{"id":24889,"date":"2022-05-29T05:45:00","date_gmt":"2022-05-29T05:45:00","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=24889"},"modified":"2022-05-23T06:18:57","modified_gmt":"2022-05-23T06:18:57","slug":"edrsandblast","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/","title":{"rendered":"EDRSandblast : Tool That Weaponizes A Vulnerable Signed Driver To Bypass EDR Detections And LSASS Protection"},"content":{"rendered":"\n<p><code><strong>EDRSandBlast<\/strong><\/code>&nbsp;is a tool written in&nbsp;<strong><code>C<\/code><\/strong>&nbsp;that weaponizes a vulnerable signed driver to bypass EDR detections (Kernel callbacks and the&nbsp;<code><strong>ETW TI<\/strong><\/code>&nbsp;provider) and&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.<\/p>\n\n\n\n<p>As of release, a combination of userland (<code><strong>--usermode<\/strong><\/code>) and Kernel-land (<code><strong>--kernelmode<\/strong><\/code>) techniques was used to dump&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;memory under EDR scrutiny, without being blocked or generating &#8220;OS Credential Dumping&#8221;-related events in the product (cloud) console. 
The tests were performed on 3 distinct EDR products and were successful in each case.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#description\"><\/a>Description<\/h2>\n\n\n\n<h3 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#edr-bypass-through-kernel-callbacks-removal\"><\/a>EDR bypass through Kernel callbacks removal<\/h3>\n\n\n\n<p>EDR products use Kernel callbacks on Windows to be notified by the kernel of system activity, such as process and thread creation and loading of images (<strong><code>exe<\/code>&nbsp;\/&nbsp;<code>DLL<\/code><\/strong>).<\/p>\n\n\n\n<p>The Kernel callbacks are defined from user-land using a number of documented APIs (<strong><code>nt!PsSetCreateProcessNotifyRoutine<\/code>,&nbsp;<code>nt!PsSetCreateThreadNotifyRoutine<\/code><\/strong>, etc.). The user-land APIs add driver-supplied callback routines to undocumented arrays of routines in Kernel-space:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><code><strong>PspCreateProcessNotifyRoutine<\/strong><\/code>&nbsp;for process creation<\/li><li><code><strong>PspCreateThreadNotifyRoutine<\/strong><\/code>&nbsp;for thread creation<\/li><li><code><strong>PspLoadImageNotifyRoutine<\/strong><\/code>&nbsp;for image loading<\/li><\/ul>\n\n\n\n<p><code><strong>EDRSandBlast<\/strong><\/code>&nbsp;enumerates the routines defined in those arrays and removes any callback routine linked to a predefined list of EDR drivers (more than 1000 drivers of security products from the&nbsp;allocated filter altitudes). The enumeration and removal are made possible through the exploitation of an arbitrary Kernel memory read \/ write vulnerability of the&nbsp;<code><strong>Micro-Star MSI Afterburner<\/strong><\/code>&nbsp;driver (<code><strong>CVE-2019-16098<\/strong><\/code>). 
The enumeration and removal code is largely inspired by&nbsp;br-sn&#8217;s CheekyBlinder project.<\/p>\n\n\n\n<p>The offsets of the aforementioned arrays are hardcoded in the&nbsp;<code><strong>NtoskrnlOffsets.csv<\/strong><\/code>&nbsp;file for more than 350 versions of the Windows Kernel&nbsp;<code><strong>ntoskrnl.exe<\/strong><\/code>. The choice of going with hardcoded offsets instead of pattern searches is justified by the fact that the undocumented APIs responsible for Kernel callbacks addition \/ removal are subject to change and that any attempt to write Kernel memory at the wrong address may (and often will) result in a&nbsp;<code><strong>Bug Check<\/strong><\/code>&nbsp;(<code><strong>Blue Screen of Death<\/strong><\/code>). For more information on how the offsets were gathered, refer to the&nbsp;Offsets section.<\/p>\n\n\n\n<h3 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#edr-bypass-through-deactivation-of-the-etw-microsoft-windows-threat-intelligence-provider\"><\/a>EDR bypass through deactivation of the ETW Microsoft-Windows-Threat-Intelligence provider<\/h3>\n\n\n\n<p>The&nbsp;<code><strong>ETW Microsoft-Windows-Threat-Intelligence<\/strong><\/code>&nbsp;provider logs data about the use of some Windows APIs commonly used maliciously. 
This includes the&nbsp;<code><strong>nt!MiReadWriteVirtualMemory<\/strong><\/code>&nbsp;API, called by&nbsp;<code><strong>nt!NtReadVirtualMemory<\/strong><\/code>&nbsp;(which is used to dump&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;memory) and monitored by the&nbsp;<code><strong>nt!EtwTiLogReadWriteVm<\/strong><\/code>&nbsp;function.<\/p>\n\n\n\n<p>EDR products can consume the logs produced by the&nbsp;<code><strong>ETW TI<\/strong><\/code>&nbsp;provider through services or processes running as, respectively,&nbsp;<code><strong>SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT<\/strong><\/code>&nbsp;or&nbsp;<code><strong>PS_PROTECTED_ANTIMALWARE_LIGHT<\/strong><\/code>, and associated with an&nbsp;<code><strong>Early Launch Anti Malware (ELAM)<\/strong><\/code>&nbsp;driver.<\/p>\n\n\n\n<p>As published by&nbsp;<code><strong>slaeryan<\/strong><\/code>&nbsp;in a&nbsp;<code><strong>CNO Development Labs<\/strong><\/code>&nbsp;blog post, the&nbsp;<code><strong>ETW TI<\/strong><\/code>&nbsp;provider can be disabled altogether by patching, in kernel memory, its&nbsp;<code><strong>ProviderEnableInfo<\/strong><\/code>&nbsp;attribute to&nbsp;<code><strong>0x0<\/strong><\/code>. 
Refer to the great aforementioned blog post for more information on the technique.<\/p>\n\n\n\n<p>Similarly to the Kernel callbacks removal, the necessary&nbsp;<code><strong>ntoskrnl.exe<\/strong><\/code>&nbsp;offsets (<strong><code>nt!EtwThreatIntProvRegHandleOffset<\/code>,&nbsp;<code>_ETW_REG_ENTRY<\/code>&#8217;s&nbsp;<code>GuidEntry<\/code><\/strong>, and&nbsp;<strong><code>_ETW_GUID_ENTRY<\/code>&#8217;s&nbsp;<code>ProviderEnableInfo<\/code><\/strong>) are hardcoded in the&nbsp;<code><strong>NtoskrnlOffsets.csv<\/strong><\/code>&nbsp;file for a number of Windows Kernel versions.<\/p>\n\n\n\n<h3 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#edr-bypass-through-userland-hooking-bypass\"><\/a>EDR bypass through userland hooking bypass<\/h3>\n\n\n\n<h4 class=\"has-text-align-center wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#how-userland-hooking-works\"><\/a>How userland hooking works<\/h4>\n\n\n\n<p>In order to easily monitor actions that are performed by processes, EDR products often deploy a mechanism called&nbsp;<em>userland hooking<\/em>. First, EDR products register a kernel callback (usually&nbsp;<em>image loading<\/em>&nbsp;or&nbsp;<em>process creation<\/em>&nbsp;callbacks, see above) that allows them to be notified upon each process start.<\/p>\n\n\n\n<p>When a process is loaded by Windows, and before it actually starts, the EDR is able to inject some custom DLL into the process address space, which contains its monitoring logic. While loading, this DLL injects &#8220;<em>hooks<\/em>&#8221; at the start of every function that is to be monitored by the EDR. 
At runtime, when the monitored functions are called by the process under surveillance, these hooks redirect the control flow to some supervision code present in the EDR&#8217;s DLL, which allows it to inspect the arguments and return values of these calls.<\/p>\n\n\n\n<p>Most of the time, monitored functions are system calls (such as&nbsp;<strong><code>NtReadVirtualMemory<\/code>,&nbsp;<code>NtOpenProcess<\/code><\/strong>, etc.), whose implementations reside in&nbsp;<code><strong>ntdll.dll<\/strong><\/code>. Intercepting calls to&nbsp;<code><strong>Nt*<\/strong><\/code>&nbsp;functions allows products to be as close as possible to the userland \/ kernel-land boundary (while remaining in userland), but functions from some higher-level DLLs may also be monitored.<\/p>\n\n\n\n<p>Below are examples of the same function, before and after being hooked by the EDR product:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>NtProtectVirtualMemory proc near<br>mov r10, rcx<br>mov eax, 50h<br>test byte ptr ds:7FFE0308h, 1<br>jnz short loc_18009D1E5<br>syscall<br>retn<br>loc_18009D1E5:<br>int 2Eh<br>retn<br>NtProtectVirtualMemory endp<\/strong><\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>NtProtectVirtualMemory proc near<br>jmp sub_7FFC74490298 ; --&gt; &#8220;hook&#8221;, jump to EDR analysis function<br>int 3 ; overwritten instructions<br>int 3 ; overwritten instructions<br>int 3 ; overwritten instructions<br>test byte_7FFE0308, 1 ; &lt;-- execution resumes here after analysis<br>jnz short loc_7FFCB44AD1E5<br>syscall<br>retn<br>loc_7FFCB44AD1E5:<br>int 2Eh<br>retn<br>NtProtectVirtualMemory endp<\/strong><\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\">Hooks detection<\/h4>\n\n\n\n<p>Userland hooks have the &#8220;weakness&#8221; of being located in userland memory, which means 
they are directly observable and modifiable by the process under scrutiny. To automatically detect hooks in the process address space, the main idea is to compare the original DLL on disk with the library residing in memory, which may have been altered by an EDR. To perform this comparison, the following steps are followed by EDRSandblast:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The list of all loaded DLLs is enumerated thanks to the&nbsp;<code><strong>InLoadOrderModuleList<\/strong><\/code>&nbsp;located in the&nbsp;<code><strong>PEB<\/strong><\/code>&nbsp;(to avoid calling any API that could be monitored and look suspicious)<\/li><li>For each loaded DLL, its content on disk is read and its headers parsed. The corresponding library, residing in memory, is also parsed to identify sections, exports, etc.<\/li><li>Relocations of the DLL are parsed and applied, taking the base address of the corresponding loaded library into account. This gives the in-memory library and the DLL read from disk the exact same content (in sections where relocations are applied), making the comparison reliable.<\/li><li>Exported functions are enumerated and the first bytes of the &#8220;in-memory&#8221; and &#8220;on-disk&#8221; versions are compared. 
Any difference indicates an alteration that has been made after the DLL was loaded, and is thus very probably an EDR hook.<\/li><\/ul>\n\n\n\n<p>Note: The process can be generalized to find differences anywhere in non-writable sections and not only at the start of exported functions, for example if EDR products start to apply hooks in the middle of functions \ud83d\ude42 Though not used by the tool, this has been implemented in&nbsp;<code><strong>findDiffsInNonWritableSections<\/strong><\/code>.<\/p>\n\n\n\n<p>In order to bypass the monitoring performed by these hooks, multiple techniques are possible, and each has benefits and drawbacks.<\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#hook-bypass-using--unhooking\"><\/a>Hook bypass using &#8230; unhooking<\/h4>\n\n\n\n<p>The most intuitive method to bypass the hook-based monitoring is to remove the hooks. Since the hooks are present in memory that is reachable by the process itself, to remove a hook, the process can simply:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Change the permissions on the page where the hook is located (RX -&gt; RWX or RW)<\/li><li>Write the original bytes that are known thanks to the on-disk DLL content<\/li><li>Change back the permissions to RX<\/li><\/ul>\n\n\n\n<p>This approach is fairly simple, and can be used to remove every detected hook all at once. Performed by an offensive tool at its beginning, this allows the rest of the code to be completely unaware of the hooking mechanism and perform normally without being monitored.<\/p>\n\n\n\n<p>However, it has two main drawbacks. The EDR is probably monitoring the use of&nbsp;<code>NtProtectVirtualMemory<\/code>, so using it to change the permissions of the page where the hooks have been installed is (at least conceptually) a bad idea. 
Also, if the EDR runs a thread that periodically checks the integrity of the hooks, this could also trigger a detection.<\/p>\n\n\n\n<p>For implementation details, check the&nbsp;<code><strong>unhook()<\/strong><\/code>&nbsp;function&#8217;s code path when&nbsp;<code><strong>unhook_method<\/strong><\/code>&nbsp;is&nbsp;<code><strong>UNHOOK_WITH_NTPROTECTVIRTUALMEMORY<\/strong><\/code>.<\/p>\n\n\n\n<p><strong>Important note: for simplicity, this technique is implemented in EDRSandblast as the base technique used to&nbsp;<em>showcase<\/em>&nbsp;the other bypass techniques; each of them demonstrates how to obtain an unmonitored version of&nbsp;<code>NtProtectVirtualMemory<\/code>, but performs the same operation afterward (unhooking a specific hook).<\/strong><\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#hook-bypass-using-a-custom-trampoline\"><\/a>Hook bypass using a custom trampoline<\/h4>\n\n\n\n<p>To bypass a specific hook, it is possible to simply &#8220;jump over&#8221; it and execute the rest of the function as is. First, the original bytes of the monitored function, which have been overwritten by the EDR to install the hook, must be recovered from the DLL file. In our previous code example, this would be the bytes corresponding to the following instructions:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>mov r10, rcx<br>mov eax, 50h<\/strong><\/p>\n\n\n\n<p>Identifying these bytes is a simple task since we are able to perform a clean&nbsp;<em>diff<\/em>&nbsp;of both the memory and disk versions of the library, as previously described. 
Then, we assemble a jump instruction built to redirect the control flow to the code immediately following the hook, at address&nbsp;<code><strong>NtProtectVirtualMemory + sizeof(overwritten_instructions)<\/strong><\/code>:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>jmp NtProtectVirtualMemory+8<\/strong><\/p>\n\n\n\n<p>Finally, we concatenate these opcodes, store them in (newly) executable memory and keep a pointer to them. This object is called a &#8220;<em>trampoline<\/em>&#8221; and can then be used as a function pointer, strictly equivalent to the original&nbsp;<code><strong>NtProtectVirtualMemory<\/strong><\/code>&nbsp;function.<\/p>\n\n\n\n<p>The main benefit of this technique, as for every technique below, is that the hook is never erased, so any integrity check performed on the hooks by the EDR should pass. However, it requires allocating writable, then executable, memory, which is typical of a shellcode allocation, thus attracting the EDR&#8217;s scrutiny.<\/p>\n\n\n\n<p>For implementation details, check the&nbsp;<code><strong>unhook()<\/strong><\/code>&nbsp;function&#8217;s code path when&nbsp;<code><strong>unhook_method<\/strong><\/code>&nbsp;is&nbsp;<code><strong>UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE<\/strong><\/code>. Please remember the technique is only showcased in our implementation and is, in the end, used to&nbsp;<strong>remove<\/strong>&nbsp;hooks from memory, as is every technique below.<\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#hook-bypass-using-the-own-edrs-trampoline\"><\/a>Hook bypass using the EDR&#8217;s own trampoline<\/h4>\n\n\n\n<p>The EDR product, in order for its hook to work, must save somewhere in memory the opcodes that it has removed. 
Worse (<em>or &#8220;better&#8221;, from the attacker&#8217;s point of view<\/em>), to effectively use the original instructions the EDR has probably allocated itself a&nbsp;<em>trampoline<\/em>&nbsp;somewhere to execute the original function after having intercepted the call.<\/p>\n\n\n\n<p>This trampoline can be searched for and used as a replacement for the hooked function, without the need to allocate executable memory, or call any API except&nbsp;<code><strong>VirtualQuery<\/strong><\/code>, which, being an innocuous function, is most likely not monitored.<\/p>\n\n\n\n<p>To find the trampoline in memory, we browse the whole address space using&nbsp;<code><strong>VirtualQuery<\/strong><\/code>&nbsp;looking for committed and executable memory. For each such region of memory, we scan it to look for a jump instruction that targets the address following the overwritten instructions (<code><strong>NtProtectVirtualMemory+8<\/strong><\/code>&nbsp;in our previous example). The trampoline can then be used to call the hooked function without triggering the hook.<\/p>\n\n\n\n<p>This technique works surprisingly well as it recovers nearly all trampolines on the tested EDRs. For implementation details, check the&nbsp;<code><strong>unhook()<\/strong><\/code>&nbsp;function&#8217;s code path when&nbsp;<code><strong>unhook_method<\/strong><\/code>&nbsp;is&nbsp;<code><strong>UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE<\/strong><\/code>.<\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#hook-bypass-using-duplicate-dll\"><\/a>Hook bypass using a duplicate DLL<\/h4>\n\n\n\n<p>Another simple method to get access to an unmonitored version of the&nbsp;<code><strong>NtProtectVirtualMemory<\/strong><\/code>&nbsp;function is to load a duplicate version of the&nbsp;<code><strong>ntdll.dll<\/strong><\/code>&nbsp;library into the process address space. 
Since two identical DLLs can be loaded in the same process, provided they have different names, we can simply copy the legitimate&nbsp;<code><strong>ntdll.dll<\/strong><\/code>&nbsp;file into another location, load it using&nbsp;<code><strong>LoadLibrary<\/strong><\/code>&nbsp;(or reimplement the loading process), and access the function using&nbsp;<code><strong>GetProcAddress<\/strong><\/code>, for example.<\/p>\n\n\n\n<p>This technique is very simple to understand and implement, and has a decent chance of success, since most EDR products do not re-install hooks on newly loaded DLLs once the process is running. However, the major drawback is that copying Microsoft-signed binaries under a different name is itself often considered suspicious by EDR products.<\/p>\n\n\n\n<p>This technique is nevertheless implemented in&nbsp;<code><strong>EDRSandblast<\/strong><\/code>. For implementation details, check the&nbsp;<code><strong>unhook()<\/strong><\/code>&nbsp;function&#8217;s code path when&nbsp;<code><strong>unhook_method<\/strong><\/code>&nbsp;is&nbsp;<code><strong>UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY<\/strong><\/code>.<\/p>\n\n\n\n<h4 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#hook-bypass-using-direct-syscalls\"><\/a>Hook bypass using direct syscalls<\/h4>\n\n\n\n<p>In order to use system-call-related functions, a program can reimplement the syscalls (in assembly) to invoke the corresponding OS features without actually touching the code in&nbsp;<code><strong>ntdll.dll<\/strong><\/code>, which might be monitored by the EDR. This completely bypasses any userland hooking done on syscall functions in&nbsp;<code><strong>ntdll.dll<\/strong><\/code>.<\/p>\n\n\n\n<p>This nevertheless has some drawbacks. First, this requires knowing the syscall numbers of the functions the program needs, which change with each version of Windows. 
Also, functions that are not technically syscalls (e.g.&nbsp;<strong><code>LoadLibraryX<\/code>\/<code>LdrLoadDLL<\/code><\/strong>) could be monitored as well, and cannot simply be reimplemented using a syscall.<\/p>\n\n\n\n<p>This technique is implemented in EDRSandblast. As previously stated, it is only used to execute&nbsp;<code><strong>NtProtectVirtualMemory<\/strong><\/code>&nbsp;safely, and remove all detected hooks. However, in order not to rely on hardcoded offsets, a small heuristic is implemented to search for a&nbsp;<code><strong>mov eax, imm32<\/strong><\/code>&nbsp;instruction at the start of the&nbsp;<code><strong>NtProtectVirtualMemory<\/strong><\/code>&nbsp;function and recover the syscall number from it if found (otherwise relying on hardcoded offsets for known Windows versions).<\/p>\n\n\n\n<p>For implementation details, check the&nbsp;<code><strong>unhook()<\/strong><\/code>&nbsp;function&#8217;s code path when&nbsp;<code><strong>unhook_method<\/strong><\/code>&nbsp;is&nbsp;<code><strong>UNHOOK_WITH_DIRECT_SYSCALL<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#runasppl-bypass\"><\/a>RunAsPPL bypass<\/h3>\n\n\n\n<p>The&nbsp;<code><strong>Local Security Authority (LSA) Protection<\/strong><\/code>&nbsp;mechanism, first introduced in Windows 8.1 and Windows Server 2012 R2, leverages the&nbsp;<code><strong>Protected Process Light (PPL)<\/strong><\/code>&nbsp;technology to restrict access to the&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;process. The&nbsp;<code><strong>PPL<\/strong><\/code>&nbsp;protection regulates and restricts operations, such as memory injection or memory dumping of protected processes, even from a process holding the&nbsp;<code><strong>SeDebugPrivilege<\/strong><\/code>&nbsp;privilege. 
Under the process protection model, only processes running with higher protection levels can perform operations on protected processes.<\/p>\n\n\n\n<p>The&nbsp;<code><strong>_EPROCESS<\/strong><\/code>&nbsp;structure, used by the Windows kernel to represent a process in kernel memory, includes a&nbsp;<code><strong>_PS_PROTECTION<\/strong><\/code>&nbsp;field defining the protection level of a process through its&nbsp;<strong><code>Type<\/code>&nbsp;(<code>_PS_PROTECTED_TYPE<\/code>)<\/strong> and&nbsp;<strong><code>Signer<\/code>&nbsp;(<code>_PS_PROTECTED_SIGNER<\/code>)<\/strong> attributes.<\/p>\n\n\n\n<p>By writing in kernel memory, the EDRSandblast process is able to upgrade its own protection level to&nbsp;<code><strong>PsProtectedSignerWinTcb-Light<\/strong><\/code>. This level is sufficient to dump the&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;process memory, since it &#8220;dominates&#8221;&nbsp;<code><strong>PsProtectedSignerLsa-Light<\/strong><\/code>, the protection level of the&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;process running with the&nbsp;<code><strong>RunAsPPL<\/strong><\/code>&nbsp;mechanism.<\/p>\n\n\n\n<p><code><strong>EDRSandBlast<\/strong><\/code>&nbsp;implements the self protection as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>open a handle to the current process<\/li><li>leak all system handles using&nbsp;<code><strong>NtQuerySystemInformation<\/strong><\/code>&nbsp;to find the opened handle on the current process, and the address of the current process&#8217;&nbsp;<code><strong>EPROCESS<\/strong><\/code>&nbsp;structure in kernel memory.<\/li><li>use the arbitrary read \/ write vulnerability of the&nbsp;<code><strong>Micro-Star MSI Afterburner<\/strong><\/code>&nbsp;driver to overwrite the&nbsp;<code><strong>_PS_PROTECTION<\/strong><\/code>&nbsp;field of the current process in kernel memory. 
The offsets of the&nbsp;<code><strong>_PS_PROTECTION<\/strong><\/code>&nbsp;field relative to the&nbsp;<code><strong>EPROCESS<\/strong><\/code>&nbsp;structure (defined by the&nbsp;<code><strong>ntoskrnl<\/strong><\/code>&nbsp;version in use) are hardcoded in the&nbsp;<code><strong>NtoskrnlOffsets.csv<\/strong><\/code>&nbsp;file.<\/li><\/ul>\n\n\n\n<h3 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#credential-guard-bypass\"><\/a>Credential Guard bypass<\/h3>\n\n\n\n<p>Microsoft&nbsp;<code><strong>Credential Guard<\/strong><\/code>&nbsp;is a virtualization-based isolation technology, introduced in Microsoft&#8217;s&nbsp;<code><strong>Windows 10 (Enterprise edition)<\/strong><\/code>, which prevents direct access to the credentials stored in the&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;process.<\/p>\n\n\n\n<p>When&nbsp;<code><strong>Credential Guard<\/strong><\/code>&nbsp;is activated, an&nbsp;<code><strong>LSAIso<\/strong><\/code>&nbsp;(<em>LSA Isolated<\/em>) process is created in&nbsp;<code><strong>Virtual Secure Mode<\/strong><\/code>, a feature that leverages the virtualization extensions of the CPU to provide added security for data in memory. Access to the&nbsp;<code><strong>LSAIso<\/strong><\/code>&nbsp;process is restricted even for the&nbsp;<code><strong>NT AUTHORITY\\SYSTEM<\/strong><\/code>&nbsp;security context. When processing a hash, the&nbsp;<code><strong>LSA<\/strong><\/code>&nbsp;process performs an&nbsp;<code><strong>RPC<\/strong><\/code>&nbsp;call to the&nbsp;<code><strong>LSAIso<\/strong><\/code>&nbsp;process, and waits for the&nbsp;<code><strong>LSAIso<\/strong><\/code>&nbsp;result to continue. 
Thus, the&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;process won&#8217;t contain any secrets and will instead store&nbsp;<code><strong>LSA Isolated Data<\/strong><\/code>.<\/p>\n\n\n\n<p>As stated in the original research conducted by&nbsp;<code><strong>N4kedTurtle<\/strong><\/code>: &#8220;<code><strong>Wdigest<\/strong><\/code>&nbsp;can be enabled on a system with Credential Guard by patching the values of&nbsp;<code><strong>g_fParameter_useLogonCredential<\/strong><\/code>&nbsp;and&nbsp;<code><strong>g_IsCredGuardEnabled<\/strong><\/code>&nbsp;in memory&#8221;. The activation of&nbsp;<code><strong>Wdigest<\/strong><\/code>&nbsp;will result in cleartext credentials being stored in&nbsp;<code><strong>LSASS<\/strong><\/code>&nbsp;memory for any new interactive logons (without requiring a reboot of the system). Refer to the&nbsp;original research blog post&nbsp;for more details on this technique.<\/p>\n\n\n\n<p><code><strong>EDRSandBlast<\/strong><\/code>&nbsp;simply makes the original PoC a little more opsec friendly and provides support for a number of&nbsp;<code><strong>wdigest.dll<\/strong><\/code>&nbsp;versions (through hardcoded offsets for&nbsp;<code><strong>g_fParameter_useLogonCredential<\/strong><\/code>&nbsp;and&nbsp;<code><strong>g_IsCredGuardEnabled<\/strong><\/code>).<\/p>\n\n\n\n<h3 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#ntoskrnl-and-wdigest-offsets\"><\/a>ntoskrnl and wdigest offsets<\/h3>\n\n\n\n<p>The required&nbsp;<code><strong>ntoskrnl.exe<\/strong><\/code>&nbsp;and&nbsp;<code><strong>wdigest.dll<\/strong><\/code>&nbsp;offsets (mentioned above) are extracted using&nbsp;<code><strong>r2pipe<\/strong><\/code>, as implemented in the&nbsp;<code><strong>ExtractOffsets.py<\/strong><\/code>&nbsp;<code><strong>Python<\/strong><\/code>&nbsp;script. 
In order to support more Windows versions, the&nbsp;<code><strong>ntoskrnl.exe<\/strong><\/code>&nbsp;and&nbsp;<code><strong>wdigest.dll<\/strong><\/code>&nbsp;referenced by&nbsp;Winbindex&nbsp;can be automatically downloaded (and their offsets extracted). This allows extracting offsets from nearly all files that were ever published in Windows update packages (to date 350+&nbsp;<code><strong>ntoskrnl.exe<\/strong><\/code>&nbsp;and 30+&nbsp;<code><strong>wdigest.dll<\/strong><\/code>&nbsp;versions).<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#usage\"><\/a>Usage<\/h2>\n\n\n\n<p>The vulnerable&nbsp;<code><strong>RTCore64.sys<\/strong><\/code>&nbsp;driver can be retrieved at:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>http:\/\/download-eu2.guru3d.com\/afterburner\/%5BGuru3D.com%5D-MSIAfterburnerSetup462Beta2.zip<\/strong><\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\">Quick usage<\/h2>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--service ] [--nt-offsets ] [--wdigest-offsets ] [--add-dll ]* [-o | --dump-output ]<\/strong><\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\">Options<\/h2>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>-h | --help Show this help message and exit.<br>-v | --verbose Enable a more verbose output.<br>Actions mode:<br>audit Display the 
user-land hooks and \/ or Kernel callbacks without taking actions.<br>dump Dump the LSASS process, by default as 'lsass' in the current directory or at the<br>specified file using -o | --output .<br>cmd Open a cmd.exe prompt.<br>credguard Patch the LSASS process' memory to enable Wdigest cleartext passwords caching even if<br>Credential Guard is enabled on the host. No kernel-land actions required.<br>--usermode Perform user-land operations (DLL unhooking).<br>--kernelmode Perform kernel-land operations (Kernel callbacks removal and ETW TI disabling).<br>--unhook-method<br>Choose the userland un-hooking technique, from the following:<br>1 (Default) Uses the (probably monitored) NtProtectVirtualMemory function in ntdll to remove all<br>present userland hooks.<br>2 Constructs an 'unhooked' (i.e. unmonitored) version of NtProtectVirtualMemory, by<br>allocating an executable trampoline jumping over the hook, and remove all present<br>userland hooks.<br>3 Searches for an existing trampoline allocated by the EDR itself, to get an 'unhooked'<br>(i.e. 
unmonitored) version of NtProtectVirtualMemory, and remove all present userland<br>hooks.<br>4 Loads an additional version of ntdll library into memory, and use the (hopefully<br>unmonitored) version of NtProtectVirtualMemory present in this library to remove all<br>present userland hooks.<br>5 Allocates a shellcode that uses a direct syscall to call NtProtectVirtualMemory,<br>and uses it to remove all detected hooks<br>Other options:<br>--dont-unload-driver Keep the Micro-Star MSI Afterburner vulnerable driver installed on the host<br>Default to automatically uninstall the driver.<br>--dont-restore-callbacks Do not restore the EDR drivers' Kernel Callbacks that were removed.<br>Default to restore the callbacks.<br>--driver Path to the Micro-Star MSI Afterburner vulnerable driver file.<br>Default to 'RTCore64.sys' in the current directory.<br>--service Name of the vulnerable service to install \/ start.<br>--nt-offsets Path to the CSV file containing the required ntoskrnl.exe's offsets.<br>Default to 'NtoskrnlOffsets.csv' in the current directory.<br>--wdigest-offsets Path to the CSV file containing the required wdigest.dll's offsets<br>(only for the 'credguard' mode).<br>Default to 'WdigestOffsets.csv' in the current directory.<br>--add-dll Loads arbitrary libraries into the process' address space, before starting<br>anything. This can be useful to audit userland hooking for DLLs that are not<br>loaded by default by this program. 
Use this option multiple times to load<br>multiple DLLs all at once.<br>Example of interesting DLLs to look at: user32.dll, ole32.dll, crypt32.dll,<br>samcli.dll, winhttp.dll, urlmon.dll, secur32.dll, shell32.dll\u2026<br>-o | --output Output path to the dump file that will be generated by the &#8216;dump&#8217; mode.<br>Defaults to &#8216;lsass&#8217; in the current directory.<\/strong><\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Build<\/h3>\n\n\n\n<p><code><strong>EDRSandBlast<\/strong><\/code>&nbsp;(x64 only) was built on Visual Studio 2019 (Windows SDK Version:&nbsp;<strong><code>10.0.19041.0<\/code><\/strong>&nbsp;and Platform Toolset:&nbsp;<code><strong>Visual Studio 2019 (v142)<\/strong><\/code>).<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#extractoffsetspy-usage\"><\/a>ExtractOffsets.py usage<\/h3>\n\n\n\n<p>Note that&nbsp;<code><strong>ExtractOffsets.py<\/strong><\/code>&nbsp;has only been tested on Windows.<\/p>\n\n\n\n<h1 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\">Installation of Python dependencies<\/h1>\n\n\n\n<p><code>pip.exe install -r .\\requirements.txt<\/code><\/p>\n\n\n\n<h1 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\">Script usage<\/h1>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>ExtractOffsets.py [-h] -i INPUT [-o OUTPUT] [-d] mode<br>positional arguments:<br>mode ntoskrnl or wdigest. 
Mode to download and extract offsets for either ntoskrnl or wdigest<br>optional arguments:<br>-h, --help show this help message and exit<br>-i INPUT, --input INPUT<br>Single file or directory containing ntoskrnl.exe \/ wdigest.dll to extract offsets from.<br>If in download mode, the PE downloaded from MS symbol servers will be placed in this folder.<br>-o OUTPUT, --output OUTPUT<br>CSV file to write offsets to. If the specified file already exists, only new ntoskrnl versions will be<br>downloaded \/ analyzed.<br>Defaults to NtoskrnlOffsets.csv \/ WdigestOffsets.csv in the current folder.<br>-d, --dowload Flag to download the PE from Microsoft servers using the list of versions from winbindex.m417z.com.<\/strong><\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background wp-block-heading\">Detection<\/h2>\n\n\n\n<p>From the defender&#8217;s point of view (EDR vendor, Microsoft, SOC analysts looking at the EDR&#8217;s telemetry, &#8230;), multiple indicators can be used to detect or prevent this kind of technique.<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#driver-whitelisting\"><\/a>Driver whitelisting<\/h3>\n\n\n\n<p>Since every action performed by the tool in kernel-mode memory relies on a vulnerable driver to read\/write arbitrary content, driver loading events should be heavily scrutinized by EDR products (or SOC analysts), which should raise an alert on any uncommon driver load, or even block known vulnerable drivers. 
This latter approach is even&nbsp;recommended by Microsoft themselves: any HVCI (<em>Hypervisor-protected code integrity<\/em>)-enabled Windows device embeds a driver blocklist, and this will progressively become the default behaviour on Windows (it already is on Windows 11).<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#kernel-memory-integrity-checks\"><\/a>Kernel-memory integrity checks<\/h3>\n\n\n\n<p>Since an attacker could still use an unknown vulnerable driver to perform the same actions in memory, the EDR driver could periodically check that its kernel callbacks are still registered, either directly by inspecting kernel memory (like this tool does), or simply by triggering events (process creation, thread creation, image loading, etc.) and checking that the callback functions are indeed called by the executive kernel.<\/p>\n\n\n\n<p>As a side note, this type of data structure could be protected via the recent&nbsp;Kernel Data Protection (KDP)&nbsp;mechanism, which relies on Virtualization-based Security, in order to make the kernel callbacks array non-writable without calling the right APIs.<\/p>\n\n\n\n<p>The same logic could apply to sensitive ETW variables such as the&nbsp;<code><strong>ProviderEnableInfo<\/strong><\/code>, abused by this tool to disable the generation of ETW Threat Intelligence events.<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast#user-mode-detection\"><\/a>User-mode detection<\/h3>\n\n\n\n<p>The first indicator that a process is actively trying to evade user-land hooking is file access to the on-disk DLL of each loaded module; in normal execution, a userland process rarely needs to read DLL files outside of a&nbsp;<code><strong>LoadLibrary<\/strong><\/code>&nbsp;call, especially&nbsp;<strong><code>ntdll.dll<\/code>.<\/strong><\/p>\n\n\n\n<p>In order to protect API hooking from being 
bypassed, EDR products could periodically check that hooks have not been altered in memory, inside each monitored process.<\/p>\n\n\n\n<p>Finally, to detect hooking bypasses (abusing a trampoline, using direct syscalls, etc.) that do not involve removing the hooks, EDR products could potentially rely on the kernel callbacks associated with the abused syscalls (ex.&nbsp;<code><strong>PsCreateProcessNotifyRoutine<\/strong><\/code>&nbsp;for the&nbsp;<code><strong>NtCreateProcess<\/strong><\/code>&nbsp;syscall,&nbsp;<code><strong>ObRegisterCallbacks<\/strong><\/code>&nbsp;for the&nbsp;<code><strong>NtOpenProcess<\/strong><\/code>&nbsp;syscall, etc.), and perform user-mode call-stack analysis in order to determine whether the syscall was triggered from a normal path (<strong><code>kernel32.dll<\/code>&nbsp;-&gt;&nbsp;<code>ntdll.dll<\/code><\/strong>&nbsp;-&gt; syscall) or an abnormal one (ex.&nbsp;<code><strong>program.exe<\/strong><\/code>&nbsp;-&gt; direct syscall).<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>EDRSandBlast&nbsp;is a tool written in&nbsp;C&nbsp;that weaponizes a vulnerable signed driver to bypass EDR detections (Kernel callbacks and&nbsp;ETW TI&nbsp;provider) and&nbsp;LSASS&nbsp;protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring. 
As of release, combination of userland (&#8211;usermode) and Kernel-land (&#8211;kernelmode) techniques were used to dump&nbsp;LSASS&nbsp;memory under EDR scrutiny, without being blocked nor generating &#8220;OS Credential [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":24907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[5223,5220,5224,5222,5221],"class_list":["post-24889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-edr-detections","tag-edrsandblast","tag-lsass-protection","tag-vulnerable-signed-driver","tag-weaponize"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>EDRSandblast : Tool That Weaponize A Vulnerable Signed Driver<\/title>\n<meta name=\"description\" content=\"EDRSandBlast\u00a0is a tool written in\u00a0C\u00a0that weaponize a vulnerable signed driver to bypass EDR detections and\u00a0LSASS\u00a0protections.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"EDRSandblast : Tool That Weaponize A Vulnerable Signed Driver\" \/>\n<meta property=\"og:description\" content=\"EDRSandBlast\u00a0is a tool written in\u00a0C\u00a0that 
weaponize a vulnerable signed driver to bypass EDR detections and\u00a0LSASS\u00a0protections.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-29T05:45:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"EDRSandblast : Tool That Weaponize A Vulnerable Signed Driver To Bypass EDR Detections And LSASS Protection\",\"datePublished\":\"2022-05-29T05:45:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\"},\"wordCount\":3697,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png\",\"keywords\":[\"EDR Detections\",\"EDRSandblast\",\"LSASS Protection\",\"Vulnerable Signed Driver\",\"Weaponize\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\",\"name\":\"EDRSandblast : Tool That Weaponize A Vulnerable Signed 
Driver\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png\",\"datePublished\":\"2022-05-29T05:45:00+00:00\",\"description\":\"EDRSandBlast\u00a0is a tool written in\u00a0C\u00a0that weaponize a vulnerable signed driver to bypass EDR detections and\u00a0LSASS\u00a0protections.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage\",\"url\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png\",\"contentUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png\",\"width\":\"728\",\"height\":\"380\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux 
Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"EDRSandblast : Tool That Weaponize A Vulnerable Signed Driver","description":"EDRSandBlast\u00a0is a tool written in\u00a0C\u00a0that weaponize a vulnerable signed driver to bypass EDR detections and\u00a0LSASS\u00a0protections.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/","og_locale":"en_US","og_type":"article","og_title":"EDRSandblast : Tool That Weaponize A Vulnerable Signed Driver","og_description":"EDRSandBlast\u00a0is a tool written in\u00a0C\u00a0that weaponize a vulnerable signed driver to bypass EDR detections and\u00a0LSASS\u00a0protections.","og_url":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2022-05-29T05:45:00+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. 
reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"EDRSandblast : Tool That Weaponize A Vulnerable Signed Driver To Bypass EDR Detections And LSASS Protection","datePublished":"2022-05-29T05:45:00+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/"},"wordCount":3697,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","keywords":["EDR Detections","EDRSandblast","LSASS Protection","Vulnerable Signed Driver","Weaponize"],"articleSection":["Kali Linux"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/edrsandblast\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/","url":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/","name":"EDRSandblast : Tool That Weaponize A Vulnerable Signed 
Driver","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","datePublished":"2022-05-29T05:45:00+00:00","description":"EDRSandBlast\u00a0is a tool written in\u00a0C\u00a0that weaponize a vulnerable signed driver to bypass EDR detections and\u00a0LSASS\u00a0protections.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/edrsandblast\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/edrsandblast\/#primaryimage","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","contentUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","width":"728","height":"380"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux 
Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R 
K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEis_yOn1e7YGn9RW3PLi0WLWCk14vFXkxVX_AzaQul9EivkoleX1A3USFk-KAecfpaK67268iDAMNKcSDOKKDk-v1Jmlz2HeGPPQnVaD-UjcJgskpUXIKP4CZbCyNuLWFk9ExY9LyjyvL-nyw4gg_XKuqKjrZLBRK4nY067CFLRnxqMx_len7iJdPqm\/s728\/mimikatzremoved.png","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":29883,"url":"https:\/\/kalilinuxtutorials.com\/edrsandblast-godfault-advanced-edr-bypass-tool\/","url_meta":{"origin":24889,"position":0},"title":"EDRSandblast-GodFault: Advanced EDR Bypass Tool","author":"Varshini","date":"September 1, 2023","format":false,"excerpt":"EDRSandblast-GodFault is an advanced EDR bypass tool aimed at security researchers and organizations. Its purpose is to evaluate the effectiveness of current EDR systems by simulating real-world attack techniques. Use this tool responsibly and only on systems where you have explicit authorization. 
Integrates\u00a0GodFault\u00a0into\u00a0EDR Sandblast, achieving the same result without the\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDbD2wSviPLwGP6NqKuD-5bHIk0GFVgRAKEU7cwJyZZPg_596ijY_3954xF3F48BVnzuYo9-rxuC9g3wFYqVoXOWD_9kwgRWUcU4ExyqGg-Mkl-S4lpQWMoi3HQXXNUbQbk7idKRDzKVr7_Nh4Q97YNpuP3XyTiF1gK_I0pLv1UkaH9857M-z6MGLksHnB\/s16000\/EDR.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDbD2wSviPLwGP6NqKuD-5bHIk0GFVgRAKEU7cwJyZZPg_596ijY_3954xF3F48BVnzuYo9-rxuC9g3wFYqVoXOWD_9kwgRWUcU4ExyqGg-Mkl-S4lpQWMoi3HQXXNUbQbk7idKRDzKVr7_Nh4Q97YNpuP3XyTiF1gK_I0pLv1UkaH9857M-z6MGLksHnB\/s16000\/EDR.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDbD2wSviPLwGP6NqKuD-5bHIk0GFVgRAKEU7cwJyZZPg_596ijY_3954xF3F48BVnzuYo9-rxuC9g3wFYqVoXOWD_9kwgRWUcU4ExyqGg-Mkl-S4lpQWMoi3HQXXNUbQbk7idKRDzKVr7_Nh4Q97YNpuP3XyTiF1gK_I0pLv1UkaH9857M-z6MGLksHnB\/s16000\/EDR.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDbD2wSviPLwGP6NqKuD-5bHIk0GFVgRAKEU7cwJyZZPg_596ijY_3954xF3F48BVnzuYo9-rxuC9g3wFYqVoXOWD_9kwgRWUcU4ExyqGg-Mkl-S4lpQWMoi3HQXXNUbQbk7idKRDzKVr7_Nh4Q97YNpuP3XyTiF1gK_I0pLv1UkaH9857M-z6MGLksHnB\/s16000\/EDR.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":38660,"url":"https:\/\/kalilinuxtutorials.com\/how-edr-killers-bypass-security-tools\/","url_meta":{"origin":24889,"position":1},"title":"How EDR Killers Bypass Security Tools","author":"0xSnow","date":"March 19, 2026","format":false,"excerpt":"Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity, designed to detect and stop advanced threats in real time. 
However, attackers are increasingly deploying EDR killers, specialized techniques and tools designed to disable, evade, or bypass these protections before launching their primary payload. Traditionally, EDR bypass\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"EDR killers","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvN_o79il97rOLvL2xX6koI3IzYR_Kz0W8O4BPjwE3MJHoB6ut7mNTF0ku8DoGohe06M7JrQsJyUBLA-kcIp7rkROy2AMBejvM9aSs9eUMIHIdzRiZGo2QpRCYEAY4I1WXjKQsDHLU7-TPdYfBOw_9CTNOn_bZdMj1fVkBdJyjCGBkxMhaTC_3PEhRmU8\/s700\/EDR%20killers.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvN_o79il97rOLvL2xX6koI3IzYR_Kz0W8O4BPjwE3MJHoB6ut7mNTF0ku8DoGohe06M7JrQsJyUBLA-kcIp7rkROy2AMBejvM9aSs9eUMIHIdzRiZGo2QpRCYEAY4I1WXjKQsDHLU7-TPdYfBOw_9CTNOn_bZdMj1fVkBdJyjCGBkxMhaTC_3PEhRmU8\/s700\/EDR%20killers.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvN_o79il97rOLvL2xX6koI3IzYR_Kz0W8O4BPjwE3MJHoB6ut7mNTF0ku8DoGohe06M7JrQsJyUBLA-kcIp7rkROy2AMBejvM9aSs9eUMIHIdzRiZGo2QpRCYEAY4I1WXjKQsDHLU7-TPdYfBOw_9CTNOn_bZdMj1fVkBdJyjCGBkxMhaTC_3PEhRmU8\/s700\/EDR%20killers.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvN_o79il97rOLvL2xX6koI3IzYR_Kz0W8O4BPjwE3MJHoB6ut7mNTF0ku8DoGohe06M7JrQsJyUBLA-kcIp7rkROy2AMBejvM9aSs9eUMIHIdzRiZGo2QpRCYEAY4I1WXjKQsDHLU7-TPdYfBOw_9CTNOn_bZdMj1fVkBdJyjCGBkxMhaTC_3PEhRmU8\/s700\/EDR%20killers.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":37246,"url":"https:\/\/kalilinuxtutorials.com\/kernel-callbacks-removal\/","url_meta":{"origin":24889,"position":2},"title":"Kernel Callbacks Removal : Bypassing EDR Detections","author":"Varshini","date":"March 24, 
2025","format":false,"excerpt":"Kernel callbacks are essential components used by Endpoint Detection and Response (EDR) systems to monitor system events, such as process creation, image loading, and registry modifications. However, attackers have developed techniques to remove these callbacks, effectively blinding EDRs and allowing malicious activities to go undetected. Tools And Techniques Custom Callbacks\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/03\/Kernel-Callbacks-Removal-.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/03\/Kernel-Callbacks-Removal-.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/03\/Kernel-Callbacks-Removal-.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/03\/Kernel-Callbacks-Removal-.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/03\/Kernel-Callbacks-Removal-.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/03\/Kernel-Callbacks-Removal-.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":35596,"url":"https:\/\/kalilinuxtutorials.com\/awesome-edr-bypass\/","url_meta":{"origin":24889,"position":3},"title":"Awesome EDR Bypass : A Comprehensive Guide For Ethical Hackers","author":"Varshini","date":"January 2, 2025","format":false,"excerpt":"EDR bypass technology is not just for attackers. Many malware now have EDR bypass capabilities, knowledge that pentesters and incident responders should also be aware of. This repository is not intended to be used to escalate attacks. Use it for ethical hacking. 
PoC trickster0\/TartarusGate: TartarusGate, Bypassing EDRs am0nsec\/HellsGate: Original C\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"classes":[]},
{"id":25265,"url":"https:\/\/kalilinuxtutorials.com\/nanodump\/","url_meta":{"origin":24889,"position":4},"title":"Nanodump : A Crappy LSASS Dumper With No ASCII Art","author":"R K","date":"June 19, 2022","format":false,"excerpt":"Nanodump, a flexible tool that creates a minidump of the LSASS process. Features It uses syscalls (with\u00a0SysWhispers2) for most operations.Syscalls are called from an\u00a0ntdll\u00a0address to bypass some syscall detections.It sets the syscall callback hook to NULL.Windows APIs are called using dynamic invoke.You can choose to download the dump without touching\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"classes":[]},
{"id":29935,"url":"https:\/\/kalilinuxtutorials.com\/combine\/","url_meta":{"origin":24889,"position":5},"title":"Combine Tool &#8211; Bypass EDRs &#038; Secure Windows Credentials","author":"Varshini","date":"September 1, 2023","format":false,"excerpt":"By readapting the safetydump rust library (many thanks to the author!!!), I have been able to EASILY bypass all the countermeasures put in place by most EDRs, except Kaspersky EDR, and TrendMicro (new detection, from a couple hours ago) dbghelp!MiniDumpWriteDump with a custom callback could be used, until a year\u2026","rel":"","context":"In &quot;Hacking Tools&quot;","block_context":{"text":"Hacking Tools","link":"https:\/\/kalilinuxtutorials.com\/category\/hacking-tools\/"},"classes":[]}],
"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/24889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=24889"}],"version-history":[{"count":13,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/24889\/revisions"}],"predecessor-version":[{"id":25003,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/24889\/revisions\/25003"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/24907"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=24889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=24889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=24889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}