Firewalls
THM Room: Firewalls

Introduction

What?

Learn about and experiment with various firewalls.

Why?

To be able to apply firewall evasion techniques such as port hopping and port tunnelling.

How?

  • Firewall systems
  • Evasion via controlling the source MAC/IP/Port
  • Evasion via forcing fragmentation, MTU, and data length
  • Evasion via modifying header fields
  • Evasion using port hopping
  • Evasion using port tunnelling
  • Evasion using non-standard ports
  • Next-Generation firewalls
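Port tunnelling, one of the techniques listed above, is the idea that a firewall which blocks a service's real port can be sidestepped by accepting connections on a port it does allow and relaying them to the blocked one. The room's own labs do this with command-line tools; the script below is an added illustration written for this page, not code from the room or from TryHackMe, and it shows the same mechanism as a small TCP relay. Everything in it is an assumption chosen so it runs offline: both "sides" live on loopback, the OS picks the port numbers, and an echo service stands in for the service the firewall would block.

```python
"""Port tunnelling as a TCP relay (added example, not the room's own code).

A relay listens on a port the firewall permits and forwards every accepted
connection to a port the firewall blocks. Assumptions for offline use:
loopback addresses, OS-assigned ports, and an echo service standing in for
the real blocked service.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst.

    Half-closing (SHUT_WR) rather than closing lets the reverse direction
    keep flowing, which is what makes request/response traffic work.
    """
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass  # peer went away; the other direction will notice EOF on its own
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_port: int, target_host: str, target_port: int) -> socket.socket:
    """Listen on listen_port (0 = OS-assigned) and tunnel each client to target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()
                continue
            # One thread per direction: client -> blocked service and back.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_echo_service() -> socket.socket:
    """Stand-in for the blocked service: echoes back whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve(conn: socket.socket) -> None:
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def send_through(port: int, payload: bytes) -> bytes:
    """Connect to the allowed port, send payload, return everything echoed back."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # signal end of request, keep reading the reply
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Stand up echo service and relay, push payload through the tunnel, tear down."""
    echo = start_echo_service()
    blocked_port = echo.getsockname()[1]          # the port a firewall would block
    relay = start_relay(0, "127.0.0.1", blocked_port)
    allowed_port = relay.getsockname()[1]         # the port the firewall permits
    try:
        return send_through(allowed_port, payload)
    finally:
        relay.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

In a real engagement the relay would bind on a host reachable through the firewall and the target would be the filtered service on another host; the half-close handling in `_pump` is the part worth copying, since without it a request/response protocol stalls as soon as the client finishes sending.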


Unseen University, 2023, with a forest garden fostered by /ut7.