CYBER MONGOL
7/13/2021

Module Overloading /Phantom DLL Injection: Totally Undetected by Defender for Endpoint

Over the last 12 months our automation has noticed an interesting trend in one signature: NtCreateSection called with the SEC_IMAGE flag. Offensive Security Tools are leveraging a type of process hollowing called Module Overloading, or Phantom DLL Injection, which has OpSec advantages such as placing the payload in legitimate file-backed memory; in this case the backing file is a Microsoft-signed module (BingOnlineServices.dll). Another operator advantage is that it negates the need for the classic RWX memory protections: the payload instead assumes the protections of the legitimate DLL. Below you can find some OSTs we are tracking that leverage the NtCreateSection API call with the SEC_IMAGE flag.

process_ghosting: https://github.com/hasherezade/process_ghosting

process_doppelganging: https://github.com/hasherezade/process_doppelganging

phantom-dll-hollower-poc: https://github.com/forrest-orr/phantom-dll-hollower-poc

DInvoke: https://github.com/TheWover/DInvoke

Blog Post: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
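As an added example (not code from this post, nor from any of the tools listed above), here is a small Python detection pass over constructed sensor events that shows why the NtCreateSection + SEC_IMAGE signature needs correlation: the normal Windows loader creates exactly such a section for every DLL it loads, so the call alone is noisy. The pass therefore checks two things the technique leaves behind: an image section that was mapped but never registered in the loader's module list (a "phantom" module), and a file-backed image whose executable bytes no longer match the file on disk (an "overloaded" module). The event schema, the sample events, the byte strings standing in for .text contents, the on-disk hashes and the full path of BingOnlineServices.dll are all assumptions made for this example.

```python
"""Added example: detection pass for module overloading / phantom DLL hollowing.

Replays a constructed list of sensor-style events (dict records) and flags
image sections that look hollowed.  The event schema and the sample data are
assumptions for this example, not the output of any real EDR.
"""
from dataclasses import dataclass, field
import hashlib

SEC_IMAGE = 0x01000000   # NtCreateSection allocation attribute for image sections


@dataclass
class ProcessState:
    pid: int
    peb_modules: set = field(default_factory=set)        # paths the loader registered
    image_sections: dict = field(default_factory=dict)   # section handle -> backing file
    mapped_images: dict = field(default_factory=dict)    # base address -> backing file
    findings: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyse(events, disk_text_hashes):
    """Replay events per process and return {pid: [finding, ...]}.

    Heuristics taken from the post's description of the technique:
      * phantom module: a SEC_IMAGE section was mapped by hand and the backing
        DLL never appears in the loader's module list, so a tool that only
        walks the PEB would not see it;
      * overloaded module: the image is file-backed, but the executable bytes
        observed in memory differ from the .text of the file on disk, i.e. the
        legitimate DLL's pages were overwritten with a payload.
    """
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], ProcessState(ev["pid"]))
        kind = ev["event"]
        if kind == "module_load":                      # loader-registered (PEB Ldr list)
            p.peb_modules.add(ev["path"].lower())
        elif kind == "NtCreateSection" and ev["attributes"] & SEC_IMAGE:
            p.image_sections[ev["handle"]] = ev["file"].lower()
        elif kind == "NtMapViewOfSection":
            backing = p.image_sections.get(ev["handle"])
            if backing is not None:
                p.mapped_images[ev["base"]] = backing
        elif kind == "text_snapshot":                  # bytes of the mapped image's .text
            backing = p.mapped_images.get(ev["base"])
            if backing is None:
                continue
            expected = disk_text_hashes.get(backing)
            if expected is not None and sha256_hex(ev["bytes"]) != expected:
                p.findings.append(f"overloaded module {backing} at {ev['base']:#x}")
    # After replay: any manually mapped image that the loader never registered.
    for p in procs.values():
        for base, backing in p.mapped_images.items():
            if backing not in p.peb_modules:
                p.findings.append(f"phantom module {backing} at {base:#x}")
    return {pid: p.findings for pid, p in procs.items()}


# Constructed sample data.  Only the DLL name comes from the post; the path,
# the byte strings standing in for .text contents and the hashes are made up.
GENUINE_TEXT = b"\x48\x89\x5c\x24\x08 genuine code"
PAYLOAD_TEXT = b"\x90\x90\xcc payload code"
DLL_PATH = r"C:\Windows\System32\BingOnlineServices.dll"
DISK_HASHES = {DLL_PATH.lower(): sha256_hex(GENUINE_TEXT)}

SAMPLE_EVENTS = [
    # pid 100: ordinary LoadLibrary path, registered with the loader, unmodified
    {"pid": 100, "event": "NtCreateSection", "handle": 1, "attributes": SEC_IMAGE, "file": DLL_PATH},
    {"pid": 100, "event": "NtMapViewOfSection", "handle": 1, "base": 0x7FF800000000},
    {"pid": 100, "event": "module_load", "path": DLL_PATH},
    {"pid": 100, "event": "text_snapshot", "base": 0x7FF800000000, "bytes": GENUINE_TEXT},
    # pid 200: mapped by hand, never registered, .text replaced with a payload
    {"pid": 200, "event": "NtCreateSection", "handle": 7, "attributes": SEC_IMAGE, "file": DLL_PATH},
    {"pid": 200, "event": "NtMapViewOfSection", "handle": 7, "base": 0x7FF900000000},
    {"pid": 200, "event": "text_snapshot", "base": 0x7FF900000000, "bytes": PAYLOAD_TEXT},
]


def run_sample():
    """Run the pass over the constructed events; pid 100 is clean, pid 200 is not."""
    return analyse(SAMPLE_EVENTS, DISK_HASHES)


if __name__ == "__main__":
    for pid, findings in run_sample().items():
        print(pid, findings or ["clean"])
```

The point of the two checks is that neither the section creation nor the file-backed mapping is suspicious by itself; the signal is the mismatch between what the loader knows about the process and what is actually mapped and executing. A real sensor would source the module list from the PEB, the section and map calls from ETW or a kernel callback, and the .text hash from a periodic memory scan, which this example only simulates.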