
matterpreter / Shhmon

Neutering Sysmon via driver unload

Programming Languages

csharp

Projects that are alternatives of or similar to Shhmon

Sysmon Config
Sysmon configuration file template with default high-quality event tracing
Stars: ✭ 3,287 (+1880.12%)
Mutual labels:  sysmon
Hacktheworld
A Python script for generating payloads that bypass all antivirus so far.
Stars: ✭ 527 (+217.47%)
Mutual labels:  evasion
Defendercheck
Identifies the bytes that Microsoft Defender flags on.
Stars: ✭ 942 (+467.47%)
Mutual labels:  evasion
Sysmonsearch
Investigate suspicious activity by visualizing Sysmon's event log
Stars: ✭ 302 (+81.93%)
Mutual labels:  sysmon
Telemetrysourcerer
Enumerate and disable common sources of telemetry used by AV/EDR.
Stars: ✭ 400 (+140.96%)
Mutual labels:  evasion
Sentinel Attack
Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK
Stars: ✭ 676 (+307.23%)
Mutual labels:  sysmon
sysmon-splunk-app
Sysmon Splunk App
Stars: ✭ 42 (-74.7%)
Mutual labels:  sysmon
Green Hat Suite
Green-hat-suite is a tool to generate meterpreter/shell which could evade antivirus.
Stars: ✭ 112 (-32.53%)
Mutual labels:  evasion
Cloak
Cloak can backdoor any python script with some tricks.
Stars: ✭ 411 (+147.59%)
Mutual labels:  evasion
Ripv6
Random IPv6 - circumvents restrictive IP address-based filter and blocking rules
Stars: ✭ 10 (-93.98%)
Mutual labels:  evasion
Awesome Windows Red Team
A curated list of awesome Windows frameworks, libraries, software and resources for Red Teams
Stars: ✭ 308 (+85.54%)
Mutual labels:  evasion
Xeexe Topantivirusevasion
Undetectable & XOR encrypting with custom KEY (FUD Metasploit RAT) bypass top antivirus like BitDefender, Malwarebytes, Avast, ESET-NOD32, AVG, ... & automatically add ICON and MANIFEST to executable
Stars: ✭ 387 (+133.13%)
Mutual labels:  evasion
Bashfuscator
A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.
Stars: ✭ 690 (+315.66%)
Mutual labels:  evasion
Invizzzible
InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them.
Stars: ✭ 268 (+61.45%)
Mutual labels:  evasion
Phantom Evasion
Python antivirus evasion tool
Stars: ✭ 997 (+500.6%)
Mutual labels:  evasion
ir scripts
incident response scripts
Stars: ✭ 17 (-89.76%)
Mutual labels:  sysmon
Sysmon Dfir
Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
Stars: ✭ 654 (+293.98%)
Mutual labels:  sysmon
Windows event logging
Windows Event Forwarding subscriptions, configuration files and scripts that assist with implementing ACSC's protect publication, Technical Guidance for Windows Event Logging.
Stars: ✭ 128 (-22.89%)
Mutual labels:  sysmon
Sysmon Modular
A repository of sysmon configuration modules
Stars: ✭ 1,229 (+640.36%)
Mutual labels:  sysmon
Sysmontools
Utilities for Sysmon
Stars: ✭ 903 (+443.98%)
Mutual labels:  sysmon

Shhmon - Neuter Sysmon by unloading its driver

Usage: Shhmon.exe <hunt|kill>

While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events. Shhmon locates and unloads the driver using this strategy:

1. Uses fltlib!FilterFindFirst and fltlib!FilterFindNext to enumerate drivers on the system in place of crawling the registry.
2a. If a driver is found at altitude 385201, it uses kernel32!OpenProcessToken and advapi32!AdjustTokenPrivileges to grant itself SeLoadDriverPrivilege.
2b. If a driver was not found at 385201, it walks HKLM\SYSTEM\CurrentControlSet\Services looking for a "Sysmon Instance" subkey and, if found, assigns the required privilege as described above.
3. If it was able to get the required privilege, it calls fltlib!FilterUnload to unload the driver.

Defensive Guidance

There are a few interesting events surrounding this tactic that should be evaluated:

  • Sysmon Event ID 255 - Error message with a detail of DriverCommunication
  • Windows System Event ID 1 - From the source "FilterManager" stating File System Filter '<DriverName>' (Version 0.0, <Timestamp>) unloaded successfully.
  • Windows Security Event ID 4672 - SeLoadDriverPrivilege being granted to an account other than SYSTEM
  • Sysmon Event ID 1/Windows Security Event 4688 - Abnormal high-integrity process correlating with the driver unload. This event would be the last before the driver error in Sysmon
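The four signals above are individually noisy (minifilters get unloaded during software upgrades, and SYSTEM is granted SeLoadDriverPrivilege constantly), so the value is in correlating them within a short window. The following Python correlation rule is an added example, not code from the Shhmon repository or from this page; the event records and their field names (`ts`, `log`, `id`, `user`, `privileges`, `image`, `integrity`, `provider`, `message`) are constructed for the example and are not a real Windows event schema, so a real deployment would map them from Get-WinEvent or a SIEM export. It keys on the FilterManager unload message plus the Sysmon 255 DriverCommunication error rather than on the driver name, because the driver can be renamed at installation.

```python
"""Correlate the events named in Shhmon's "Defensive Guidance" list into one alert.

Example code, not part of the Shhmon project. Field names are this example's own
choice; the sample events below are constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Windows System Event ID 1 from FilterManager. The filter name is captured but
# deliberately not used as a match condition, since Sysmon's driver can be renamed.
UNLOAD_RE = re.compile(
    r"File System Filter '(?P<name>[^']+)' \(Version [^)]*\) unloaded successfully"
)
WINDOW = timedelta(seconds=60)  # how far around the unload to look for related events

# Constructed sample events: a planned unload at 08:00 (no interactive account
# involved) and a Shhmon-style unload at 09:15 driven by a user-run high-integrity process.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T07:59:59", "log": "Security", "id": 4672,
     "user": "NT AUTHORITY\\SYSTEM", "privileges": "SeLoadDriverPrivilege SeTcbPrivilege"},
    {"ts": "2024-03-01T08:00:00", "log": "System", "id": 1, "provider": "FilterManager",
     "message": "File System Filter 'SysmonDrv' (Version 0.0, 2024-03-01T08:00:00) unloaded successfully."},
    {"ts": "2024-03-01T08:00:00", "log": "Sysmon", "id": 255, "message": "DriverCommunication"},
    {"ts": "2024-03-01T09:15:00", "log": "Security", "id": 4672,
     "user": "CORP\\alice", "privileges": "SeDebugPrivilege SeLoadDriverPrivilege"},
    {"ts": "2024-03-01T09:15:01", "log": "Sysmon", "id": 1, "user": "CORP\\alice",
     "image": "C:\\Users\\alice\\Downloads\\Shhmon.exe", "integrity": "High"},
    {"ts": "2024-03-01T09:15:02", "log": "System", "id": 1, "provider": "FilterManager",
     "message": "File System Filter 'SysmonDrv' (Version 0.0, 2024-03-01T09:15:02) unloaded successfully."},
    {"ts": "2024-03-01T09:15:02", "log": "Sysmon", "id": 255, "message": "DriverCommunication"},
]

SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def is_unload_anchor(event):
    """True for a FilterManager 'unloaded successfully' record (System Event ID 1)."""
    return (event["log"] == "System" and event["id"] == 1
            and event.get("provider") == "FilterManager"
            and UNLOAD_RE.search(event.get("message", "")) is not None)


def correlate(events, window=WINDOW):
    """Return one alert per minifilter unload, scored by how many of the
    README's four signals co-occur within +/- window of the unload."""
    events = sorted(events, key=parse_ts)
    alerts = []
    for anchor in (e for e in events if is_unload_anchor(e)):
        t = parse_ts(anchor)
        nearby = [e for e in events
                  if e is not anchor and t - window <= parse_ts(e) <= t + window]

        # Signal 1: Sysmon itself reports it lost its driver (Event ID 255).
        driver_error = any(e["log"] == "Sysmon" and e["id"] == 255
                           and "DriverCommunication" in e.get("message", "")
                           for e in nearby)
        # Signal 2: SeLoadDriverPrivilege granted to something other than SYSTEM.
        priv_grants = [e for e in nearby
                       if e["log"] == "Security" and e["id"] == 4672
                       and "SeLoadDriverPrivilege" in e.get("privileges", "").split()
                       and e.get("user", "").upper() != "NT AUTHORITY\\SYSTEM"]
        # Signal 3: a high-integrity process created just before the unload
        # (the README notes this is the last Sysmon event before the 255 error).
        procs = [e for e in nearby
                 if e["log"] == "Sysmon" and e["id"] == 1
                 and e.get("integrity") == "High" and parse_ts(e) <= t]

        score = 1 + driver_error + bool(priv_grants) + bool(procs)
        alerts.append({
            "time": anchor["ts"],
            "filter": UNLOAD_RE.search(anchor["message"]).group("name"),
            "sysmon_driver_error": driver_error,
            "privileged_accounts": sorted({e["user"] for e in priv_grants}),
            "suspect_image": procs[-1]["image"] if procs else None,
            "severity": SEVERITY[score],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample the 08:00 unload scores "medium" (unload plus Sysmon 255, nothing else), while the 09:15 unload scores "critical" with CORP\alice and the Downloads-path image attached. Two caveats when running this for real: an administrator performing a legitimate `sysmon -u` or upgrade from an elevated console produces the same four signals, so the 4672 account and the process image are what distinguish maintenance from tampering; and once the driver is gone, Sysmon Event ID 1 stops, so the 4688 process-creation event in the Security log is the fallback source for that signal.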

MITRE ATT&CK References: T1054, T1089
