Usman Sikander (a.k.a Offensive-Panda) is a seasoned security professional specializing in adversary emulation, malware analysis, and red teaming. With a focus on practical application, he excels in analyzing real-world threats to extract Tactics, Techniques, and Procedures (TTPs), validating security postures through Advanced Persistent Threat (APT) emulations, and developing exploits across MITRE ATT&CK tactics. His expertise lies in enhancing security measures by leveraging meticulous research and hands-on experience.
This collection offers advanced methods to bypass sophisticated security measures in Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems. This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field. It provides a valuable resource for those dedicated to improving their skills, security defenses and measures. This repository includes strategies for manipulating system calls, obfuscating code, managing memory to evade detection and other advanced evasion techniques. By leveraging these methods, experts can enhance penetration testing, red teaming, malware analysis, and develop more resilient defenses.
| Post Detail | Post Link |
|---|---|
| Dirty vanity implementaion using direct syscalls | Post Link |
| Mokingjay Technique Implementaion to avoid RWX region detection | Post Link |
| Combining Unhooking and ETW patching to dump lsass.exe memory | Post Link |
| Direct syscalls to dump lsass.exe memory and offline dumping | Post Link |
| Remote Template Injection | Post Link |
| Mark-of-the-Web for Red Team | Post Link |
| Memory dump using outflank dumpert and Windows process injection | Post Link |
| Nt-Authority Shell using Fodhelper | Post Link |
| RWX-Memory hunt and injection with CreateRemoteThread | Post Link |
| EDR Terminator (call it killer) | Post Link |
| Lsass.exe memory dumping using multiple techniques [𝐋𝐚𝐠𝐨𝐬 𝐈𝐬𝐥𝐚𝐧𝐝 𝐌𝐞𝐭𝐡𝐨𝐝 (𝐚.𝐤.𝐚 𝐑𝐞𝐟𝐥𝐞𝐜𝐭𝐢𝐯𝐞𝐋𝐨𝐚𝐝𝐢𝐧𝐠), 𝐖𝐢𝐧𝐝𝐨𝐰𝐬 𝐏𝐫𝐨𝐜𝐞𝐬𝐬 𝐈𝐧𝐣𝐞𝐜𝐭𝐢𝐨𝐧: 𝐂𝐨𝐧𝐬𝐨𝐥𝐞𝐖𝐢𝐧𝐝𝐨𝐰𝐂𝐥𝐚𝐬𝐬, 𝐖𝐢𝐧𝐝𝐨𝐰𝐬 𝐅𝐨𝐫𝐤𝐢𝐧𝐠] | Post Link |
| UAC Bypass Using .NET profiler DLL Loading Vulnerability | Post Link |
| Remove EDR callbacks using vulnerable driver | Post Link |
| Privileges Escalation using Vulnerable Driver | Post Link |
| Technique | Description |
|---|---|
| Direct and Indirect Syscalls | Strategies for making direct and indirect function calls to evade detection mechanisms. |
| API Hashing | Techniques for obfuscating and altering API calls to avoid detection. |
| API Imports Obfuscation | Methods to obfuscate code and make it harder to analyze. |
| Payload Encryption | Use of encryption to bypass static analysis of EDRs. |
| Egg Hunting | Syscall Instruction In-memory patching to bypass static detection. |
| Random Instructions and Prototypes | Use random NOP instructions and name of API, prototypes to avoid static analysis. |
| Mokingjay | Use of vulnerable dll to avoid detection of RWX memory region creation. |
| Forking Technique Memory Dumps | Use of windows fork API to clone parent process after injecting shellcode, avoid detection of CreateRemoteThread. |
| API Unhooking | Unhooking EDRs user mode hooks using clean copy of dll, raw copy from remote server, suspended process to bypass EDRs. |
| ETW Patching | Applying ETW patching to avoid event based detection. |
| PEB Lookup | Resolving SSN and Native API's on run-time using PEB lookup for 32bits & 64bits. |
| RWX Memory Block Hunt | Hunt for already created RWX region to write and execute shellcode. This technique remove the dependencies of vulnerable DLL with RWX and API to allocate RWX. |
| BYOVD | Bring your own vulnerable driver which involves deploying drivers that are legitimately signed and can be successfully loaded into Windows systems to execute code in kernel context. |
<iframe src="BYOVD.pdf" width="900px" height="750px" style="display: inline-block;"></iframe> <iframe src="PEB Walk.pdf" width="900px" height="750px" style="display: inline-block;"></iframe> <iframe src="EDRBYPASS.pdf" width="900px" height="750px" style="display: inline-block;"></iframe> <iframe src="Defense_Evasion.pdf" width="900px" height="750px" style="display: inline-block; margin-right: 20px;"></iframe>
The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials. Any actions taken based on the information are done so at the user's own risk.