References
- Process Hacker: https://processhacker.sourceforge.io/
- API Monitor: http://www.rohitab.com/apimonitor
- AMSI bypass list by S3cur3Th1sSh1t: https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
- AMSI bypass methods by Pentest Laboratories: https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
- Invoke-Obfuscation script: https://github.com/danielbohannon/Invoke-Obfuscation
- Nishang project: https://github.com/samratashok/nishang
- Powercat: https://github.com/besimorhino/powercat
- Persistence via AMSI: https://pentestlab.blog/2021/05/17/persistence-amsi/
- Threat Hunting AMSI bypasses by Pentest Laboratories: https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/
- Hunting for AMSI bypasses by F-Secure: https://blog.f-secure.com/hunting-for-amsi-bypasses/
- Tiraniddo's research on AppLocker internals (part 1): https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-1.html
- Sensitive PowerShell capabilities constrained by CLM: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/#what-does-constrained-language-constrain
- AppLocker beginners guide: https://www.hackingarticles.in/windows-applocker-policy-a-beginners-guide/
- AppLocker bypass using InstallUtil: https://www.ired.team/offensive-security/code-execution/t1118-installutil
- AppLocker bypass using MSBuild: https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
- UltimateAppLockerByPassList project (collection of AppLocker bypasses): https://github.com/api0cradle/UltimateAppLockerByPassList
- PowerShdll project, which runs PowerShell through the System.Management.Automation DLL instead of powershell.exe: https://github.com/p3nt4/PowerShdll
- PSByPassCLM project, a wrapper loaded through InstallUtil to escape CLM: https://github.com/padovah4ck/PSByPassCLM
- Bypass-CLM project, which patches the return value of the language-mode check: https://github.com/calebstewart/bypass-clm
- Bypass CLM with the help of COM: https://blog.xpnsec.com/constrained-language-mode-bypass/
- Bypass CLM by setting the lockdown-policy environment value under HKCU: https://sp00ks-git.github.io/posts/CLM-Bypass/
- AaronLocker project: https://github.com/microsoft/AaronLocker
- Deploy WDAC and AppLocker: https://improsec.com/tech-blog/one-thousand-and-one-application-blocks
- Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- Sysmon Community Guide: https://github.com/trustedsec/SysmonCommunityGuide
- Sysmon config by SwiftOnSecurity: https://github.com/SwiftOnSecurity/sysmon-config
- Sysmon config by Florian Roth: https://github.com/Neo23x0/sysmon-config
- Sysmon modular config by Olaf Hartong: https://github.com/olafhartong/sysmon-modular
- ScriptBlock Logging bypass by cobbr.io: https://cobbr.io/ScriptBlock-Logging-Bypass.html
- ScriptBlock Warning Event Logging bypass by cobbr.io: https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html
- DeepBlueCLI (SANS Blue Team): https://github.com/sans-blue-team/DeepBlueCLI
- PowerShell logging, obfuscation and some newish bypasses, part 1 (BC Security): https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-1/
- PowerShell logging, obfuscation and some newish bypasses, part 2 (BC Security): https://www.bc-security.org/post/powershell-logging-obfuscation-and-some-newish-bypasses-part-2/
- PowerShell Protect module and logging bypasses (Ironman Software): https://blog.ironmansoftware.com/protect-logging-bypass/
- Bypass of EnableTranscripting: https://avantguard.io/en/blog/powershell-enhanced-logging-capabilities-bypass
- Invisi-Shell tool (repository and talk recording): https://github.com/OmerYa/Invisi-Shell and https://www.youtube.com/watch?v=Y3oMEiySxcc
- Stracciatella tool: https://github.com/mgeeky/Stracciatella
- Detecting Sysmon on the victim host (ired.team): https://www.ired.team/offensive-security/enumeration-and-discovery/detecting-sysmon-on-the-victim-host
- Sysmon tampering by Olaf Hartong: https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9
- Phant0m tool: https://github.com/hlldz/Phant0m
- SysmonQuiet: https://github.com/ScriptIdiot/SysmonQuiet
- SysmonEnte: https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
- Shhmon: https://github.com/matterpreter/Shhmon
- ETW beginner’s guide: https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
- Detect malicious usage of .NET part 1: https://blog.f-secure.com/detecting-malicious-use-of-net-part-1/
- Detect malicious usage of .NET part 2: https://blog.f-secure.com/detecting-malicious-use-of-net-part-2/
- SilkETW: https://github.com/mandiant/SilkETW
- Seatbelt: https://github.com/GhostPack/Seatbelt
- ConfuserEx: https://github.com/mkaring/ConfuserEx
- Bypass ETW by neutering the EtwEventWrite API: https://whiteknightlabs.com/2021/12/11/bypassing-etw-for-fun-and-profit/
- Patch EtwEventWrite API: https://blog.xpnsec.com/hiding-your-dotnet-etw/
- TamperETW: https://github.com/outflanknl/TamperETW
- Evade ETW and AMSI: https://pre.empt.blog/2023/maelstrom-6-working-with-amsi-and-etw-for-red-and-blue
- Tampering with Windows Event Tracing (Palantir): https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63