MSec Operations

27 posts

@MSecOps

Germany, joined July 2024
1 Following, 1.6K Followers
Pinned Tweet
MSec Operations
MSec Operations@MSecOps·
🔥 Introducing RustPack 🔥

RustPack is an evasive packer/loader that is capable of bypassing common AV/EDR vendors. It accepts user-provided known malicious input payloads, such as shellcode, C# assemblies or portable executables (PE). Those inputs are encrypted and decrypted at runtime by a newly generated non-malicious payload. This process is commonly called packing or crypting.

Some features:
- Each payload looks different, making signature creation more difficult.
- Userland hooks are bypassed by default for each generated payload.
- The encryption key is never fully embedded in the final payload but always retrieved at runtime. This is good for bypassing emulators or automatic unpacking engines.
- Encrypted payloads can also be decoupled from the new binary to load them from a remote location at runtime.
- Multiple anti-debug techniques are applied to each payload by default.
- Environmental keying and anti-sandbox options included.
- No cloud service. The software is delivered to the customer as a closed-source solution.

Evasion options:
- Several AMSI bypass techniques ranging from patching to using hardware breakpoints
- Multiple optional ETW bypasses
- Support for module stomping
- OPSec-safe remote injection techniques such as ThreadlessInject or a customised Caro-Kann technique

The tool is still under active development and lots of features/demos/etc. will follow. Some more information can be found here: msecops.de/products #redteam #pentesting #pentest #OST
MSec Operations tweet media
English
3
65
298
83.6K
MSec Operations
MSec Operations@MSecOps·
RustPack version 1.6.0 was just sent to our customers! This release includes multiple enhancements to existing bypass techniques, but also has some major new features such as:
- Steganography support: embedding encrypted payloads in PNG images 🫡
- Payload retrieval from a remote web server. And yes, PNG images can also get downloaded from a web server instead of from disk only.
- Position Independent Code output format. RustPack can now be considered your personal polymorphic Donut on steroids! Create shellcode from .NET assemblies or PE files to stealthily load them at runtime. 🔥🔥
MSec Operations tweet media
English
0
3
43
3K
MSec Operations reposted
S3cur3Th1sSh1t
S3cur3Th1sSh1t@ShitSecure·
The MSec Operations - @MSecOps - Discord channel provides vetted Cyber Security experts the opportunity to exchange TTPs, to ask questions and to get answers! 😎 More than 280 verified people already joined. discord.gg/JRxXmy8P4B
English
0
5
47
4.7K
MSec Operations
MSec Operations@MSecOps·
Machine learning-based detection is not yet widely used by AV/EDR vendors to flag potentially malicious executables. However, a few vendors have already implemented effective engines for unsigned executables. 💡 And this has nothing to do with signatures! In the past, the easiest way to get rid of such detections was to use a DLL instead of an executable, as for those the detections are not that aggressive - yet. From our perspective it's only a matter of time until DLLs get flagged in a similar way. What are you using to tackle such detections? RustPack 1.5.1 has just been released to our customers. The main change in this release is the implementation of multiple new parameters to bypass these machine learning-based detections. 🔥
MSec Operations tweet media
English
1
3
23
10.5K
wr4pped
wr4pped@M43LS70M3·
@MSecOps Is RustPack open source? Is there a site where this needs to be purchased?
English
1
0
0
266
MSec Operations
MSec Operations@MSecOps·
Tools such as PsExec.py from Impacket are usually flagged for lateral movement due to the pre-built service executable that is dropped on the remote system. However, some vendors also flag Impacket based on its behaviour. With RustPack, you can easily create service executables that won't be detected by signatures or behaviour-based detection. 😎 In this demo video, an unsigned service executable is generated. This will only fire the payload on a system with the hostname 'Win11' — environmental keying will prevent the payload from showing up in a sandbox or cloud analysis. To avoid Impacket detection, we drop and execute the binary via the recently released Titanis protocol library from @TrustedSec: github.com/trustedsec/Tit…. The result is an Adaptix C2 connection in the SYSTEM context. 🫡 #Pentest #RedTeam #Malware #OST
English
4
120
615
70.4K
MSec Operations
MSec Operations@MSecOps·
Around three months ago, we provided our customers with RustPack version 1.4.0. 💪 This version included several changes to the core code of the loader component. For example, there were new options to disable the use of indirect syscalls in case any vendor creates detections on those in the future. It is also possible to switch to ntdll or Win32 function usage.

Other changes included:
- Process hollowing support as an alternative to module stomping (which was already included), with a new OPSec-safe spawn/inject technique for shellcode execution; no ETWti events for the execute primitive, which could lead to a memory scan. 🔥
- It is now possible to store encrypted payloads in the target system's registry and load them from there at runtime.
- Environmental keying support has been added: the payload will only fire when the target system is joined to the specified domain or when the hostname matches. 🛸
- Additional random anti-emulation stubs were added for each payload and tested successfully against major EDR vendors.
- The documentation has been overhauled to include detailed instructions on how to find custom DLL sideload binaries, how to weaponise them, and how to perform COM hijacking! 🎓

RustPack 1.5.0 was released to customers just today. The main changes include:
- Polymorphic obfuscation for each payload, with lots of newly added code stubs.
- Control flow obfuscation to make static or dynamic analysis more difficult.
- Several anti-static-analysis stubs that will lead to broken control flows for reverse engineers.
- New anti-debug checks at runtime.

Interested in using RustPack yourself? Contact us at info[at]msecops.de! 🫡
MSec Operations tweet media
English
1
7
42
10K
MSec Operations
MSec Operations@MSecOps·
Creating COM hijacking payloads has never been easier than with RustPack! With COM Hijacking, you can persist on a target system by 'living' in trusted user processes, such as the Chrome browser. You only need to bring one DLL. When the user opens Chrome, for example, a C2 connection is established. 🔥 Achieving stable payload execution without crashing or freezing the target system requires an understanding of what is relevant. Additionally, lots of processes may attempt to load the hijacked CLSID; you don't want to receive 43 beacons per day from the same system. Limiting execution to a defined process is important here! 🎓 What about combining that payload with environmental keying, anti-emulation, anti-sandboxing, as well as AMSI and ETW bypasses? Doing all this yourself will take time. With RustPack, however, you can create such a payload in a few seconds, and it's stable! The video demonstrates how to create a payload DLL to execute Adaptix C2 shellcode in the Chrome browser. 🛸
English
0
18
79
16K
MSec Operations
MSec Operations@MSecOps·
Rumour has it that Jonas Lykkegaard's self-delete technique doesn't work on Windows 11 anymore. Well, the original proof of concept (PoC) does not, but slight modifications bring this technique back to Win11! 😎 With #RustPack, you can easily generate self-deleting executables or DLLs. The following video showcases a DLL being executed from rundll32.exe and deleting itself while the process continues to run. 🔥 Of course, this also works for DLL sideloads. Having problems generating payloads yourself? Don't have time for proper evasion? Your loaders get flagged regularly? We've got you covered — contact us at info[at]msecops.de 👍
English
1
20
96
7K
MSec Operations
MSec Operations@MSecOps·
@mcohmi We do test against several EDRs but won’t demo those. The videos are more for tool usage and feature explanations.
English
1
0
2
205
Ohm-I (Oh My)
Ohm-I (Oh My)@mcohmi·
Sincere question, but are we still using only Windows Defender as a demonstration for bypassing with complex techniques? Or did GENERIC AV make everybody cautious about naming specific EDRs?
MSec Operations@MSecOps

The Ruy-Lopez technique sometimes helps a lot with evasion. The technique was published and open sourced by our founder @Shitsecure two years ago. In #RustPack version 1.3.1 we added a custom, non-public version of this technique that is much more OPSec safe than the public version. The original release only allowed spawn/inject, which is relatively limited. If you wanted to stay in your local process or sideload binary, you could not use it. In RustPack you can use Ruy-Lopez for local execution AND spawn/inject for both executables and DLL payloads. And it will prevent userland EDR DLLs from loading on top of amsi.dll. 🤠 For a few months now, all Sliver payloads have been flagged by many vendors because of the built-in AMSI patch bypass. Most people stuck to modifying the Sliver source to get rid of these detections. Well, if amsi.dll is never loaded at all, the patch won't happen either, and you can get rid of this detection just by using the Ruy-Lopez technique. 💡 The following video shows how to pack a Sliver executable with RustPack to get a fully functional connection without any detections. 🔥 And this is just a small use case. A fully interactive PowerShell runspace with all AMSI-related DLLs blocked and no userland hook DLLs sounds great too, right? Easy to build with RustPack in a few seconds. Execute all those PowerShell scripts like it's many years before 2025. 🥳 #RedTeam #Pentest #OST #Malware #Maldev

English
1
0
9
1.7K
MSec Operations
MSec Operations@MSecOps·
And yes, our custom Ruy-Lopez technique even works perfectly fine for e.g. DLLs that are run via rundll32.exe. The same works for sideloading DLLs, and so on. 😎
English
0
4
12
2.5K
MSec Operations
MSec Operations@MSecOps·
The Ruy-Lopez technique sometimes helps a lot with evasion. The technique was published and open sourced by our founder @Shitsecure two years ago. In #RustPack version 1.3.1 we added a custom, non-public version of this technique that is much more OPSec safe than the public version. The original release only allowed spawn/inject, which is relatively limited. If you wanted to stay in your local process or sideload binary, you could not use it. In RustPack you can use Ruy-Lopez for local execution AND spawn/inject for both executables and DLL payloads. And it will prevent userland EDR DLLs from loading on top of amsi.dll. 🤠 For a few months now, all Sliver payloads have been flagged by many vendors because of the built-in AMSI patch bypass. Most people stuck to modifying the Sliver source to get rid of these detections. Well, if amsi.dll is never loaded at all, the patch won't happen either, and you can get rid of this detection just by using the Ruy-Lopez technique. 💡 The following video shows how to pack a Sliver executable with RustPack to get a fully functional connection without any detections. 🔥 And this is just a small use case. A fully interactive PowerShell runspace with all AMSI-related DLLs blocked and no userland hook DLLs sounds great too, right? Easy to build with RustPack in a few seconds. Execute all those PowerShell scripts like it's many years before 2025. 🥳 #RedTeam #Pentest #OST #Malware #Maldev
English
2
16
66
8.5K
MSec Operations
MSec Operations@MSecOps·
#RustPack version 1.3.0 has been released today. This version includes (again) minor changes to the final payload metadata to remove various potential IoCs. 🔥🔥 For example, most packers use some kind of string-based encoding to reduce entropy, such as the well-known UUID, MAC or IPv4 encodings, or custom words. However, having a large amount of strings in a binary can also be considered suspicious, so this release now uses a different encoding that looks like legitimate code instead of strings. 💡 You can never have enough alternatives to bypass AMSI or ETW? With this release, we have reached the point where new techniques should not be needed for some time. We have added three new AMSI bypass techniques and two more ETW bypasses in this release. This makes a total of 7 different AMSI bypasses and 5 ETW bypasses. Of course, we provide our customers with information on which bypass to use against which vendor. Multiple of those bypasses are not used by any public open source tools by now, ensuring long-term coverage without detections. If any of these bypasses get flagged by behaviour, we usually also adjust them for the next release so that they are usable again. 😎 One of the newly added AMSI bypasses is a customized Ruy-Lopez version, which not only prevents AMSI-related DLLs from loading into a process but on top also prevents userland hooking DLLs from loading. You will therefore not only get rid of AMSI-based detections but also don't have to worry about userland hooks in that process anymore. 🥳 From this release on, all executables and DLLs by default use random metadata information, such as copyright information, product version and so on. Executables are also shipped with random different icons, which also reduces overall suspicion. But operators can now also clone any other file's metadata or icons, so that executables can look like PDF files or whatever else you prefer to use. Interested in buying RustPack or getting more information? Contact us via info[at]msecops.de ! #Pentest #RedTeam #OST
MSec Operations tweet media
English
0
3
19
2.2K
MSec Operations
MSec Operations@MSecOps·
In one of our previous videos we demonstrated how to generate sideloading binaries by cloning the exports of an existing DLL to forward them - x.com/MSecOps/status… . However, using Microsoft DLLs and Microsoft-signed binaries is not the best OPsec, as it's easy for EDR vendors to create a detection rule for e.g. "version.dll" being loaded from a non-System32 directory. 🧐 We therefore recommend using third party signed executables that attempt to load their own DLL. This is much harder to track/map on the endpoint. If you know which functions are imported from your signed binary (see import table), you can also generate a sideloading DLL for persistence or initial access use cases. Bring your own third-party signed binary and voila - you're trusted! In this example, we sideload into java.exe, which is signed by Oracle. It attempts to load several DLLs - including jli.dll as shown in the video. #RustPack can easily create such DLLs with custom export functions - anti-debugging features, sandbox evasion, signature evasion and anti-emulation can be easily added. 🔥🔥 Userland hooks are bypassed by default options and you can enable custom AMSI/ETW bypasses for the process on top. If you want to use it for persistence, you can of course still clone the original DLL exports as we did in the previous video and forward them accordingly. 👍 Interested in buying RustPack? Contact us at info[at]msecops.de ! #RedTeam #Pentest #OST #Maldev #Malware #Havoc
MSec Operations@MSecOps

How do you create your payloads in 2025? At MSec Operations we prefer to use DLL sideloading for EDR evasion. This technique allows our malicious code to run within a signed, legitimate executable. Combining this technique with other useful techniques will provide stable execution to fly under the radar. 🛸 The following video demonstrates the use of #RustPack to create such a payload in just a few seconds. The command line usage shows that our input payload is a simple unmodified Apollo C2 executable. We want to clone all the exported functions from the original Windows wininet.dll to create our own library with the same name. The execution of the payload will be delayed by ~5 seconds in this case, without using the Win32 sleep function, but by performing random calculations. ⏲️ Hardware breakpoints are used to bypass the Antimalware Scan Interface (AMSI). Without an AMSI bypass, Apollo would be flagged as a C# assembly when loaded. 🎓 Our payload will only fire on a domain-joined system; this basically prevents it from running in e.g. sandbox environments. 🤠 Last but not least, in this example, the encrypted payload itself is stored in a separate file on the target system and not even in the same folder as our malicious DLL. Anyone analysing just the DLL will never be able to find out what the payload is. Automatic sample submissions for cloud analysis usually only upload the executable or DLL, so emulators won't see the real payload either. 🤠 Tired of creating such payloads yourself? With #RustPack it's really easy, and payloads always look completely different, even if the same payload is packed twice, to avoid signature-based detection. Contact us via info[at]msecops.de for more information! 👍

English
0
29
121
10.7K
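The post above states the detection idea from the defender's side: a Windows-shipped DLL name such as version.dll or wininet.dll being loaded from a directory other than System32 is easy for an endpoint product to flag, whereas a third-party DLL (the jli.dll next to java.exe) is not. The script below is an added example of that rule, not MSec Operations' code and not part of RustPack. It assumes image-load telemetry already parsed into dicts with the Sysmon Event ID 7 field names Image and ImageLoaded, a default C: install, and a constructed two-entry watch-list; the sample events are constructed.

```python
import ntpath

# Directories where Windows itself ships these DLLs (assumption: default install drive C:).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed watch-list of Windows-shipped DLL names named in the posts as sideload targets.
# A production rule would carry a far longer list; two names are enough to show the shape.
WATCHED_DLLS = {"version.dll", "wininet.dll"}


def is_system_dir(path):
    """True when the DLL sits directly in a Windows system directory (subfolders do not count)."""
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def analyse_image_loads(events):
    """Return one finding per event where a watched Windows DLL name is loaded
    from outside System32/SysWOW64, the classic proxy-DLL sideload shape."""
    findings = []
    for ev in events:
        loaded = ev["ImageLoaded"]
        dll = ntpath.basename(loaded).lower()
        if dll in WATCHED_DLLS and not is_system_dir(loaded):
            # Loaded from the host process's own directory is the strongest variant of the pattern.
            same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(ev["Image"]).lower()
            findings.append({
                "process": ev["Image"],
                "dll": dll,
                "path": loaded,
                "in_process_dir": same_dir,
            })
    return findings


# Constructed sample events in the shape of Sysmon Event ID 7 (image loaded) fields.
SAMPLE_EVENTS = [
    # Benign: explorer loading the real version.dll from System32.
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # Sideload shape: a Windows DLL name loaded from a user-writable folder next to the host.
    {"Image": r"C:\Users\alice\Downloads\updater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll"},
    # Third-party host loading its own DLL: not on the watch-list, so this rule stays silent.
    {"Image": r"C:\Program Files\Java\bin\java.exe",
     "ImageLoaded": r"C:\Program Files\Java\bin\jli.dll"},
]

if __name__ == "__main__":
    for f in analyse_image_loads(SAMPLE_EVENTS):
        print(f"sideload candidate: {f['process']} loaded {f['dll']} from {f['path']}")
```

Only the second event is reported. The third is deliberately not caught: as the post says, a signed third-party host loading a DLL that belongs to the same product cannot be separated from normal behaviour by path and name alone, which is exactly why the name-versus-directory rule covers the Microsoft DLL case but not the java.exe/jli.dll case.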
MSec Operations
MSec Operations@MSecOps·
#RustPack version 1.2.0 is now released for our customers. The biggest change was to add full DInvoke support for all payloads. The import table now won't show the Windows APIs being used anymore; instead, by default, random non-malicious imports are added here to make payloads look more benign. In the end this was like a rewrite of all existing code. Besides that, one new AMSI bypass alternative was added on top of the existing ones. All of them work fine against most EDRs but it's always good to have options. 🙃 On top, one new OpSec-safe injection technique was integrated; in combination with the existing options it will be hard to flag your payload - even with ETWti data. 🤠 More info here: msecops.de/products
MSec Operations tweet media
English
0
5
32
3.3K
MSec Operations
MSec Operations@MSecOps·
How do you create your payloads in 2025? At MSec Operations we prefer to use DLL sideloading for EDR evasion. This technique allows our malicious code to run within a signed, legitimate executable. Combining this technique with other useful techniques will provide stable execution to fly under the radar. 🛸 The following video demonstrates the use of #RustPack to create such a payload in just a few seconds. The command line usage shows that our input payload is a simple unmodified Apollo C2 executable. We want to clone all the exported functions from the original Windows wininet.dll to create our own library with the same name. The execution of the payload will be delayed by ~5 seconds in this case, without using the Win32 sleep function, but by performing random calculations. ⏲️ Hardware breakpoints are used to bypass the Antimalware Scan Interface (AMSI). Without an AMSI bypass, Apollo would be flagged as a C# assembly when loaded. 🎓 Our payload will only fire on a domain-joined system; this basically prevents it from running in e.g. sandbox environments. 🤠 Last but not least, in this example, the encrypted payload itself is stored in a separate file on the target system and not even in the same folder as our malicious DLL. Anyone analysing just the DLL will never be able to find out what the payload is. Automatic sample submissions for cloud analysis usually only upload the executable or DLL, so emulators won't see the real payload either. 🤠 Tired of creating such payloads yourself? With #RustPack it's really easy, and payloads always look completely different, even if the same payload is packed twice, to avoid signature-based detection. Contact us via info[at]msecops.de for more information! 👍
English
8
52
230
25.9K
MSec Operations
MSec Operations@MSecOps·
The next version of #RustPack will not expose any of its used imports anymore 🔥🔥🔥 Instead, there will be random friendly-looking imports for each payload. Only if operators really want to can they still go for zero imports. Just because it's possible. 🙂
MSec Operations tweet media
English
0
2
15
5.9K
MSec Operations
MSec Operations@MSecOps·
The simplest use case for #RustPack: packing shellcode into an unsigned executable. RustPack is a Windows executable, which can be used offline. It takes the input file (in this case Havoc shellcode) and builds an executable output format, which will decrypt and execute the shellcode at runtime. Although we don't recommend using unsigned executables, they will still work fine against most classic AV vendors and some EDRs. Perfectly fine for a pentest, better not when detections matter. As you can see, there is a warning system that tells operators that they should adjust the options to make the payload more OPsec safe. If you don't see a warning - that's the way to go. But OPsec considerations can also be found in our RustPack DOCS. 💡 Operators can place the output executable on their target host and execute it to retrieve the Command & Control connection. 🔥 In our case, we enumerate our current user using the built-in whoami module, check for open windows using an open source BOF and finally enumerate the AMSI provider DLLs using Seatbelt. 😎
English
0
9
56
5.3K
MSec Operations
MSec Operations@MSecOps·
🔥🔥 The first new #RustPack version 1.1 was just sent to our customers. 🔥🔥
________________________
Changes include:
- A killdate can now be set; after that date payloads won't fire anymore.
- The operator can specify the host binary in which the payload will fire. It will only fire there, which is nice for DLL sideloading or targeted COM hijacking.
- Option to only execute the payload once at the same time. Also viable for sideloading or COM hijacking, to not get multiple C2 connections at once.
- New non-public ETW patching offsets.
- Service binary output format, so that custom executables for lateral movement or persistence can be used.
- Now there is also RustPack DOCS, a guide for each feature plus OPSec recommendations from our side 🚨
________________________
More information about RustPack at msecops.de! Directly want to get into contact? E-mail us via: inquiry[at]msecops[dot]de
MSec Operations tweet media
English
1
3
30
4.2K