  • Stars: 169
  • Rank: 223,215 (Top 5 %)
  • Language: C++
  • License: MIT License
  • Created about 2 years ago
  • Updated about 2 years ago


Repository Details

Lockbit3.0 Microsoft Defender MpClient.dll DLL Hijacking PoC

Lockbit3.0-MpClient-Defender-PoC


Based on: LockBit ransomware abuses Windows Defender to load Cobalt Strike

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/

How to test it yourself

  • Create a new directory and copy C:\Program Files\Windows Defender\MpCmdRun.exe or C:\Program Files\Windows Defender\NisSrv.exe into it.
  • Copy mpclient-mpcmdrun.dll or mpclient-nissrv.dll (depending on the binary you want to test) into the same directory and rename it mpclient.dll.
  • Run the executable.

How to compile

If you want to try MpCmdRun.exe:

clang++ dllmain-mpcmdrun.cpp -o mpclient.dll -shared

If you want to try NisSrv.exe:

clang++ dllmain-NisSrv.cpp -o mpclient.dll -shared

Yara Rule

See the file lockbit3mpclientdefender.yar.

More Repositories

  1. Universal-Dear-ImGui-Hook (C++, 350 stars): A universal Dear ImGui hook for DirectX 12 / D3D12 (D3D11, D3D10 and maybe Vulkan will be added later).
  2. DLLirant (322 stars): DLLirant is a tool to automate DLL hijacking research on a specified binary.
  3. Universal-ImGui-D3D11-Hook (C++, 237 stars): Universal DirectX 11 / D3D11 hook project for all DirectX 11 and 10 applications, with ImGui and InputHook included; fullscreen supported.
  4. InlineWhispers2 (Assembly, 173 stars): Tool for working with direct system calls in Cobalt Strike's Beacon Object Files (BOF) via SysWhispers2.
  5. Infosec-Useful-Stuff (52 stars): This repository is my own list of tools and useful material for pentesting, defensive activities, programming, lockpicking and physical security.
  6. french-ezines (HTML, 33 stars): Old French computer security e-zines restored to serve as mirrors. The sources have been slightly tweaked for immediate use.
  7. API-Hashing (C++, 32 stars): A basic example of the API hashing method used by red teamers, and also by malware developers, in C++.
  8. log4j-CVE-2021-44228-Public-IoCs (YARA, 9 stars): Public IoCs for the log4j CVE-2021-44228.
  9. Pentestor (Python, 6 stars): Pentestor is a tool to automate basic tasks during a pentest.
  10. Starfield-Game-WideScreen-Patcher (C#, 5 stars): Starfield WideScreen 32:9 Patcher is a tool to patch the Starfield binary to disable the black bars on a 32:9 widescreen display.
  11. Sh0ckFR.github.io (SCSS, 3 stars)
  12. easynrich (Python, 3 stars): Script to launch shodan-nrich on the subdomains of a specific domain or a list of domains.
  13. Burp-Requests-Fusion (Java, 3 stars): Burp Requests Fusion is a Burp extension to add custom HTTP headers (dynamic headers too) from a local server to all HTTP requests.
  14. CVE-2024-4577 (Python, 2 stars): Fixed and minimalist PoC for CVE-2024-4577.
  15. DataTranscripters (1 star): Another approach to storing big data volumes (theory only).
  16. Alienvault-Takedowns-Helper (Python, 1 star): A small script to get the registrars and the WHOIS of a domain via AlienVault OTX and RiskIQ.
  17. Sh0ckFR (1 star)
  18. threat-actors.com (HTML, 1 star): Source code of the threat-actors.com website, everything you need to know about cyber threat actors.