ITSEC Newsletter 2023-04-20

Author

Henrik Falk
April 20, 2023

Process injection in 2023, evading leading EDRs

Process injection on Windows 11 bypassing industry leading endpoint protection solutions.

vanmieghem.io/process-injection-evading-edr-in-2023

"Nowadays when I speak with my red team friends and touch upon the topic of process injection, the response is usually "Yes... but no...". The risks of detection outweigh the need for having an implant "parasiting" in a host process. Typical process injection techniques stand out too much and more often than not is the injection linked to malicious activity. Occasionally, I like to pick-up this "AV evasion" hobby, and achieving process injection with arguably the most signatured malicious shellcode against today's best endpoint protection, seemed like a fun exercise to me. So in this blog post, we'll walk through what combination of evasive techniques can be used to achieve process injection with zero detections or alerts."

Direct Syscalls: A journey from high to low - RedOps

redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low

"In this article, I will focus on the Direct System Call technique and show you how to create a Direct System Call shellcode dropper step-by-step using Visual Studio in C++. I will start with a dropper that only uses the Windows APIs (High Level APIs). In the second step, the dropper undergoes its first development and the Windows APIs are replaced by Native APIs (Medium Level APIs). And in the last step, the Native APIs are replaced by Direct System Calls (Low Level APIs). I will also explain how to analyse and check your droppers using tools such as API Monitor, Dumpbin and x64dbg."

Raspberry Robin: Anti-Evasion How-To & Exploit Analysis - Check Point Research

Research by: Shavit Yosef Introduction During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more. Over time, malware has continued to evolve and escalate […]

research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis

"In this research, we examine Raspberry Robin as an example of identifying and evading different evasions. We discovered some unique and innovative methods and analyzed the two exploits used by Raspberry Robin to gain higher privileges showing that it also has capabilities in the exploiting area."

I hack, U-Boot

During hardware assessments, it is common to come across devices implementing U-Boot.

www.synacktiv.com/publications/i-hack-u-boot.html

"During hardware assessments, it is common to come accross devices implementing U-Boot. This article aims to describe what it is, why it could be interesting from an offensive perspective, and the attack surface associated with this popular bootloader."

GitHub - t3l3machus/PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.

A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository...

github.com/t3l3machus/PowerShell-Obfuscation-Bible

"A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests. You should not take anything for granted."