
Article: bypass all antiviruses/EDRs Like RockStar, create your own clean undetectable cobalt strike beacon, backdoor, trojan Part 1

Thanks for the share. I have a question: new EDRs have more capability than static detection, for example behaviour threat protection, local analysis, sandbox analysis, process injection, identity analytics. How can this bypass all the EDR features? Will this work in the dynamic play for EDR?
 
Almost all the features you mentioned depend on the DLLs that the antivirus injects into the process to execute such features, and this method cleans the process of such DLLs. I am not saying it will work with all antiviruses, but it will work with many of them, and we have other techniques that the antivirus uses, such as ETW, and there are many other bypassing techniques that I haven't mentioned in the tutorial, like parent process ID spoofing and many more.
 
Are you planning to release further tutorials? If yes, that would be great.
 
I don't really need to try it; unhooking is an old method whose downsides have been known for a long time. I'm not saying that it doesn't work, I'm saying why it is not the best thing to do in practice.

This concrete implementation is not the best either. In the general case it would be better to find and replace only the hooked bytes; in that case you can restore the original bytes atomically (instead of memcpy-ing them), so there should be no race conditions. Also, I really hate to see people not checking the success of WinAPI calls; the funny thing about this concrete code is that if Windows is installed on the D drive, for example, the process will just fail with an access violation exception.
Something similar is actually implemented in BumbleBee.
 
SpyBoy, please, part 2. I am looking forward to it))) Your 2 articles are the best. Thank you so much!!!
I'm glad you like them. I will post the remaining parts as soon as I have time, and they will contain advanced evasion techniques.
No worries ☺️ ☺️ 😄
 
What about kernel callbacks? Did you hear about EtwTi?

bypass all antiviruses/EDRs Like RockStar schoolboy...

First of all, as mentioned in the title ("part 1"), I provided only one technique and focused on static detection, and I said in the tutorial that there are plenty of techniques.
Secondly, kernel callbacks and ETWTI, that's it?? Really?? 🤣😂
Dude, you have to know something: when you want to brag or show off, you MUST do it with something incredible. 😏
Actually, I've had enough of ignorant people, that's really disgusting.
Anyway, don't forget the piece of advice that I've given you 😂😂😂😂😂
 
What are you talking about? You behave like a clown. Please tell us how you bypass the Microsoft-Windows-Threat-Intelligence provider from user mode? Each step that you described (CreateFileA, CreateFileMapping, MapViewOfFile, VirtualProtect, etc.) will be logged to every consumer that subscribes to this provider, and this chain of behaviour is 100% detected as malicious by every fucking silly EDR and WD as is. You don't evade anything like this.
PS: Don't you think the title of this topic -

bypass all antiviruses/EDRs Like RockStar, create your own clean undetectable...

is way too fucking cocky?
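As a defender's illustration of the logging argument in the post above (an added example, not code from the thread or the tutorial): a toy correlation rule over constructed telemetry lines that flags a process performing the CreateFileA(ntdll.dll), CreateFileMapping, MapViewOfFile, VirtualProtect chain in order, while a process that merely memory-maps a document is left alone. The line format and field names are assumptions made for this example, not the real ETW event schema.

```python
"""Toy correlation rule for the user-mode API chain the post above says a
Threat-Intelligence consumer would see: CreateFileA(ntdll.dll), then
CreateFileMapping, MapViewOfFile and VirtualProtect on ntdll's code."""
from collections import defaultdict
# Ordered chain: (api name, predicate over the event's remaining fields).
# Field names below are constructed for this example, not the real ETW schema.
CHAIN = [
    ("CreateFileA", lambda d: d.get("path", "").lower().endswith("\\ntdll.dll")),
    ("CreateFileMapping", lambda d: True),
    ("MapViewOfFile", lambda d: True),
    ("VirtualProtect", lambda d: d.get("module", "").lower() == "ntdll.dll"
        and d.get("protect") in ("PAGE_EXECUTE_READWRITE", "PAGE_READWRITE")),
]

def parse_event(line):
    """'pid=4120 api=VirtualProtect module=ntdll.dll ...' -> (pid, api, fields)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return int(fields.pop("pid")), fields.pop("api"), fields

def find_unhook_chains(lines, max_gap=50):
    """PIDs that complete CHAIN in order with <= max_gap unrelated events between stages."""
    progress = defaultdict(lambda: [0, 0])  # pid -> [next stage, events since last hit]
    flagged = set()
    for line in lines:
        pid, api, details = parse_event(line)
        stage, age = progress[pid]
        if stage and age >= max_gap:        # stale partial match: start over
            stage, age = 0, 0
        name, pred = CHAIN[stage]
        if api == name and pred(details):
            stage, age = stage + 1, 0
            if stage == len(CHAIN):         # full chain observed for this process
                flagged.add(pid)
                stage = 0
        else:
            age += 1
        progress[pid] = [stage, age]
    return flagged

# Constructed telemetry: 4120 performs the full chain, 7788 only maps a document.
SAMPLE_TELEMETRY = [
    "pid=4120 api=CreateFileA path=C:\\Windows\\System32\\ntdll.dll",
    "pid=7788 api=CreateFileA path=C:\\Users\\bob\\report.docx",
    "pid=4120 api=CreateFileMapping protect=PAGE_READONLY",
    "pid=7788 api=CreateFileMapping protect=PAGE_READONLY",
    "pid=4120 api=MapViewOfFile access=FILE_MAP_READ",
    "pid=7788 api=MapViewOfFile access=FILE_MAP_READ",
    "pid=4120 api=VirtualProtect module=ntdll.dll protect=PAGE_EXECUTE_READWRITE",
]
```

`find_unhook_chains(SAMPLE_TELEMETRY)` returns `{4120}`; the ordering requirement and the ntdll.dll and protection predicates are what keep the document-mapping process 7788 out of the result.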
 
Why do you insist that the technique I mentioned in this post should bypass ETWTI?
I can blind your ETWTI for good and run all kinds of malware without even trying to unhook or bypass EDR or anything else.
 
Very interesting, share your knowledge with us in part II, if you really can do it...
 
I swear I can do more than that.
But even in your dreams, I won't share it with you.
Now get lost; you wasted my time and ruined my tutorial with your hate comments.
 
The article is open for discussion, and your article is complete shit, and I brought the arguments why, to which you did not give a clear answer. Based on this, you are a total scriptkiddie and this article is schoolboy-level evasion.
DONE.
 
You could've discussed this in an elegant way, like everyone does. What kind of discussion starts by mocking?
Anyway, say what you want to say. Actually, I don't need to prove anything; all the guys who contacted me know how helpful I am. Maybe this is a lesson for you to learn how to leave nice comments or how to start a decent discussion.

Done.
 

