Red Teaming Experiments
Hidden Files
Defense Evasion, Persistence
Execution
Hiding the file mantvydas.sdb using a native Windows binary:

PS C:\experiments> attrib.exe +h .\mantvydas.sdb
Note how PowerShell (or cmd) reports that the file does not exist; however, you can still type out its contents if you know the file is there.

Note that dir /a:h (attribute: hidden) reveals files with the "hidden" attribute set.
Observations
As usual, monitoring command-line arguments may be a good idea if you want to identify these events.
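A detection sketch for the observation above, added here as an example and not code from ired.team: it scans constructed process-creation command lines (the CommandLine field of Sysmon Event ID 1 or Windows Security event 4688) and flags attrib invocations that set +h, including ones wrapped in cmd /c or powershell -c. The sample command lines and the helper names are assumptions made for the example.

```python
import os
import re
from typing import Optional

# Constructed sample command lines shaped like a CommandLine field (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r'attrib.exe +h .\mantvydas.sdb',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\bob\AppData\Local\Temp\run.bat" /s /d',
    r'attrib -h C:\Users\bob\notes.txt',
    r'ATTRIB +R C:\report.docx',
    r'dir /a:h',
    r'powershell.exe -nop -c "attrib +h C:\ProgramData\x.dll"',
]

def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace, keeping double-quoted arguments together and
    dropping the quotes (Windows quoting, not POSIX escaping)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def is_attrib(token: str) -> bool:
    """True for attrib / attrib.exe, with or without a directory path."""
    return os.path.basename(token.replace('\\', '/')).lower() in ('attrib', 'attrib.exe')

def detect_hide(cmdline: str) -> Optional[dict]:
    """Return attributes set, recursion flag and targets when the command line
    runs attrib with +h; None otherwise (-h, +r, unrelated tools)."""
    tokens = split_cmdline(cmdline)
    for i, tok in enumerate(tokens):
        if is_attrib(tok):
            args = [a for a in tokens[i + 1:] if a]
            switches = {a.lower() for a in args if a[0] in '+-/'}
            if '+h' not in switches:
                return None
            return {'attributes': sorted(s for s in switches if s[0] == '+'),
                    'recursive': '/s' in switches,  # attrib /S walks subdirectories
                    'targets': [a for a in args if a[0] not in '+-/']}
        # Wrapped invocation (cmd /c "...", powershell -c "..."): the quoted
        # inner command arrives as a single token, so re-scan it.
        if ' ' in tok and 'attrib' in tok.lower():
            return detect_hide(tok)
    return None

def scan(cmdlines: list[str]) -> list[tuple[str, dict]]:
    """Return (command line, details) for every line that hides a file."""
    return [(line, d) for line in cmdlines if (d := detect_hide(line))]

if __name__ == '__main__':
    for line, d in scan(SAMPLE_COMMAND_LINES):
        print(f"hidden attribute set on {d['targets']}: {line}")
```

Expect noise from legitimate administration scripts, so tune on parent process and target path before alerting.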
References
Hide Artifacts: Hidden Files and Directories, Sub-technique T1564.001 - Enterprise | MITRE ATT&CK®