search

0xsp-SRD / mortar

evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
MIT License
1.41k stars 226 forks source link

Applying this technique to other tools #5

Closed B0r3dS3c closed 2 years ago

B0r3dS3c commented 2 years ago

Hi, this works amazingly well with mimikatz against multiple antivirus products that i have tested. (Windows Defender, McAfee, Eset, Norton, Bitdefender and Avast)

But i still have a question, is there a way where we could apply this technique to other tools that run once, such as WinPEAS or PowerUp?

lawrenceamer commented 2 years ago

thanks for your test, I think running some of these assembles bins is not that possible, but I will do some testing later, in both ways can you share with me some screenshots of your testing results for BitDefender,Norton like doing mimikatz or meterpreter

B0r3dS3c commented 2 years ago

Thanks for your response, hope that you find a way to make it work! 😊

Norton Bitdefender_3 Sadly Bitdefender then blocks the access to lsass. I didn't find a way to bypass that restriction.

The only change i have made in the code of the AggresorBD2.DLL, is in the stealth call: C:\Program Files\Palo Alto Networks\Traps\CyveraConsole.exe to C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe

lawrenceamer commented 2 years ago

I think Bitdefender can prevent access to lsass. mortar is not designed to bypass hooks while it is made to load bins into memory. would be better if you tried also meterpreter/CS so I can include that into my research.tnx

B0r3dS3c commented 2 years ago

The meterpreter session works perfectly, it gets detected by bitdefender but it still keeps on running BitdefenderMeterpreter Meterpreter1

Even the Mimikatz module doesn't get detected or blocked 😉 Mimidump

lawrenceamer commented 2 years ago

thanks for the testing, please tag me on Twitter with your results. @zux0x3a

B0r3dS3c commented 2 years ago

But i still have a question, is there a way where we could apply this technique to other tools that run once, such as WinPEAS or PowerUp?

Did you find any way to make this work? I think you closed this issue by mistake.

lawrenceamer commented 2 years ago

i will make it open until has some results in my pocket, thanks for your testing

lawrenceamer commented 2 years ago

mortar loader can't support loading assemblies into memory, I would suggest using functions such as execute-assemblies within cobalt-strike or alternative.

NehorayK commented 1 year ago

Hi, please when someone sees that reply contact me via mail or just reply here, I kind of need help with one of the tools you mentioned here. Thanks 🙏