Sh0ckFR/Lockbit3.0-MpClient-Defender-PoC Sh0ckFR/Lockbit3.0-MpClient-Defender-PoC

  • Stars
    star
    169
  • Rank 224,453 (Top 5 %)
  • Language
    C++
  • License
    MIT License
  • Created over 2 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Sh0ckFR/Lockbit3.0-MpClient-Defender-PoC
github

Sh0ckFR

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Lockbit3.0 Microsoft Defender MpClient.dll DLL Hijacking PoC

Lockbit3.0-MpClient-Defender-PoC

Lockbit3.0 Microsoft Defender MpClient.dll DLL Hijacking PoC

Based on: LockBit ransomware abuses Windows Defender to load Cobalt Strike

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/

How to test by yourself

  • Create a new directory, copy C:\Program Files\Windows Defender\MpCmdRun.exe or C:\Program Files\Windows Defender\NisSrv.exe in this new directory
  • Copy mpclient-mpcmdrun.dll or mpclient-nissrv.dll (depends of the binary that you want to test) and rename the dll mpclient.dll.
  • Run the executable.

How to compile

If you want to try MpCmdRun.exe:

clang++ dllmain-mpcmdrun.cpp -o mpclient.dll -shared

If you want to try NisSrv.exe:

clang++ dllmain-NisSrv.cpp -o mpclient.dll -shared

Yara Rule

Check the file lockbit3mpclientdefender.yar

More Repositories

1

Universal-Dear-ImGui-Hook

An universal Dear ImGui Hook for Directx12 D3D12 (D3D11, D3D10 and maybe Vulkan will be added later)
C++
350
star
2

DLLirant

DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
322
star
3

Universal-ImGui-D3D11-Hook

Universal Directx11 D3D11 Hook Project for all directx11 - 10 applications with ImGui and InputHook included, fullscreen supported.
C++
237
star
4

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
Assembly
173
star
5

Infosec-Useful-Stuff

This repository is my own list of tools / useful stuff for pentest, defensive activities, programming, lockpicking and physical security
52
star
6

french-ezines

French old computer security ezines restored to serve as mirrors. The sources have been slightly tweaked for immediate use.
HTML
33
star
7

API-Hashing

A basic exemple of the API-Hashing method used by Red Teamers but also by malwares developers in C++
C++
32
star
8

log4j-CVE-2021-44228-Public-IoCs

Public IoCs about log4j CVE-2021-44228
YARA
9
star
9

Pentestor

Pentestor is a tool to automatise basic tasks during a Pentest.
Python
6
star
10

Starfield-Game-WideScreen-Patcher

Starfield WideScreen 32/9 Patcher is a tool to patch the Starfield binary to disable the black bars on a 32/9 WideScreen.
C#
5
star
11

Sh0ckFR.github.io

SCSS
3
star
12

easynrich

Script to launch shodan-nrich on the subdomains of a specific domain or a domains list
Python
3
star
13

Burp-Requests-Fusion

Burp Requests Fusion is a Burp Extension to add custom HTTP headers (dynamic headers too) from a local server to all HTTP requests
Java
3
star
14

CVE-2024-4577

Fixed and minimalist PoC of the CVE-2024-4577
Python
2
star
15

DataTranscripters

Another approach to stock big data volumes (theory only)
1
star
16

Alienvault-Takedowns-Helper

A small script to get the registrars and the whois of a domain via AlienVault OTX and RiskIQ
Python
1
star
17

Sh0ckFR

1
star
18

threat-actors.com

Source code of threat-actors.com website, everything you need to know about cyber threat actors.
HTML
1
star