CYBER MONGOL
4/9/2021

C# Dropper, D/Invoke Manual Mapping(ntdll.dll) + Shellcode Injection

After a really good talk by Jean-Francois Maes, I wanted to try his code's functionality (EDRGoesBrrr) with a dropper that I'm working on. The dropper opens an HTTPS tunnel with ngrok, downloads an edited version of his injector, which leverages D/Invoke to manually map ntdll.dll (avoiding any hooks), and then injects a Covenant implant into the RDP clipboard monitor. I did use the NuGet package for D/Invoke, which didn't seem to cause any problems. No alerts in MDE, but there was an informational warning in the timeline regarding the parent PID spoofing. Testing was done on MDE (BlockMode + Automated Investigation).
Talk (EDR Mechanics / Evasion Techniques): Defeating EDR's using D/Invoke - YouTube

EDRGoesBrrr (source): brown-bags/DInvoke to defeat EDRs/DemoDInvokeLoader at main · NVISOsecurity/brown-bags · GitHub
