Weasel Sec

Full access now and no more issue with UAC.

One way to get around MOTW is to use ClickOnce to download a malicious doc. Since dfsvc.exe handles the download, the file doesn’t get tagged with the MOTW flag.

I uploaded all the malware samples used in my book #EvasiveMalware to my Github: github.com/d4rksystem/Eva… I received some questions about the lab samples, so just posting it for everyone here 🤓

Bypassing EDR in a Crystal Clear Way lorenzomeacci.com/bypassing-edr-…

Why yes, yes we can use ESTSAUTH captured from evilginx to automatically register a passkey

@techspence Probably not, since it ultimately invokes wmiprvse.exe.

@Weasel_Sec But does it work against crowdstrike?

GitHub - bats3c/shad0w: A post exploitation framework designed to operate covertly on heavily monitored environments github.com/bats3c/shad0w

Goexec is a new take on some of the methods used to gain remote execution on Windows devices. Goexec implements a number of largely unrealized execution methods and provides significant OPSEC improvements overall falconops.com/blog/introduci… Github repo: github.com/FalconOpsLLC/g…

@mrgretzky Could be from JARM fingerprint?

You've got to love it when AVs start flagging your official online course phishing training lab website as phishing... 🤦‍♂️ Also figured out Google will block emails including links to the lab. virustotal.com/gui/url/ff9241…

@domchell Redirect them to a fake webinar where @peterwintrsmith is playing the guitar.

I see you blue teamers trying to sneak in

@_EthicalChaos_ It’s beautiful mate.

This one definitely took way longer than planned, but finished now, just in time for Christmas.

I FINALLY got call stack spoofing working inside BeaconGate.

@merterpreter Oh nice. Better than null bytes.

@Weasel_Sec Nowadays Edrs have Add-ons for this but it was a thing in the past. I’have had great success in engagements with this method github.com/mertdas/SharpI…

Raw payload. No obfuscation, nothing. Just 9.31MB in size.

@gerbot_ Go.

@Weasel_Sec Which language was written in?

@frosty468119564 VirusTotal doesn't allow you to upload files larger than 650MB. I tried uploading a 650MB file and got the same result as with a 250MB file.

@gerbot_ Correct!

@Weasel_Sec Scanners don't like chonk

Now, same payload increased to 250MB. Just added a lot of null bytes after the raw payload:

🚨EDR Telemetry website is live! 🥳 I hope this makes it even easier for folks to compare the telemetry of EDR vendors and visualize their visibility gaps 🙂 ‣ Website🔗edr-telemetry.com ‣ GitHub 🔗github.com/tsale/edr-tele… **Telemetry results reflect the most recent updates from the EDR Telemetry project.

0xC2 is now available and the site has been updated with a brief introduction 0xc2.io/posts/introduc…