Tips and Tricks
- EDRs love scanning RWX memory, so use RW -> RX instead.
- Try to use APIs closer to the kernel, so that products have less telemetry over your API calls and you have more API mix-ups to choose from. Examples are:
  - CreateRemoteThread
  - RtlCreateUserThread
  - QueueUserAPC, followed by ResumeThread, NtResumeThread or NtAlertResumeThread
  - NtQueueApcThread, followed by ResumeThread, NtResumeThread or NtAlertResumeThread
- Avoid calling successive functions with the same common parameter (for example, the same address). Instead you can do something like this:
  - address = VirtualAlloc(1000)
  - VirtualProtect(address + 50)
  - memcpy(address + 100)
  - CreateThread(address + 200)
- Try to include obscure flags in OpenProcess calls.
- Try to duplicate handles that already exist on the machine (found with NtQuerySystemInformation) instead of creating new ones.
- Inject from noisy contexts such as SYSTEM or csrss.exe.
- Encrypt your payload and modules, or change their memory permissions, when they are not in use.
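The defender's counterpart to the notes above, as an added example that is not part of the original page: a small correlation over constructed API-telemetry events that resolves every address argument back to the allocation containing it, so spreading calls over base+50, base+100 and base+200 still lands in one region, and flags any allocation that went RW -> RX and then had a thread or APC pointed into it. The `Event`/`Region` types, the `SAMPLE` events and the `THREAD_APIS` set are all constructed here, not real EDR output or fields.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    pid: int
    api: str
    addr: int            # address argument passed to the API
    size: int = 0        # allocation size (VirtualAlloc only)
    prot: str = ""       # protection requested (VirtualAlloc / VirtualProtect)

@dataclass
class Region:
    base: int
    size: int
    prot: str
    went_rx: bool = False   # set once a RW -> RX transition is seen

# Constructed telemetry, not real EDR output: pid 1234 follows the
# spread-out offset pattern from the notes, pid 5678 is a benign RW region.
BASE = 0x7FF600000000
SAMPLE = [
    Event(1234, "VirtualAlloc", BASE, size=0x1000, prot="RW"),
    Event(1234, "VirtualProtect", BASE + 50, prot="RX"),
    Event(1234, "WriteProcessMemory", BASE + 100),
    Event(1234, "CreateRemoteThread", BASE + 200),
    Event(5678, "VirtualAlloc", 0x10000, size=0x1000, prot="RW"),
    Event(5678, "VirtualProtect", 0x10000 + 16, prot="RW"),
]

THREAD_APIS = {"CreateThread", "CreateRemoteThread", "RtlCreateUserThread",
               "QueueUserAPC", "NtQueueApcThread"}

def find_rw_rx_exec(events: List[Event]) -> List[Tuple[int, int]]:
    """Return (pid, base) for each allocation that went RW -> RX and then
    had a thread or APC pointed anywhere inside it."""
    regions: Dict[int, List[Region]] = {}
    hits: List[Tuple[int, int]] = []
    for ev in events:
        if ev.api == "VirtualAlloc":
            regions.setdefault(ev.pid, []).append(Region(ev.addr, ev.size, ev.prot))
            continue
        # resolve any offset (base+50, base+200, ...) back to its allocation
        region = next((r for r in regions.get(ev.pid, [])
                       if r.base <= ev.addr < r.base + r.size), None)
        if region is None:
            continue
        if ev.api == "VirtualProtect" and region.prot == "RW" and ev.prot == "RX":
            region.went_rx = True
        elif ev.api in THREAD_APIS and region.went_rx:
            hits.append((ev.pid, region.base))
    return hits

if __name__ == "__main__":
    print(find_rw_rx_exec(SAMPLE))   # one hit for pid 1234, none for 5678
```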