Showing Posts About
Evasion
-
Alfie Champion 
Riccardo Ancarani - 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #1
This article details a cybersecurity workshop demonstrating advanced Windows endpoint attack techniques for initial access. An HTA-based attack method was developed that drops a DLL and uses registration-free COM activation to execute a malicious payload. The payload involves shellcode injection, AMSI bypassing, and process injection techniques targeting Windows endpoints.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #2
This article explores advanced defense evasion techniques in Windows cybersecurity, focusing on API unhooking and ETW bypassing. The lab demonstrates methods attackers can use to minimize their detection footprint during endpoint attacks, such as removing API hooks and disabling event tracing. Techniques include intercepting API calls, unhooking ntdll.dll, and manipulating .NET runtime event tracing to avoid security monitoring.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #3
This article explores API hooking techniques for stealing RDP credentials during Windows authentication. The lab demonstrates how API hooks can intercept plaintext login information when users connect to remote desktop sessions. Multiple methods are presented, including using Frida and RdpThief, to extract credentials from the RDP client process.
- Alfie Champion Riccardo Ancarani
- 7 Apr 2021
Attack Detection Fundamentals 2021: Windows - Lab #4
This article demonstrates a technique for stealing browser cookies and saved passwords from a Windows endpoint using Chlonium. The attack involves extracting Chrome's encryption keys and cookie databases to hijack web sessions. System Access Control Lists (SACLs) are explored as a method for detecting and logging sensitive file access during such attacks.
- 1 May 2020
Bypassing Windows Defender Runtime Scanning
This article details techniques for bypassing Windows Defender's runtime memory scanning by exploiting memory permission limitations. A method was developed using PAGE_NOACCESS memory permissions to prevent detection during suspicious API calls. A custom Metasploit extension called Ninjasploit was created to implement these bypass techniques.
- William Burgess
- 18 Jul 2018
Bypassing Memory Scanners with Cobalt Strike and Gargoyle
A novel technique for bypassing memory scanners using the Gargoyle method with Cobalt Strike is demonstrated. The approach involves periodically staging and removing a beacon payload from memory to evade detection by endpoint security solutions. By moving in and out of executable memory at timed intervals, the technique aims to avoid traditional memory scanning techniques.