Januar 11, 2025 Lesezeit: 3 Minuten

Are you a Red Teamer or offensive security expert looking to push the boundaries of your bypass capabilities? Our newly released eBook, Mastering Elastic Defend Bypass, is specifically tailored for those in the trenches of cybersecurity, providing in-depth strategies and techniques for bypassing modern XDR solutions and evading detection mechanisms. This guide is a must-have for professionals who want to elevate their skills and gain a deeper understanding of bypassing cutting-edge defenses.

What’s Inside the eBook?

In this technical and advanced guide, I cover both static and dynamic techniques for evading state-of-the-art XDR solutions, focusing on memory scanning evasion and much more. With a combination of theory and practical application, the eBook offers:

• Static and Dynamic Bypass Techniques: Learn how to effectively bypass detection mechanisms used by the latest XDR solutions. The guide explores various methods that work both during runtime and static analysis, ensuring you have a comprehensive understanding of how to approach detection evasion.

• Memory Scanning Evasion: Memory scanning is one of the most critical areas where modern XDR systems focus. This eBook dives deep into advanced memory scanning evasion methods that can be used to remain undetected during memory analysis.

• C2 Framework Agent Modification: A highlight of this guide is the step-by-step process of modifying the Havoc C2 framework agent. I show how to adapt and deploy this agent within highly secure environments without triggering detection systems, providing you with the ability to execute operations with stealth.

• Practical Insights and Tools: Not only does this eBook provide theoretical insights, but it also offers practical steps and real-world examples. You'll gain access to the necessary tools and resources via GitHub, with easy-to-follow instructions on how to implement the techniques discussed.

Who Is This eBook For?

This eBook is designed for professionals who already have experience in the field of offensive security, Red Teaming, or cybersecurity. It’s not suitable for beginners, as it dives into highly technical material that assumes prior knowledge and understanding of the subject. If you are comfortable with advanced concepts and want to elevate your skills.

Why Should You Get This eBook?

As a professional in the cybersecurity space, staying ahead of the latest detection methods and knowing how to bypass them is crucial. This guide equips you with the tools and techniques to stay undetected, whether you're performing Red Team assessments or working in a high-security environment. With detailed explanations, actionable insights, and access to the tools you need, this eBook is an indispensable resource for anyone serious about mastering bypass techniques.

Get Your Copy Today!

Ready to take your bypass skills to the next level? The eBook is available in PDF format (3MB) and comes with all the practical steps and resources you need to implement the techniques discussed.

Don’t miss out on this essential guide for Red Teamers and offensive security professionals. Get your copy today and start mastering Elastic Defend Bypass like never before!

September 18, 2024 Lesezeit: 9 Minuten

In this post, I will demonstrate how to make the tool of your choice undetectable and bypass security products like classic Antivirus (AV) and Endpoint Detection and Response (EDR) systems.

Introduction

As security professionals, penetrationtesters and red teamers, we often face challenges in ensuring our tools remain undetected by various security measures. The goal is to find solutions that require minimal manual effort and can be quickly applied to a wide range of tools, including those that are not open-source. This guide is intended for educational purposes only, and I encourage ethical use of the techniques discussed here.

Evade static detection

In the first step we concentrate on bypassing static detection. The AV solutions provide signatures for known malicious code or programs that are recognized as harmful. These can contain a hash check as well as use certain code parts, strings or the like as a basis for detection. In order to avoid this detection, we have to know the signatures in detail in order to remove or obfuscate them from the binary. In addition, different AV solutions work with different signatures, which would mean that we may be able to create a bypass for a solution, but another product will still recognize the file as malicious. But since we originally said we wanted a general solution, we use a simple technique. We take the complete binary code and encrypt it.

The Encryption

In order to completely encrypt a PE file we have to use a secure encryption algorithm like AES. Below we have a short Python code that accomplishes this for our purpose

https://github.com/ZERODETECTION/BypassAV/blob/main/pe_2_aes.py

We're testing our initial PE file at Virustotal and the encrypted version.

As we can see, no AV scanner can now decrypt the encrypted code and therefore it remains undetected for a static scan. but how can we execute the encrypted code?

We could decrypt the PE file and put it back on the disk, but that would have the same effect because the on-access scan would check the file and recognize the original code as malicious.

Another solution would be that we don't take the PE file itself, but convert the PE file into shellcode. Shellcode can be executed directly from memory and does not need to be copied to disk as a file.

Convert the PE file into shellcode

For the conversion we use the great tool donut. Donut converts the PE file into position-independent shellcode.

Position-Independent Code (PIC) shellcode is designed to execute regardless of where it's loaded in memory. This is particularly useful for environments like modern operating systems, which use address space layout randomization (ASLR).

https://github.com/TheWover/donut

We are not only pass the PE file but also the parameters to be executed to donut.

As we can see, this is also encrypted by Donut, but multiply AV products are still able to recognize it. 

To get around this, we simply use our own encryption algorithm.

Now we have our position independent shellcode AES encrypted. To execute our shellcode we need to build a loader. 

The Loader

To execute the shellcode we create a simple C program that opens the shellcode, copies it into memory, decrypts it and then executes it in memory. This way we avoid the fact that the code is lying unencrypted on the hard drive. There is still a residual risk that the AV scanner will scan the memory and detect the malicious code there.

https://github.com/ZERODETECTION/BypassAV/blob/main/loader.cpp

We have now written a very simple loader, which executes it with the functions VirtualAlloc, AESDecrypt, RtlMoveMemory and a direct jump to the shellcode. We should note that we have marked a memory area as RWX executable for executing the shellcode. For some AV products, this is a crucial signal that potentially malicious code could be executed here.

We should also note at this point that our loader loads the shellcode from a file and has not integrated it. This has advantages and disadvantages. It would also be possible to embed the shellcode into the executeable without much effort.

In order to reduce the detection rates even further, we rename the decryption routine and also change the parameters.

With this modification we can achieve that the Microsoft Defender, which has a high prevalence, no longer recognizes the loader as harmful. Even the AI based static detection of Sentinel One also no longer recognizes this sample with this modification.

In order to ensure a complete bypass of all products, we could now make further changes. but that would end in a trial and error principle. It is now important to check what the dynamic detection looks like. Currently we have only tested the bypass for dynamic detection.

AV Check

Now it's time to test the dynamic execution. We run the loader on a VM with Microsoft Defender and check whether the shellcode is also executed accordingly or whether the AV Scanner recognizes the execution or stops it. Most AV scanners have cloud and sandbox functions, which means that the samples are also checked on runtime without user interaction.

In order to prevent our sample from being uploaded, we always turn off the cloud upload. We should also avoid checking with Virustotal if we don't want our loader to be recognized by AV solutions at short notice.

As you can see, we can now execute this while bypassing the AV solution without modifying the PE file.

Conclusion

We have therefore achieved our goal, we have taken a known malware / dual-use tool and successfully executed it undetected on an AV-protected system without any individual adjustment. The method shown here should also be adaptable with other programs, pentest tools or even malware.

When using zerodetection and the Implant Builder, these techniques are also used, but you can choose between over 50 templates with a wide variety of techniques and tactics. In addition, the entire process is completely automated.

https://www.zerodetection.net/demonstration.html

Even if the execution worked at first glance and was not recognized or blocked, it cannot be ruled out that, depending on the activity, the AV scanner may recognize the software. This can be done through behaivor detection as well as based on telemetry data or artifacts in memory can also be recognized.

It makes sense to clean the memory or memory areas after execution in order to avoid leaving any residue behind that will be detected when the memory is scanned later.

Juli 21, 2024 Lesezeit: 3 Minuten

In the realm of cybersecurity, Red Team Pentesting is an advanced approach used to identify and exploit vulnerabilities in systems. While these tests are incredibly valuable for uncovering weaknesses, they also come with their own set of challenges and risks. One crucial aspect of these engagements is understanding precisely what is being executed, especially in terms of the tools and their origins.

Challenges in Red Team Pentesting

Red Team Pentesters employ a wide array of tools and techniques to rigorously test the security measures of a system. While some of these tools are well-documented and widely recognized, others are custom-built for specific scenarios or even created by the testers themselves.

These custom tools and scripts offer significant advantages in terms of flexibility and adaptability, but they also come with risks. Since these tools are often not extensively tested or broadly understood, there is a possibility that they might cause unforeseen problems. For instance, they could lead to system crashes or produce unintended side effects that impact the availability of the target environment.

Another risk associated with using custom or lesser-known tools is the potential for supply chain attacks. If a pentester uses a tool developed or provided by a third party, there is a risk that the tool may contain vulnerabilities or malicious components that go undetected during the engagement.

The Solution: ZeroDetection

To mitigate the risks associated with using unknown or untested tools, some Red Teams have turned to ZeroDetection. ZeroDetection offers vetted and tested templates specifically designed to minimize security incidents and system crashes during engagements.

ZeroDetection templates are crafted to ensure a high probability of successfully executing an engagement without compromising the target environment. These templates undergo rigorous testing and validation to ensure that they do not introduce unforeseen side effects or additional security risks.

By using such verified templates, Red Team Pentesters can ensure they are employing a controlled and trustworthy method for their tests. This reduces the risk of security incidents and minimizes potential impacts on the availability of the client’s systems.

Conclusion

Red Team Pentesting is an essential tool for enhancing cybersecurity, but it is crucial that the tools and techniques used are well-understood and carefully selected. While custom tools and scripts can be powerful, they also bring specific risks, such as system crashes and supply chain attacks.

Utilizing ZeroDetection or similar vetted and tested templates can significantly reduce these risks. By adopting such technologies, Red Team Pentesters can ensure they perform effective tests without jeopardizing the security and availability of the target environment.

Juli 21, 2024 Lesezeit: 6 Minuten

In the ever-evolving landscape of cybersecurity, the cat-and-mouse game between attackers and defenders is relentless. As defenders bolster their defenses with advanced detection capabilities, red teams must continually innovate to stay ahead. Enter ZeroDetection, a powerful tool that elevates your red team operations and adversary simulations by enabling you to create stealthier implants and make your beacons or C2 agents more elusive. In this blog post, we’ll explore how ZeroDetection can optimize your red team activities, enhance your adversary simulations, and help you evade security measures with ease.

The Need for Stealth in Red Team Operations

Red team operations aim to simulate real-world attacks to test and improve an organization's security posture. To provide valuable insights, these simulations must mimic the tactics, techniques, and procedures (TTPs) of actual adversaries. However, with advanced security solutions in place, red teams face the challenge of evading detection by sophisticated security controls. This is where ZeroDetection comes into play.

What is ZeroDetection?

ZeroDetection is a cutting-edge tool designed to enhance the stealth of red team operations. It allows users to create highly customized implants and refine their beacons or command-and-control (C2) agents to bypass modern detection mechanisms. By leveraging ZeroDetection, red teams can achieve a higher level of operational security, making their adversary simulations more realistic and effective.

Key Features of ZeroDetection

1. Custom Implant Creation:

   ZeroDetection enables the creation of custom implants that can be tailored to specific operational needs. These implants are designed to blend seamlessly into the target environment, making them difficult to detect.

2. Stealthy Beacon and C2 Agents:

   The tool allows for the modification and enhancement of beacons and C2 agents to evade detection by security monitoring systems. This includes altering communication patterns, using encryption, and mimicking legitimate traffic.

3. Evading Security Postures:

   ZeroDetection provides techniques to bypass various security layers, including endpoint detection and response (EDR) systems, intrusion detection systems (IDS), and network monitoring tools.

Optimizing Red Team Operations with ZeroDetection

Here are some practical ways to leverage ZeroDetection for optimizing your red team operations:

1. Developing Undetectable Implants:

   Utilize ZeroDetection to create implants that are uniquely tailored to each engagement. This ensures that the implants are not flagged by signature-based detection systems, increasing the chances of staying undetected throughout the operation.

2. Enhancing Communication Stealth:

   Modify your beacons and C2 agents to use covert communication channels. ZeroDetection allows for the use of encrypted communications, which can be disguised as legitimate traffic, making it difficult for network monitoring tools to detect malicious activities.

3. Evading Endpoint Detection:

   Implement techniques provided by ZeroDetection to bypass endpoint detection systems. This includes process injection, memory obfuscation, and using legitimate processes for malicious purposes (living off the land).

4. Adapting to Security Controls:

   Continuously adapt your TTPs based on the security controls in place. ZeroDetection’s flexibility allows you to tweak your methods on the fly, ensuring that your red team remains effective even as defenders update their detection capabilities.

Enhancing Adversary Simulations

Effective adversary simulations require a deep understanding of the latest attack vectors and the ability to mimic them accurately. ZeroDetection enhances these simulations by providing tools and techniques that real-world adversaries might use, offering a realistic assessment of an organization’s security posture.

1. Realistic Attack Scenarios:

   Use ZeroDetection to craft scenarios that closely resemble the tactics of advanced persistent threats (APTs). This helps in evaluating how well an organization can detect and respond to sophisticated attacks.

2. Continuous Improvement:

   By evading detection during simulations, you can identify gaps in the organization’s defenses. This continuous feedback loop allows for the refinement of both the red team’s tactics and the organization’s security measures.

3. Training and Awareness:

   High-fidelity simulations with ZeroDetection not only test defenses but also serve as valuable training for security teams. Realistic scenarios help defenders recognize and respond to actual attack patterns.

Conclusion

In the dynamic world of cybersecurity, staying ahead requires constant innovation and adaptation. ZeroDetection provides red teams with the tools needed to enhance their operations, create stealthier implants, and simulate adversary tactics more effectively. By leveraging ZeroDetection, you can ensure that your red team engagements are not only challenging but also provide deep insights into an organization’s security posture. Embrace ZeroDetection to elevate your red team operations and stay one step ahead in the cybersecurity game.

Juni 9, 2024 Lesezeit: 4 Minuten

In the ever-evolving landscape of IT infrastructure, keeping track of your systems' uptime is crucial. Yet, many solutions available today are bogged down with complex dependencies, convoluted setups, and steep learning curves. Enter zerodown, the straightforward, clean, and minimalist uptime monitor designed to keep your infrastructure in check without the fuss.

What is zerodown?

zerodown is an intuitive uptime monitoring tool tailored for simplicity and efficiency. Unlike other monitoring solutions, zerodown focuses on providing a hassle-free experience with minimal system requirements and straightforward setup. Whether you're managing a small personal project or overseeing a larger infrastructure, zerodown ensures you stay informed about the status of your systems without overwhelming you with unnecessary complexity.

Key Features

1. Simplicity at Its Core: zerodown is designed to be as straightforward as possible. There are no complex dependencies or arduous setups. Just download, configure, and start monitoring.

2. Minimalist Design: Leveraging the sleek aesthetics of Bootstrap, zerodown offers a clean and user-friendly interface. The minimalist design ensures that you can easily navigate and manage your monitoring dashboard without distractions.

3. Lightweight Agent: The monitoring agent is lightweight and efficient, written in Go, known for its performance and reliability. It collects uptime data and sends it over HTTP in JSON format to the monitoring server.

4. Easy Overview: The server component of zerodown keeps track of all monitored clients, presenting their statuses in a simple list. This allows for a quick and easy overview of your entire infrastructure's health at a glance.

How Does It Work?

zerodown operates with two main components: the agent and the server.

- The Agent: Installed on each system you wish to monitor, the agent is responsible for collecting uptime data. Written in Go, it ensures efficient performance and minimal resource consumption. The agent transmits data via HTTP using JSON, making it easy to integrate with other systems if needed.

- The Server: This component receives data from all agents and compiles it into a cohesive monitoring dashboard. Using Bootstrap for its front-end, the server displays the status of all clients in a clean, easy-to-read list format. This design ensures that you can quickly assess the health of your infrastructure without getting lost in unnecessary details.

Why Choose zerodown?

zerodown is ideal for anyone seeking a no-nonsense monitoring solution. Its simplicity does not come at the cost of functionality; instead, it strips away the unnecessary complexities to deliver a tool that just works. Whether you're a developer, system administrator, or IT manager, zerodown helps you keep an eye on your infrastructure's uptime with ease and confidence.

In conclusion, zerodown stands out as a beacon of simplicity in a field often cluttered with overly complicated solutions. With its minimalist design and straightforward functionality, it ensures that monitoring your infrastructure is a breeze. Give zerodown a try and experience the ease of simple, effective uptime monitoring.

Feel free to share your thoughts or get started with zerodown today. For more information, visit our [https://github.com/ZERODETECTION/zerodown]. Happy monitoring!

Juni 2, 2024 Lesezeit: 3 Minuten

In this blog post, we'll explore how to use the C2 framework Havoc and the Zerodetection toolset to create implants that remain undetectable by AV, EPP, EDR, and XDR systems.

Havoc C2 is a modern Command and Control (C2) framework designed for post-exploitation activities. It was programmed by the talented coder C5pider and is used by security professionals to simulate advanced persistent threats (APTs) and test the resilience of networks against sophisticated cyber attacks. Havoc C2 provides a robust infrastructure for managing compromised hosts, delivering payloads, and executing commands remotely. Its modular architecture allows for the integration of custom payloads and exploits, making it a versatile tool for red teaming and penetration testing. With features like encrypted communications, multi-platform support, and a user-friendly interface, Havoc C2 helps security teams evaluate and improve their defensive strategies against real-world adversaries.

First, we'll begin by launching Havoc. To do this, we start the team server and connect using the Havoc client.

Next, we open the payload generator and create an agent.

We generate an agent using the Ekko sleep technique and choose the format "Windows Shellcode."

We open up the "Implant Builder," choose our generated payload, and select a template.

We transfer our newly generated implant to the target machine and execute it.

The machine should now be visible in Havoc.

Everything is working smoothly and without any interruptions from the antivirus.

Havoc is a remarkable C2 framework developed by the talented coder C5pider. Its generated agents are highly effective out of the box and can even bypass AV products like MS Defender without requiring any adjustments. When combined with various bypass techniques provided by Zerodetection, it forms a potent combination capable of evading even the most sophisticated endpoint security systems.

In this example, we're leveraging the Havoc Framework to generate an agent using the Ekko sleep technique. This agent will then be integrated into a loader created using Zerodetection's "Implant Builder." The loader is crafted with the Fiber template, which utilizes fiber techniques to bypass AV/EPP/EDR/XDR systems. Additionally, the shellcode is encrypted using a custom XOR encryption for added security.