detection-evasion.md

detection evasion

WARNING: Proceed with extreme caution! 速查！HW 热门免杀工具 ShellCodeLoader 加载器确认投毒

Collections

Antivirus/EDR evasion

• es3n1n/no-defender - A slightly more fun way to disable windows defender + firewall. (through the WSC api) - 使用avast av的白程序让defender以为有杀毒软件在工作，然后就关闭了
• iamagarre/BadExclusionsNWBO - BadExclusionsNWBO is an evolution from BadExclusions to identify folder custom or undocumented exclusions on AV/EDR - 找EDR钩子白名单的，有用
• MalwareTech/EDR-Preloader - An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer
• lap1nou/CLR_Heap_encryption - This is a POC for a CLR sleep obfuscation attempt. It use IHostMemoryManager interface to control the memory allocated by the CLR. Turns out you can use both ICorRuntimeHost and ICLRRuntimeHost at the same time, so we can still use ICorRuntimeHost to run an assembly from memory while having all the benefits from ICLRRuntimeHost
• ASkyeye/UnlinkDLL - DLL Unlinking from InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList, and LdrpHashTable
• Mr-Un1k0d3r/.NetConfigLoader - List of .Net application signed by Microsoft that can be used to load a dll via a .config file. Ideal for EDR/AV evasion and execution policy bypass - DLL有签名就能加载
• Ridter/RealBlindingEDR - Remove AV/EDR Kernel ObRegisterCallbacks、CmRegisterCallback、MiniFilter Callback、PsSetCreateProcessNotifyRoutine Callback、PsSetCreateThreadNotifyRoutine Callback、PsSetLoadImageNotifyRoutine Callback
• BlackSnufkin/NovaLdr - Threadless Module Stomping In Rust with some features (In memory of those murdered in the Nova party massacre)
• gtworek/PSBits: FakeOwnCmdLine.c - 修改PEB伪造命令行参数
• deepinstinct/ContainYourself - A POC of the ContainYourself research presented in DEF CON 31, which abuses the Windows containers framework to bypass EDRs - 创建容器来绕过MiniFilter检测
• ZeroMemoryEx/Blackout - kill anti-malware protected processes (BYOVD) - 用的GMER驱动，有签名
• tkmru/awesome-edr-bypass - Awesome EDR Bypass Resources For Ethical Hacking
• f1zm0/acheron - indirect syscalls for AV/EDR evasion in Go assembly
• Dec0ne/HWSyscalls - HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP
• JustasMasiulis/inline_syscall - Header only library that allows you to generate direct syscall instructions in an optimized, inlineable and easy to use manner
• ired.team: Retrieving ntdll Syscall Stubs from Disk at Run-time
• bananabr/TimeException - A tool to find folders excluded from AV real-time scanning using a time oracle
• optiv/Freeze - a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
• Ciyfly/microwaveo - 将dll exe 等转成shellcode 最后输出exe 可定制加载器模板 支持白文件的捆绑 shellcode 加密
• rad9800/TamperingSyscalls - TamperingSyscalls is a 2 part novel project consisting of argument spoofing and syscall retrival which both abuse EH in order to subvert EDRs
• trickster0/TartarusGate - TartarusGate, Bypassing EDRs
• 1y0n/AV_Evasion_Tool - 掩日 - 免杀执行器生成工具 - 1.5K star
• RedTeamOperations/Journey-to-McAfee - 使用mcafee的DLL来实现进程注入，执行过程中mcafee不会有报警
• ytk2128/dll-merger - Merging DLLs with a PE32 EXE without LoadLibrary - 直接修改PE结构，来实现DLL和PE合并，不知道是否所有场景都能用
• mdsecactivebreach/ParallelSyscalls - EDR Parallel-asis through Analysis - ntdll!LdrpThunkSignature用来检测函数是否被挂钩，可以用于构造syscall
• y11en/PEBFake - PEBFake(修改PEB 伪装当前进程路径、参数等)
• Cracked5pider/KaynLdr - KaynLdr is a Reflective Loader written in C/ASM - 基于syscall实现，完全手写的DLL注入，注入后执行手写的PE加载器，非常高级
• wavestone-cdt/EDRSandblast - a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring - 最近发布了一个DefCon30Release分支
  • https://github.com/gabriellandau/EDRSandblast-GodFault
• aaaddress1/Skrull - a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted
• tanc7/EXOCET-AV-Evasion - AV-evading, undetectable, payload delivery tool
• Stack Spoofing
  • countercept/CallStackSpoofer - A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess) - 创建线程，修改CONTEXT实现StackFrame伪造，最后用VEH从异常里恢复并让线程退出
  • Cobalt-Strike/CallStackMasker - A PoC implementation for dynamically masking call stacks with timers
  • susMdT/LoudSunRun - Stack Spoofing with Synthetic frames based on the work of namazso, SilentMoonWalk, and VulcanRaven
  • mgeeky/ThreadStackSpoofer - Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts - 跟上面的手段类似
  • klezVirus/SilentMoonwalk - PoC Implementation of a fully dynamic call stack spoofer
• https://www.cyberark.com/resources/threat-research-blog/hook-heaps-and-live-free
  • Idov31/Cronos - PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners - 这个不是shellcode，是基于CreateWaitableTimerW的一个例子
  • janoglezcampos/DeathSleep - A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution
  • waldo-irc/LockdExeDemo - hook sleep函数，sleep时挂起所有其他线程，加密堆上分配的内存
  • SolomonSklash/SleepyCrypt - A shellcode function to encrypt a running process image when sleeping - 挨个处理PE节，通过XOR混淆
  • mgeeky/ShellcodeFluctuation - An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
  • IcebreakerSecurity/Ekko_CFG_Bypass - A PoC for adding NtContinue to the CFG allowed list in order to make callback-based sleep obfuscation techniques work in a CFG protected process - 这个兼容开启了CFG的程序，有一个64位SetProcessValidCallTargets的例子
  • Kudaes/Shelter - ROP-based sleep obfuscation to evade memory scanners
• klezVirus/inceptor - Template-Driven AV/EDR Evasion Framework
• timwhitez/Doge-Assembly - Golang evasion tool, execute-assembly .Net file - DLL unhook/ETW禁用/blockdlls/父进程修改等等
• Airboi/bypass-av-note - 免杀技术大杂烩---乱拳也打不死老师傅
• persianhydra/Xeexe-TopAntivirusEvasion - Undetectable & Xor encrypting with custom KEY (FUD Metasploit Rat) bypass Top Antivirus like BitDefender,Malwarebytes,Avast,ESET-NOD32,AVG,... & Automatically Add ICON and MANIFEST to excitable
• Mr-Un1k0d3r/EDRs - information about EDRs that can be useful during red team exercise - 通过判断第一个指令是否为JMP来检查函数是否被Hook，并给出了多个EDR的hook列表
• s3cur3th1ssh1t: A tale of EDR bypass methods
• gist: theevilbit/divide_and_conquer.c - Divide and Conquer NextGen AV bypass - 方法太low了，无实战价值
• gnxbr/Fully-Undetectable-Techniques - I will post here my research aiming Fully UnDetectable (FUD) techniques and tools - 大多是基于CreateDesktop的
• ethereal-vx/Antivirus-Artifacts - Anti-virus artifacts. Listing APIs hooked by: Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro, and WebRoot
• outflanknl/TamperETW - selectively forward .NET ETW events
• matterpreter/SHAPESHIFTER - 通过syscall绕过hook
• ayoul3/reflect-pe - Reflectively load PE - 带一个关键词替换功能
• scrt/avcleaner - C/C++ source obfuscator for antivirus bypass
• nickcano/ReloadLibrary - A quick-and-dirty anti-hook library proof of concept - 2018停更，这个是遍历和还原IAT Hook，没啥用
• CylanceVulnResearch/ReflectiveDLLRefresher - a standalone test harness for scanning the process's memory space and unhooking the currently loaded libraries，恢复AV钩子的
• optiv/ScareCrow - Payload creation framework designed around EDR bypass - 也是从文件恢复钩子的方法
  • https://github.com/timwhitez/ScareCrow-Common
• secretsquirrel/SigThief - Stealing Signatures and Making One Invalid Signature at a Time
• Shellter - AV Evasion Artware
• Hackplayers/Salsa-tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched
• Ch0pin/AVIator - Antivirus evasion project
• Mr-Un1k0d3r/DKMC - DKMC - Dont kill my cat - Malicious payload evasion tool
• Mr-Un1k0d3r/UniByAv - a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly
• silentsignal/av-breaking - Bare Knuckled AV Breaking
• AbedAlqaderSwedan1/ASWCrypter - An Bash&Python Script For Generating Payloads that Bypasses All Antivirus so far FUD
• rootm0s/Protectors - Obfuscator, Encryption, Junkcode, Anti-Debug, PE protection/modification
• threatexpress/metatwin - a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another
• Ekultek/Graffiti - A tool to generate obfuscated one liners to aid in penetration testing
• DiabloHorn/cliramdisk - A reduced functionality cli client for the imdisk ram disk driver
• perturbed-platypus - EDR Is Coming; Hide yo Sh!t - 将payload存储到UEFI
• AdrianVollmer/PowerHub - A web application to transfer PowerShell modules, executables, snippets and files while bypassing AV and application whitelisting - 支持EXE/PS1远程加载
• TideSec/BypassAntiVirus - 远控免杀系列文章及配套工具，搜集汇总了互联网上的几十种免杀工具和免杀方法 - 没啥用，只记录
• the-xentropy/xencrypt - A PowerShell script anti-virus evasion tool
• DeEpinGh0st/AutoRemove - 利用PyautoGUI实现的对防病毒软件的自动化卸载
• Red Team Tactics: Hiding Windows Services - 通过SetServiceObjectSecurity修改权限实现隐藏，测试不影响服务启动。

Windows defender

• S12cybersecurity/WinDefenderKiller - 修改注册表关闭defender监控
• EspressoCake/DefenderPathExclusions - Creation and removal of Defender path exclusions and exceptions in C# - 通过WMI操作，支持远程加白
• SafeBreach-Labs/wd-pretender - Compatible with Windows Defender platform version 4.18.2302.7 and earlier - 修改VDM特征码，删除特定规则实现免杀
• taviso/loadlibrary - Porting Windows Dynamic Link Libraries to Linux - 可以运行defender去扫描
• f-secure: Bypassing Windows Defender Runtime Scanning - 使用 PAGE_NOACCESS 防止AV扫描
• hfiref0x/WDExtract - Extract Windows Defender database from vdm files and unpack it - 2020停更，但是2022.03测试有效
• commial/experiments/windows-defender - 包含ASR的分析和Luac转换工具，使用luadec可以反编译
• gist: mattifestation/ExpandDefenderSig.ps1 - Decompresses Windows Defender AV signatures for exploration purposes
• last-byte/unDefender - Killing your preferred antimalware by abusing native symbolic links and NT paths - 启动TrustedInstaller服务，使用NtImpersonateThread切换token后，关闭WdFilter服务，之后利用软连接让Defender服务加载错误的驱动，实现杀软的关闭
  • timwhitez/StopDefender - Stop Windows Defender programmatically - 原理类似
• securemode/DefenderKeys - Quick PowerShell script to extract any exclusions configured for Windows Defender

EDR Telemetry

• gist: jthuraisamy/loaded_psp_drivers.cpp - Loaded Security Product Drivers
• jthuraisamy/TelemetrySourcerer - Enumerate and disable common sources of telemetry used by AV/EDR - 用驱动删除AV的回调和钩子 - 得自己编译
• carbonblack/cbapi - server_apis/proto/sensor_events.proto - CB通信内容，2017年的PB定义，仅供参考
• microsoft: Understand the advanced hunting schema in Microsoft Defender for Endpoint
• microsoft: Collect support logs in Microsoft Defender for Endpoint using live response - 原先的MDATPClientAnalyzer程序

Restriction/whitelist bypass

• bohops/UltimateWDACBypassList - A centralized resource for previously documented WDAC bypass techniques
• Mr-Un1k0d3r/Windows-SignedBinary - bypass endpoint solution that block known "malicious" signed application such as "regsvr32.exe" - 生成HASH不同，但是有微软签名的程序。方法是随机修改几个字节，检查签名是否还有效
• rootm0s/WinPwnage - Elevate, UAC bypass, persistence, privilege escalation, dll hijack techniques
• SafeBreach-Labs/BACE - Mapping of Binaries that allows Arbitrary Code Execution
• GreatSCT/GreatSCT - an open source project to generate application white list bypasses
• infosecn1nja/MaliciousMacroMSBuild - Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass
• Jumbo-WJB/windows_exec_ways
• gist: All System32 DLL export functions that contain "RunDLL", an indicator that it's designed to run with rundll32.exe
• rvrsh3ll/CPLResourceRunner - Run shellcode from resource
• fireeye/DueDLLigence - Shellcode runner for all application whitelisting bypasses
• Neo23x0/DLLRunner - a smart DLL execution script for malware analysis in sandbox systems
• bohops/GhostBuild - a collection of simple MSBuild launchers for various GhostPack/.NET projects
• outflanknl/NetshHelperBeacon - Example DLL to load from Windows NetShell - 没啥用
• trustedsec/auto_SettingContent-ms - a quick POC for using the Matt Nelson (enigma0x3) technique for generating a malicious .SettingContent-ms extension type for remote code execution - 执行方法与HTA一致
• jpginc/xbapAppWhitelistBypassPOC - A POC application whitelisting XBAP project
• Powershell
  • p3nt4/PowerShdll - Run PowerShell with rundll32. Bypass software restrictions
  • Ben0xA/nps - Not PowerShell
  • bitsadmin/nopowershell - PowerShell rebuilt in C# for Red Teaming purposes
  • Cn33liz/CScriptShell - a Powershell Host running within cscript.exe
  • leechristensen/UnmanagedPowerShell - Executes PowerShell from an unmanaged process
  • Cn33liz/p0wnedLoader - 远程加载加密的 p0wnedShell，使用反射机制
  • mgeeky/Stracciatella - OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI and Script Block Logging disabled
  • OmerYa/Invisi-Shell - Hide your Powershell script in plain sight. Bypass all Powershell security features
  • decoder-it/powershellveryless - Constrained Language Mode + AMSI bypass all in one
  • PowerTools/PowerPick - Various ways of executing Powershell functionality without the use of Powershell
  • Mr-Un1k0d3r/PowerLessShell - Run PowerShell command without invoking powershell.exe
• WMI
  • 0xbadjuju/WheresMyImplant - A Bring Your Own Land Toolkit that Doubles as a WMI Provider
• Applocker
  • shells.systems - AppLocker在NTFS扩展属性里缓存文件HASH，PSBits里的CopyEA工具可以将这个HASH修改成白名单里的值，并绕过AppLocker
  • api0cradle/UltimateAppLockerByPassList - The goal of this repository is to document the most common techniques to bypass AppLocker
  • freshness79/unlock - Microsoft Applocker evasion tool
  • cyberark/Evasor - an automated security assessment tool which locates existing executables on the Windows operating system that can be used to bypass any Application Control rules
• api0cradle/LOLBAS - Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
  • LOLBAS-Project/LOLBAS
  • Living Off The Land Binaries and Scripts (and also Libraries)
  • CTI-Driven/LOLBins - The LOLBins CTI-Driven (Living-Off-the-Land Binaries Cyber Threat Intelligence Driven) is a project that aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion in a graphical and digestible format for the TIPs platform using the STIX format

白加黑

• marpie/signed-loaders - signed-loaders documents Windows executables that can be used for side-loading DLLs
• bohops.com - Exploring the WDAC Microsoft Recommended Block Rules: VisualUiaVerifyNative - 很多有签名的 .NET 程序，会使用 BinaryFormatter 反序列化，可以用来执行任意操作

Credential guard

• Adepts-Of-0xCC/SnoopyOwl
  • A physical graffiti of LSASS: getting credentials from physical memory for fun and learning
• teamhydra: Bypassing Credential Guard - 内存修改 lsass wdigest!g_IsCredGuardEnabled 和 wdigest!g_fParameter_useLogonCredential
  • https://github.com/wh0nsq/BypassCredGuard
  • PorLaCola25/TransactedSharpMiniDump - using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets
• Do You Really Know About LSA Protection (RunAsPPL) - 主要参考PS_PROTECTED_SIGNER枚举，以及哪些程序可以打开PPL保护的进程

Lsass dump

• antonioCoco/MalSeclogon - A little tool to play with the Seclogon service - 利用泄露的handle实现lsass DUMP
• Barbarisch/forkatz - credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege
• deepinstinct/LsassSilentProcessExit - Command line interface to dump LSASS memory to disk via SilentProcessExit - 调用RtlReportSilentProcessExit函数，使WerSvc服务立即为指定的PID生成MiniDump，比直接调用MiniDump更加隐蔽
• anshaxing/Dumphash - 绕过杀软dumphash 离线读取
• jfmaes/SharpHandler - 使用已有的lsass handle来读取内存
• b4rtik/SharpMiniDump - Create a minidump of the LSASS process from memory - pinvoke + syscall方式，更加隐蔽
• CCob/MirrorDump - Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory
• gitjdm/dumper2020 - Yet another LSASS dumper
• ricardojoserf/TrickDump - Dump lsass using only NTAPIS running 3 programs to create 3 JSON and 1 ZIP file... and generate the Minidump later
• YOLOP0wn/POSTDump - POSTDump is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding call to the Windows API MiniDumpWriteDump function. The dump logic code is saved under the POSTMinidump project, feel free to use it for your own projects.
• outflanknl/Dumpert - LSASS memory dumper using direct system calls and API unhooking - 持续更新，而且有CS的组件
• FSecureLABS/physmem2profit - create a minidump of a target host's LSASS process by analysing physical memory remotely
• Hackndo/lsassy - Extract credentials from lsass remotely - 通过wmi或者at远程执行命令，远程生成dump后直接解析并提取密码
• cube0x0/MiniDump - C# Lsass parser - 参考pypykatz实现了minidump解析，以及部分lsass内存处理
• seventeenman/CallBackDump - 能过卡巴、核晶、defender等杀软的dump lsass进程工具
  • https://tttang.com/archive/1810/
• D1rkMtr/DumpThatLSASS
• Iansus/SilentLsassDump - Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk , plus functions and strings obfuscation , it contains Anti-sandbox , if you run it under unperformant Virtual Machine you need to uncomment the code related to it and recompile
• hoangprod/AndrewSpecial - dumping lsass' memory stealthily and bypassing "Cilence" since 2019 - 恢复ReadVirtualMemory钩子，让MiniDumpWriteDump不被监控到，可以绕过EDR获取lsass的dump
• OneSourceCat/creddump - creddump bypass AV - RPC触发lsass加载DLL
• b4rtik/ATPMiniDump - Evading WinDefender ATP credential-theft - 替换 MiniDumpWriteDump 为 PssCaptureSnapshot 即可
• lengjibo/RedTeamTools/MiniDump - 使用COMSVCS!MiniDumpW创建，效果等同于dbghelp!MiniDumpWriteDump
• GhostPack/SharpDump - a C# port of PowerSploit's Out-Minidump.ps1 functionality

AMSI

• MzHmO/DebugAmsi - DebugAmsi is another way to bypass AMSI through the Windows process debugger mechanism
• waawaa/AMSI_Rubeus_bypass - AMSI bypass hooking NtCreateSection
• Flangvik/AMSI.fail - C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process
• gist: In-Process Patchless AMSI Bypass - 用断点方式，不用内存补丁，但是感觉很鸡肋
• gist: mattifestation/AMSIScriptContentRetrieval.ps1 - PoC code used to demonstrate extracting script contents using the AMSI ETW provider
• countercept/AMSIDetection - AMSI detection PoC - 检测AMSI绕过的POC，对比硬盘上的amsi.dll与内存加载的版本section hash是否一致来实现的
• tokyoneon/Chimera - a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial antivirus solutions
• didierstevens.com: New Tool: amsiscan.py
• spectorops: Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI - 通过amsi.dll关键词，枚举使用AMSI的EXE；通过ETW发现WinRM在产生 Microsoft-Antimalware-Scan-Interface 事件；逆向 JAmsiIsScannerNeeded 发现WMI有一套CRC白名单机制
• RythmStick/AMSITrigger - The Hunt for Malicious Strings - pinvoke 调用 AmsiScanBuffer，定位特征码；他是按照4KB切割后，分段检测的，与实际检测结果不一定一致
• atxsinn3r/amsiscanner - A C/C++ implementation of Microsoft's Antimalware Scan Interface
• cobbr/PSAmsi - a tool for auditing and defeating AMSI signatures

Signature identification

• scrt/avdebugger - Most antivirus engines rely on strings or other bytes sequences, function exports and big integers to recognize malware. This project helps to automatically recover these signatures
• hegusung/AVSignSeek - Tool written in python3 to determine where the AV signature is located in a binary/payload
• utds3lab/multiverse - A static binary rewriter that does not use heuristics
• matterpreter/DefenderCheck - Identifies the bytes that Microsoft Defender flags on - 2K star，二分法调用Defender静态扫描、定位特征码
  • https://github.com/gatariee/gocheck
• rasta-mouse/ThreatCheck - Identifies the bytes that Microsoft Defender / AMSI Consumer flags on

Linux

• tokyoneon/Armor - Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners
• Bashfuscator - A fully configurable and extendable Bash obfuscation framework

Traffic analysis evasion

• 1tayH/noisy - A simple python script that generates random HTTP/DNS traffic noise in the background while you go about your regular web browsing, to make your web traffic data less valuable for selling and for extra obscurity
• xpn/appproxyc2 - This repo contains a simple POC to show how to tunnel traffic through Azure Application Proxy
• rvrsh3ll/FindFrontableDomains - Search for potential frontable domains - 查询alexa top 1000，看哪些CNAME指向了cloudfront、akamai、appspot等地址，这些是可以被利用的
• redteam-cyberark/Google-Domain-fronting - Domain fronting using Google app engine
• vysec/DomainFrontingLists - A list of Domain Frontable Domains by CDN
• kirillwow/ids_bypass - IDS Bypass tricks
• Evading Microsoft ATA - 2017年的很老了，需要重测，仅作为参考

Sandbox/cloud based detection evasion

• violentlydave/mkhtaccess_red - Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload
• David-Reguera-Garcia-Dreg/anticuckoo - A tool to detect and crash Cuckoo Sandbox
• a0rtega/pafish - a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do
• LordNoteworthy/al-khaser - Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection
• AlicanAkyol/sems - Virtualbox, VirtualMachine, Cuckoo, Anubis, ThreatExpert, Sandboxie, QEMU, Analysis Tools Detection Tools
• Arvanaghi/CheckPlease - Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust
• sharepub/CheckVM-Sandbox
• fr0gger/RocProtect-V1 - Emulating Virtual Environment to stay protected against advanced malware
• G4lB1t/SmoothCriminal - Detect sandbox by cursor movement speed - cuckoo的鼠标模拟是固定的，不够随机
• LloydLabs/wsb-detect - enables you to detect if you are running in Windows Sandbox ("WSB")
• ZanderChang/anti-sandbox - Windows对抗沙箱和虚拟机的方法总结
• 常见思路 - 如果读取注册表、检查沙箱、执行 ping 实现延迟、GetTickCount，会被杀软标记为可疑行为
  • 检查文件名长度是否为32或者包含.md5.exe
  • 桌面上的图标数量
  • 使用 GetForegroundWindow + Sleep 检查用户是否切换过窗口且数量大于3
  • 若 py saz pcap chls 之一存在文件关联，判断为沙箱环境
  • 使用 GetMonitorInfoA 检查分辨率是否高于 800x600（360有物理机无效）
  • 检查日期，只在周三启动
  • Summary of recent Anti-Sandbox Tricks - 检查声卡 DirectShow 的案例
  • Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor - 这个是规则检测
  • 从%WINDIR%\inf\setupapi.setup.log日志里获取BIOS等信息。使用WMI查询可能导致EDR报警

Steganography 隐写术

• Und3rf10w/boblobblob - hiding git blobs in plain sight
• peewpw/Invoke-PSImage - Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
• DominicBreuker/stego-toolkit - Collection of steganography tools - helps with CTF challenges
• Under the hood: Hiding data in JPEG images

Uncategorized

• Tylous/ZipExec - A unique technique to execute binaries from a password protected zip
• OsandaMalith/PE2HTML - Injects HTML/PHP/ASP to the PE
• gh0stkey/avList - 杀软进程对应杀软名称 - 列表质量很差，还有一些病毒的名字，而且还区分大小写，有重复项目
• Allocated filter altitudes - 可用来做驱动黑名单
• Malware researchers - Beware of GetProcAddress spoofing via manipulation of PE format in memory - 就是修改IAT，小trick没啥用

Resources

• https://evasions.checkpoint.com/
• blackhat EU-21-Nisi-Lost-In-The-Loader - 不同版本的Windows，PE加载略有不同，可以利用这个特性绕过沙箱
  • Win7 doesn’t accept executables with ImageBase = 0
  • Win7 and 10 check SizeOfHeaders under specific conditions, XP does not
  • Win7 and XP accept relocation types that 10 does not
  • Win7 and 10 discard binaries with entry point within the header
  • Win7 does not load binaries whose SizeOfImage is smaller than the offset of the last byte of the section table
• Unprotect Project
• Anti-Virus, No Thanks - Mark Baggett - 很老的免杀技术了，仅供参考
• xcon2016: 用深入解析AV虚拟机&高级Bypass技术
• A Guide to Reversing and Evading EDRs: Part 1
• Thread and Process State Change - Win10 20.04新增API NtCreateProcessStateChange
• Operators, EDR Sensors, and OODA Loops
  • A Guide to Reversing and Evading EDRs: Part 1
• Maelstrom: EDR Kernel Callbacks, Hooks, and Call Stacks