Locked NtRemoteLoad | Remote Shellcode Injector

[dEEpEst]

NtRemoteLoad

Remote shellcode injector, based on HWSyscalls by ShorSec, leveraging undetectable (currently) indirect native syscalls to inject shellcode into another process, creating a thread and executing it.

Disclaimer: The information/files provided in this repository are strictly intended for educational and ethical purposes only. The techniques and tools are intended to be used in a lawful and responsible manner, with the explicit consent of the target system's owner. Any unauthorized or malicious use of these techniques and tools is strictly prohibited and may result in legal consequences. I am not responsible for any damages or legal issues that may arise from the misuse of the information provided.

Usage

This is the hidden content, please

• Sign In
• or
• Sign Up

Detection

Testing it against API monitor by Rohitab shows the following detection for Native syscalls:

This is the hidden content, please

• Sign In
• or
• Sign Up

/applications/core/interface/js/spacer.png">

Which is fairly good, though NtCreateFile could also be hidden but I have not seen a reason to change it yet.

On the other hand, testing it against Defender for Endpoint EDR trial with a Havoc C2 beacon payload yields the following detection:

Executing the payload

This is the hidden content, please

• Sign In
• or
• Sign Up

/applications/core/interface/js/spacer.png">

Getting the callback

This is the hidden content, please

• Sign In
• or
• Sign Up

/applications/core/interface/js/spacer.png">

Visibility

This is the hidden content, please

• Sign In
• or
• Sign Up

/applications/core/interface/js/spacer.png">

Which is also fairly good as these are just events, meaning the blue team would need Threat Hunting or SIEM to actually detect it.

 

Download Release v1.0 on Aug 27

This is the hidden content, please

• Sign In
• or
• Sign Up