Throughout the Art of Anti Detection series we have mainly looked at methods for bypassing automated security products, but in this part we will focus on several self-defense methods for protecting our foothold on the target machines against actual users. These users may be technically insufficient employees or they may be blue team members in a cyber incident division of a company. Our goal is to stay alive and hide our presence inside the target system without having any privileges. But before getting deeper i advise you to read the previous articles of this series, because these methods will include a lot of shellcoding and API hooking thus requires prior knowledge. Now lets get to it !Read More
Category: Operating System
Offensive IAT Hooking
This article will be about using IAT hooking methods for offensive purposes. These methods can be used in multiple situations where attacker needs to evade certain defense and analysis mechanism or hide from the victim in low privileged environments. Before getting into the technical stuff reader needs to be familiar with the following terminology. Read More
Introducing New Packing Method: First Reflective PE Packer Amber
Because of the increasing security standards inside operating systems and rapid improvements on malware detection technologies today’s malware authors takes advantage of the transparency offered by in-memory execution methods. In-memory execution or fileless execution of a PE file can be defined as executing a compiled PE file inside the memory with manually performing the operations that OS loader supposed to do when executing the PE file normally. In-memory execution of a malware facilitates the obfuscation and anti-emulation techniques. Additionally the malware that is using such methods leaves less footprints on the system since it does not have to possess a file inside the hard drive. Combining in-memory execution methods and multi stage infection models allows malware to infect systems with very small sized loader programs; only purpose of a loader is loading and executing the actual malware code via connecting to a remote system. Using small loader codes are hard to detect by security products because of the purpose and the code fragments of loaders are very common among legitimate applications. Malware that are using this approach can still be detected with scanning the memory and inspecting the behaviors of processes but in terms of security products these operation are harder to implement and costly because of the higher resource usage (Ramilli, 2010). Read More
Art of Anti Detection 3 – Shellcode Alchemy
This article will deal with basic shellcoding and similar concepts, assembly level encoder/decoder design and few methods for bypassing anti exploit solutions such as Microsoft’s Enhanced Mitigation Experience Toolkit(EMET). Read More
Windows Privilege Escalation Methods for Pentesters
Imagine that you have gotten a low-priv Meterpreter session on a Windows machine. Probably you’ll run getsystem to escalate your privileges. But what if it fails?
Don’t panic. There are still some techniques you can try.