com_bin.nim
  • https://mgeeky.tech/uploads/WarCon22%20-%20Modern%20Initial%20Access%20and%20Evasion%20Tactics.pdf
• Spoofing EDR – https://labs.withsecure.com/blog/forging-swift-mt-payment-messages/
• Mangle – https://github.com/optiv/Mangle
• Juicy Patato – https://github.com/ohpe/juicy-potato
• Ransomeware demo
  • https://github.com/jade01win/demon
  • Kali
    • git clone https://github.com/jade01win/demon
    • cd demo
    • vi demo.py # edit host/port
  • Windows
    • git clone https://github.com/jade01win/demon
    • pip install py2exe
    • pip install pywheel
    • pip install pyinsallter
    • pip install pycryptodome
  • Use py2exe to compile demon;py “setup.py”
    • from ditutils.core import setup
    • import py2exe
    • setup(console=[‘demo.py’])
    • —–
    • python setup.py py2exe
• uninstall software components via wmic
  • wmic product WHERE NAME=’Device Control’ call uninstall
• Inbound network connections;
  • Bruteforce SSH, SMB, and RDP not support, only outbpound network connections supported by EDR.
  • Crackmap – https://github.com/byt3bl33d3r/CrackMapExec
  • Impacket
• Azurehood after ASMI bypass
• ASMI Bypass
  • https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
  • https://github.com/Dec0ne
  • https://github.com/Dec0ne/AMS-BP
• Excel malware laroux (excel 97 template )
  • https://www.f-secure.com/v-descs/laroux.shtml
  • https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf
  • https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:X97M/Laroux
  • example – https://bazaar.abuse.ch/sample/f5c141a5a08bd18e0b8a21fbf2231331ccb1fba761e9dc7d45d787e5156c5b8a/
• https://www.linkedin.com/posts/mahdi-hatami-_hunting-dfir-threathunting-ugcPost-6763025441952436224-2CCb
• https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
• https://github.com/Mr-Un1k0d3r/RedTeamCCode/blob/main/minidump_crowdstrike_bypass64.c
• https://github.com/Mr-Un1k0d3r/EDRs
• https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs
• https://arty-hlr.com/blog/2021/05/06/how-to-bypass-defender/
• https://github.com/AdrianVollmer/PowerHub
• http://blog.noobroot.com/2013/09/bypassing-kaspersky-anti-virus-2014.html
• bypassing-av
• Penetration Testing_ The Quest For Fully UnDetectable Malware
• https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
• https://www.linkedin.com/feed/update/urn:li:activity:6923355088564465665/
• https://mrd0x.com/cortex-xdr-analysis-and-bypass/
• https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
• https://www.erdalozkaya.com/evading-industry-leading-endpoint-protection/

Red Team Tools

• Nuclei Templates
  • https://nuclei-templates.netlify.app/
• Identifies attempt to coerce a local NTLM authentication via HTTP using Printer Spooler service as a target. Anadversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
  • https://github.com/topotam/PetitPotam
  • https://github.com/med0x2e/NTLMRelay2Self
• https://github.com/S3cur3Th1sSh1t/MultiPotato
• The Curious Case Of Mavinject.Exe
  • https://fourcore.io/blogs/mavinject-curious-process-injection?fbclid=IwAR1JrmFp5otKS-jx1UidsjPBvL6zoAKKiWY7PThZlBdvNCM-mLuoPNp8bSU
  • https://www.linkedin.com/posts/soumyadeep-bas_this-week-i-read-an-awesome-analysis-of-a-activity-6929052791399137280-LrLV?utm_source=linkedin_share&utm_medium=member_desktop_web
• Potato
  • https://github.com/S3cur3Th1sSh1t/MultiPotato
  • https://orange-cyberdefense.github.io/ocd-mindmaps/