Stealthy Persistence With Non-Existent Executable File
I. INTRO One of the daily tasks of pentesters or red teamers is to establish and maintain persistence, ensuring continued access to a compromised system…
I. INTRO During penetration testing or red team activities, attackers are constantly pursued by antivirus and Endpoint Detection and Response (EDR) systems. There are…
I. LEAD-IN As we know, after an attacker gains control of a machine on the network, the most common action they take is to…
I. STARTER Currently, beyond merely avoiding scrutiny from EDR (Endpoint Detection and Response) and antivirus products, the trend of using BYOVD (Bring…
I. OVERVIEW During the penetration testing process or red team activities, attackers always need to find a safe spot to drop their payloads, and such…
I. OVERVIEW Endpoint Detection and Response (EDR) products strongly protect the locations of their own executable files. If an attacker can interfere with these locations,…
I. INTRODUCTION In previous articles, I demonstrated using Windows’ bind link feature to block or redirect Antivirus/EDR from accessing their executable folder. You can…
I. OVERVIEW Continuing the series of studies on exploiting the Bindlink API to tamper with antivirus/EDRs, this time I will use “bindflt.sys” to prevent…
I. LEAD-IN In the process of red-teaming, what we often do during lateral movement is perform remote execution through other machines in the network. Depending…
I. STARTER When conducting penetration testing on target machines, our actions are ruthlessly monitored and judged by antivirus. If deemed dangerous, our payload…