nccgroup / DetectWindowsCopyOnWriteForAPI
Enumerate various traits from Windows processes as an aid to threat hunting
☆183Updated 2 years ago
Related projects ⓘ
Alternatives and complementary repositories for DetectWindowsCopyOnWriteForAPI
- Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider☆162Updated last year
- Experiment on reproducing Obfuscate & Sleep☆138Updated 3 years ago
- ☆206Updated 2 years ago
- Detect strange memory regions and DLLs☆168Updated 2 years ago
- ☆128Updated 2 years ago
- Building and Executing Position Independent Shellcode from Object Files in Memory☆153Updated 3 years ago
- Execute PowerShell code at the antimalware-light protection level.☆137Updated last year
- Tools and technical write-ups describing attacking techniques that rely on concealing code execution on Windows☆197Updated 2 years ago
- WTSRM☆199Updated 2 years ago
- ☆105Updated last year
- Evasive Process Hollowing Techniques☆134Updated 4 years ago
- Rogue Assembly Hunter is a utility for discovering 'interesting' .NET CLR modules in running processes.☆115Updated 2 years ago
- ☆111Updated 2 years ago
- Mochi is a proof-of-concept C++ loader that leverages the ChaiScript embedded scripting language to execute code.☆97Updated 2 years ago
- You shall pass☆248Updated 2 years ago
- different ntdll unhooking techniques : unhooking ntdll from disk, from KnownDlls, from suspended process, from remote server (fileless)☆175Updated last year
- Achieve execution using a custom keyboard layout☆161Updated last year
- A fake AMSI Provider which can be used for persistence.☆139Updated 3 years ago
- Use to copy a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.☆111Updated 3 years ago
- Project to check which Nt/Zw functions your local EDR is hooking☆179Updated 3 years ago
- Example code for EDR bypassing☆146Updated 5 years ago
- EDRSandblast-GodFault☆240Updated last year
- Files for http://blog.deniable.org/posts/windows-callbacks/☆67Updated 2 years ago
- A Poc on blocking Procmon from monitoring network events☆97Updated 2 years ago
- The code is a pingback to the Dark Vortex blog: https://0xdarkvortex.dev/hiding-memory-allocations-from-mdatp-etwti-stack-tracing/☆158Updated last year
- ☆179Updated 2 years ago