BreadBear

A PoC-ish recreation of https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/

The goal of this project was to create my own red team campaign that would emulate some of the TTPs from the above campaign analysis. During my endeavor I decided to switch from a complete mimic to substituting, excluding, or improving upon certain tactics that I deemed unnecessary. I will write an accompanying blog post, which will be linked here once it is published.

However, here are some features which I believe are worth noting for this project:

  • Initial payload delivery is done via an automatic download from a website hosted on IPFS.
  • The executed payload dynamically resolves all sensitive functions.
  • Unhooks DLLs using native APIs / syscalls and the HellsGate technique to bypass AV/EDR.
  • Deletes itself from disk while running.
  • Hides the console window.
  • Strings are obfuscated - but I was super lazy with this since it's just a PoC. Somehow it still bypasses all detection engines on antiscan.me.
  • Disables ETW.
  • Downloads a base64-encoded version of stage3 from the Discord CDN.
  • Reflectively loads stage3 in memory and executes it to launch a shell back.
  • Stage3 can be swapped between a file encryptor payload or a C2 implant, as shown in the videos below:
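From the detection side, the chain above leaves two host-observable traces that are cheap to correlate: a fresh process that fetches its next stage from a public CDN and then deletes its own image while still running. The following is an added example, not code from the BreadBear project, that correlates constructed Sysmon-style events (process create, network connect, file delete) to flag exactly that pairing; the CDN hostname, field names and sample values are assumptions made for the example.

```python
# Added detection example (not part of BreadBear). Correlates constructed
# Sysmon-style events per process: a connection to a payload-hosting CDN
# followed by deletion of the process's own executable while it is running.
from collections import defaultdict

# Constructed sample events. Field names mirror Sysmon (EventID 1 = process
# create, 3 = network connect, 23 = file delete); the values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Users\u\Downloads\stage2.exe"},
    {"EventID": 3, "ProcessId": 4242, "DestinationHostname": "cdn.discordapp.com"},
    {"EventID": 23, "ProcessId": 4242, "TargetFilename": r"C:\Users\u\Downloads\stage2.exe"},
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Program Files\App\app.exe"},
    {"EventID": 3, "ProcessId": 5100, "DestinationHostname": "cdn.discordapp.com"},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Users\u\Downloads\tool.exe"},
    {"EventID": 23, "ProcessId": 6000, "TargetFilename": r"C:\Users\u\Downloads\notes.txt"},
]

# Hostname assumed for the example; extend with whatever staging hosts you track.
STAGING_HOSTS = {"cdn.discordapp.com"}


def correlate(events):
    """Return {pid: [reasons]} for every process that shows at least one
    indicator: a staging-CDN connection or a self-delete of its own image."""
    image_of = {}              # pid -> lower-cased image path from event 1
    hits = defaultdict(list)
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            image_of[pid] = ev["Image"].lower()
        elif ev["EventID"] == 3 and ev.get("DestinationHostname") in STAGING_HOSTS:
            hits[pid].append("download from " + ev["DestinationHostname"])
        elif ev["EventID"] == 23 and ev["TargetFilename"].lower() == image_of.get(pid):
            # The deleted file is the running process's own executable.
            hits[pid].append("self-delete of running image")
    return dict(hits)


def high_confidence(events):
    """Pids that show both indicators; a legitimate CDN fetch alone (pid 5100)
    or an ordinary file delete alone (pid 6000) is not enough to alert."""
    return sorted(pid for pid, reasons in correlate(events).items() if len(reasons) == 2)
```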

Stage2 downloading and executing a stage3 payload that is a Metasploit implant from discord CDN.

malwareStage2.mp4

Stage2 downloading and executing a stage3 payload that is a file encryptor payload from the Discord CDN; Stage2 is still deleted from the Downloads folder.

stage3.mp4
Owner
BreadMan
A hacker trying to do fun stuff