xuanxuan0 / TiEtwAgent

Licence: other
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - ETW-based process injection detection

This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes the Microsoft-Windows-Threat-Intelligence event tracing provider as a more modern and stable alternative to user-mode hooking, with the added benefit of kernel-mode visibility.

The project depends on the microsoft/krabsetw library for ETW session setup and event consumption.

An accompanying blog post can be found here: https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection

Adding new detections

Detection functions can be added in DetectionLogic.cpp and called from detect_event(GenericEvent evt) for any source event type. Support for new event fields can be added by appending their names to the map in the GenericEvent class declaration.
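As an added example (not code from the TiEtwAgent project), the following shows the shape such a detection layer can take: a stand-in GenericEvent holding a task name and a name-to-value field map, two rules that flag cross-process executable allocations and protection changes, and a detect_event dispatcher that runs every registered rule. The task names (ALLOCVM_REMOTE, PROTECTVM_REMOTE) and field names (CallingProcessId, TargetProcessId, ProtectionMask) are assumptions for this example and do not necessarily match the project's parsed schema; the PAGE_EXECUTE* constants are the standard Windows values.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumed stand-in for the project's GenericEvent: the ETW task name plus a
// name -> value map of parsed event fields. Task and field names used below
// are assumptions for this example, not the project's schema.
struct GenericEvent {
    std::string task;
    std::map<std::string, std::string> fields;
};

// One finding produced by a detection rule.
struct DetectionResult {
    std::string rule;
    std::string detail;
};

// Read a numeric field; base 0 accepts both "1234" and "0x40". A missing or
// malformed value yields 0, which every rule below treats as "unknown".
static uint64_t field_u64(const GenericEvent& evt, const std::string& name) {
    auto it = evt.fields.find(name);
    if (it == evt.fields.end()) return 0;
    try {
        return std::stoull(it->second, nullptr, 0);
    } catch (...) {
        return 0;
    }
}

// PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
static constexpr uint64_t kExecuteMask = 0x10 | 0x20 | 0x40 | 0x80;

// True when caller and target are two distinct, known processes.
static bool is_cross_process(const GenericEvent& evt, uint64_t& caller, uint64_t& target) {
    caller = field_u64(evt, "CallingProcessId");
    target = field_u64(evt, "TargetProcessId");
    return caller != 0 && target != 0 && caller != target;
}

// Rule: executable memory allocated inside another process.
static bool detect_remote_exec_alloc(const GenericEvent& evt, DetectionResult& out) {
    if (evt.task != "ALLOCVM_REMOTE") return false;
    uint64_t caller = 0, target = 0;
    if (!is_cross_process(evt, caller, target)) return false;
    if ((field_u64(evt, "ProtectionMask") & kExecuteMask) == 0) return false;
    out.rule = "remote_executable_allocation";
    out.detail = "pid " + std::to_string(caller) + " allocated executable memory in pid " +
                 std::to_string(target);
    return true;
}

// Rule: a region in another process made executable after the fact.
static bool detect_remote_exec_protect(const GenericEvent& evt, DetectionResult& out) {
    if (evt.task != "PROTECTVM_REMOTE") return false;
    uint64_t caller = 0, target = 0;
    if (!is_cross_process(evt, caller, target)) return false;
    if ((field_u64(evt, "ProtectionMask") & kExecuteMask) == 0) return false;
    out.rule = "remote_executable_protect";
    out.detail = "pid " + std::to_string(caller) + " made memory executable in pid " +
                 std::to_string(target);
    return true;
}

// Registry of detection rules; a new rule is added by appending it here.
using DetectionFn = bool (*)(const GenericEvent&, DetectionResult&);
static const std::vector<DetectionFn> kDetections = {
    detect_remote_exec_alloc,
    detect_remote_exec_protect,
};

// Counterpart of the page's detect_event(GenericEvent evt): runs every rule
// and returns the findings (an agent would log them instead).
std::vector<DetectionResult> detect_event(const GenericEvent& evt) {
    std::vector<DetectionResult> hits;
    for (DetectionFn fn : kDetections) {
        DetectionResult r;
        if (fn(evt, r)) hits.push_back(r);
    }
    return hits;
}

int main() {
    // Constructed sample event: pid 1234 allocating RWX memory in pid 5678.
    GenericEvent sample{"ALLOCVM_REMOTE",
                        {{"CallingProcessId", "1234"},
                         {"TargetProcessId", "5678"},
                         {"ProtectionMask", "0x40"}}};
    for (const auto& hit : detect_event(sample))
        std::cout << hit.rule << ": " << hit.detail << "\n";
    return 0;
}
```

Keeping each rule as a free function with the same signature means a new detection only touches the function body and one line of the registry; field lookups stay tolerant of absent or unparsable values so a schema change degrades to "no hit" rather than a crash in the consumer thread.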

Setup instructions

Assuming you do not have a Microsoft-trusted signing certificate:

  • Put your machine in the test signing mode with bcdedit
  • Generate a self-signed certificate with ELAM and Code Signing EKU
  • Sign TiEtwAgent.exe and your ELAM driver with the certificate
  • ./TiEtwAgent install
  • net start TiEtwAgent
  • Look for logs, by default in C:\Windows\Temp\TiEtwAgent.txt

TODO

  • PPL Service, event parsing
  • First detection
  • Detection lifecycle
  • Risk based lifecycle

PS. If you do not want to write an ELAM driver, you can get one from https://github.com/pathtofile/PPLRunner/tree/main/elam_driver

Special thanks to @pathtofile for the post here: https://blog.tofile.dev/2020/12/16/elam.html
