dEEpEst Posted September 29, 2023 Share Posted September 29, 2023 NtRemoteLoad Remote shellcode injector, based on HWSyscalls by ShorSec, leveraging undetectable (currently) indirect native syscalls to inject shellcode into another process, creating a thread and executing it. Disclaimer: The information/files provided in this repository are strictly intended for educational and ethical purposes only. The techniques and tools are intended to be used in a lawful and responsible manner, with the explicit consent of the target system's owner. Any unauthorized or malicious use of these techniques and tools is strictly prohibited and may result in legal consequences. I am not responsible for any damages or legal issues that may arise from the misuse of the information provided. Usage This is the hidden content, please Sign In or Sign Up Detection Testing it against API monitor by Rohitab shows the following detection for Native syscalls: This is the hidden content, please Sign In or Sign Up /applications/core/interface/js/spacer.png"> Which is fairly good, though NtCreateFile could also be hidden but I have not seen a reason to change it yet. On the other hand, testing it against Defender for Endpoint EDR trial with a Havoc C2 beacon payload yields the following detection: Executing the payload This is the hidden content, please Sign In or Sign Up /applications/core/interface/js/spacer.png"> Getting the callback This is the hidden content, please Sign In or Sign Up /applications/core/interface/js/spacer.png"> Visibility This is the hidden content, please Sign In or Sign Up /applications/core/interface/js/spacer.png"> Which is also fairly good as these are just events, meaning the blue team would need Threat Hunting or SIEM to actually detect it. Download Release v1.0 on Aug 27 This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
Recommended Posts