icyguider/LightsOut icyguider/LightsOut

  • Stars
    star
    137
  • Rank 257,442 (Top 6 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Updated 12 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
icyguider/LightsOut
github

icyguider

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Generate an obfuscated DLL that will disable AMSI & ETW

LightsOut

LightsOut will generate an obfuscated DLL that will disable AMSI & ETW while trying to evade AV. This is done by randomizing all WinAPI functions used, xor encoding strings, and utilizing basic sandbox checks. Mingw-w64 is used to compile the obfuscated C code into a DLL that can be loaded into any process where AMSI or ETW are present (i.e. PowerShell).

LightsOut is designed to work on Linux systems with python3 and mingw-w64 installed. No other dependencies are required.

Features currently include:

  • XOR encoding for strings
  • WinAPI function name randomization
  • Multiple sandbox check options
  • Hardware breakpoint bypass option
 _______________________
|                       |
|   AMSI + ETW          |
|                       |
|        LIGHTS OUT     |
|        _______        |
|       ||     ||       |
|       ||_____||       |
|       |/    /||       |
|       /    / ||       |
|      /____/ /-'       |
|      |____|/          |
|                       |
|          @icyguider   |
|                       |
|                     RG|
`-----------------------'
usage: lightsout.py [-h] [-m <method>] [-s <option>] [-sa <value>] [-k <key>] [-o <outfile>] [-p <pid>]

Generate an obfuscated DLL that will disable AMSI & ETW

options:
  -h, --help            show this help message and exit
  -m <method>, --method <method>
                        Bypass technique (Options: patch, hwbp, remote_patch) (Default: patch)
  -s <option>, --sandbox <option>
                        Sandbox evasion technique (Options: mathsleep, username, hostname, domain) (Default: mathsleep)
  -sa <value>, --sandbox-arg <value>
                        Argument for sandbox evasion technique (Ex: WIN10CO-DESKTOP, testlab.local)
  -k <key>, --key <key>
                        Key to encode strings with (randomly generated by default)
  -o <outfile>, --outfile <outfile>
                        File to save DLL to

Remote options:
  -p <pid>, --pid <pid>
                        PID of remote process to patch

Intended Use/Opsec Considerations

This tool was designed to be used on pentests, primarily to execute malicious powershell scripts without getting blocked by AV/EDR. Because of this, the tool is very barebones and a lot can be added to improve opsec. Do not expect this tool to completely evade detection by EDR.

Usage Examples

You can transfer the output DLL to your target system and load it into powershell various ways. For example, it can be done via P/Invoke with LoadLibrary:

image

Or even easier, copy powershell to an arbitrary location and side load the DLL!

image

Greetz/Credit/Further Reference:

More Repositories

1

Shhhloader

Syscall Shellcode Loader (Work in Progress)
Python
680
star
2

Nimcrypt2

.NET, PE, & Raw Shellcode Packer/Loader Written in Nim
Nim
575
star
3

ICMP-TransferTools

Transfer files to and from a Windows host via ICMP in restricted network environments.
Python
274
star
4

MoreImpacketExamples

More examples using the Impacket library designed for learning purposes.
Python
228
star
5

DumpNParse

A Combination LSASS Dumper and LSASS Parser. All Credit goes to @slyd0g and @cube0x0.
C#
143
star
6

nimcrypt

PE Crypter written in Nim
Nim
76
star
7

NewPowerDNS

Updated version of PowerDNS by @domchell. Adds support for transfers over DNS A records and a few other useful features.
Python
43
star
8

PowerChunker

Bypass AMSI via PowerShell by splitting a file into multiple chunks
Python
39
star
9

UAC-BOF-Bonanza

Collection of UAC Bypass Techniques Weaponized as BOFs
C
17
star
10

icyguider.github.io

My blog
HTML
2
star