Two Seven One Three

Some powerful built-in Windows 11 programs are allowed to write files to Defender’s working directory: \System32\msiexec.exe \Register-CimProvider.exe \svchost.exe \lsass.exe Tools and methods to find these whitelisted programs for other #antimalware Github: /TwoSevenOneT/DefenderWrite

Challenge: Drop #mimikatz onto a drive with the latest Windows 11. 1. Found a way to write a file into Windows Defender’s working directory: Success ✅ 2. Dropped "mimikatz.exe" into that folder: Failed 🛑 Conclusion: Windows Defender does not exclude its own executable folder

@DXevj7ck The purpose is to prevent EDRs from connecting to their servers, with low user privs

@TwoSevenOneT Why don’t you try blocking the URL in Windows Defender?

While I was trying to evade cloud-based EDRs, I accidentally found a way to temporarily block a client's machine network with a POC running as a Normal user. Not using the Windows Filtering Platform (WFP) which requires Admin priv I haven't thought of exploitation scenarios for this tool yet, it might be a dead-end #antimalware research direction 🤔 #redteam

@_hackscale_ @FaithWa76789087 As soon as possible 😁

@TwoSevenOneT @FaithWa76789087 We’re waiting for it >3

@FaithWa76789087 Sure 🤗

@TwoSevenOneT Wanna release the code? 😏

@Abdulmalik_TTG Why not 🤭 All information has value.

@TwoSevenOneT Realllll 😂

Need to survey which Antivirus product to prioritize bypassing

@huntnp007 Yep, Mimi when you want to check whether an exec malicious behavior triggers an alert or not. It's just a quick check.

@TwoSevenOneT EICAR's for auditors. Mimikatz is for operators.

To be honest, in many cases I test evasion or antivirus bypass by dropping #mimikatz onto the Desktop and running it to see if it works. I don't use the EICAR test file 😂 Drop Mimikatz and the AV doesn't complain ==> something's worked

@HolyMoly84103 Safer than "real" hackers, the ones who test payloads with VirusTotal ;)

@TwoSevenOneT 🤣 one of the best solution for every one who need to test av is work...

@gentilkiwi Yep😆

@TwoSevenOneT Depends on the test, EICAR will not annoy CSIRT teams ;)

@HonkyTonkHer0 Yep, this is just a quick way to check

@TwoSevenOneT Not all modern EDR tools will alert when mimikatz or a similar tools write to disk. They will only alert once the tool is utilized. This varies by customer configuration as well.

@r3dactt Be on the same page 😁

@TwoSevenOneT Glad to see I am not the only one 😂

They work harder than the sysadmin team to confige users' machines 🤣

I am releasing a new toolkit I built for IIS-based lateral movement and code execution within IIS worker pool process's memory. Phantom ASPX Loader & PhantomLink -- a two-part toolkit for reflectively loading native DLLs into IIS w3wp.exe worker processes via ASPX. github.com/zux0x3a/Phanto…

Recently my RE workflow moved into sandboxed VMs where agents have full control over the environment. I needed an MCP server that runs headless in the same sandbox and exposes way more of the #BinaryNinja API than others. Here's the release: github.com/mrphrazer/bina…

GitHub - 0xsh3llf1r3/ColdWer: Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass github.com/0xsh3llf1r3/Co…

@7uckzero Yes, what's important is how we make a valid service "crash". If we use a custom payload to trigger it, then the failure recovery function isn't very useful anymore.

@TwoSevenOneT My friend told me that this technique already appeared around 2014. Regardless, it is still worth researching, as EDR solutions tend to closely monitor the SERVICE_CONFIG_FAILURE_ACTIONS flag. trustedsignal.blogspot.com/2014/05/kansa-…

You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. #antimalware #redteam #Pentesting