BC-SECURITY/Beginners-Guide-to-Obfuscation

Stars
1,009
Rank 45,557 (Top 0.9 %)
Language
PowerShell
License
MIT License
Created over 3 years ago
Updated 6 months ago

BC-SECURITY/Beginners-Guide-to-Obfuscation

BC-SECURITY

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Evading Detection: A Beginner's Guide to Obfuscation

Defenders are constantly adapting their security to counter new threats. Our mission is to identify how they plan on securing their systems and avoid being identified as a threat. This is a hands-on class to learn the methodology behind malware delivery and avoiding detection. This workshop explores the inner workings of Microsoft's Antimalware Scan Interface (AMSI), Windows Defender, and Event Tracing for Windows (ETW). We will learn how to employ obfuscated malware using Visual Basic (VB), PowerShell, and C# to avoid Microsoft's defenses. Students will learn to build AMSI bypass techniques, obfuscate payloads from dynamic and static signature detection methods, and learn about alternative network evasion methods.

Objectives

Understand the use and employment of obfuscation in red teaming.
Demonstrate the concept of least obfuscation.
Introduce Microsoft's Antimalware Scan Interface (AMSI) and explain its importance.
Demonstrate obfuscation methodology for .NET payloads.

Recordings

Starkiller

Starkiller is a Frontend for PowerShell Empire.

Moriarty

Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.

Malleable-C2-Profiles

Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike & Empire.

Invoke-ZeroLogon

Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

Invoke-PrintDemon

This is a PowerShell Empire launcher PoC using PrintDemon and Faxhell.

DEFCON27

DEFCON 27 slides and workshop materials.

Offensive-VBA-and-XLS-Entanglement

IronSharpPack

IronSharpPack is a repo of popular C# projects that have been embedded into IronPython scripts that execute an AMSI bypass and then reflective load the C# project.

Long-Live-The-Empire

A comprehensive workshop aimed to equip participants with an in-depth understanding of modern Command and Control (C2) concepts, focusing on the open-source Empire C2 framework.

ScriptBlock-Smuggling

Example code samples from our ScriptBlock Smuggling Blog post

Empire-Cli

CLI Frontend for PowerShell Empire.

Taming-Offensive-IronPython

This workshop is designed to provide you with a solid understanding of IronPython, its integration with the .NET framework, and how it can be used to interact with other .NET languages.

Red-Team-Village-CTF-2023

Secure Terminal CTF Challenge for DC31 Red Team Village

SocksProxyServer-Plugin

Socks Proxy Server Plugin for Invoke-SocksProxy

DeathStarPlugin

Deathstar is an Empire plugin that automates gaining Domain and/or Enterprise Admin rights in Active Directory environments using common offensive tactics, techniques, and procedures (TTPs).

empire-docs

https://bc-security.gitbook.io/empire-wiki/

DEFCONSafeMode

DEFCON Safe Mode Slides

ChiselServer-Plugin

DEFCON24

DEFCON 24 slides and materials.

intro-ctf

Empire-Compiler

Twilio-Plugin

Empire-Launcher

denylist-plugin

Report-Generation-Plugin

Plugin for replacing the original reporting functionality in Empire with customizable PDFs.

AutoRun-Plugin

Plugin to automatically execute an agent tasking on checkin