├── README.org └── techniques └── injectionTechniques ├── apiHashing ├── README.md ├── bin │ └── api_hashing.exe ├── detection │ ├── apiHashing.png │ ├── apiHashingYaraRuleByFrank.png │ ├── cff.png │ └── console.png └── poc │ ├── api_hashing.c │ └── build.sh ├── apiHooking ├── README.md ├── bin │ └── api_hooking_1.exe └── poc │ ├── build.sh │ └── msgbox.c ├── apiHooking_iat ├── README.md ├── bin │ ├── api_hooking_ait.exe │ └── evil.dll ├── defense │ ├── importDirectory.png │ ├── patched.png │ ├── peSieve.png │ ├── report.png │ └── unpatched.png └── poc │ ├── api_hooking_iat.c │ ├── build.sh │ └── evil.c ├── dllHollowing ├── README.org ├── bin │ ├── dll_hollow.exe │ ├── dll_hollowing.exe │ ├── dll_hollowing_cs.exe │ ├── dll_hollowing_remote_mine.exe │ ├── dll_hollowing_remote_process_cs.exe │ ├── image (1).png │ └── image.png ├── detection │ ├── bin │ │ ├── checkAmsi.exe │ │ ├── checkObfusString.exe │ │ ├── detectHollowing.exe │ │ ├── dllDetectDllHollowing.dll │ │ ├── dllHollowingMonLoader.exe │ │ ├── dllMemcpyMon.dll │ │ ├── dllMon.exe │ │ ├── entryPointCheck.exe │ │ ├── loadLibraryMon.dll │ │ ├── loadLibraryMon.exe │ │ ├── memcpyEntrypPoint.exe │ │ ├── memcpyMon.exe │ │ ├── memoryProtection.exe │ │ ├── monitorEntryPoint.exe │ │ ├── shellCodeDump.exe │ │ ├── unexpectedDlls.exe │ │ └── writeExecuteCheck.exe │ ├── checkAmsi.c │ ├── checkObfusString.c │ ├── cppDllHollowing.cpp │ ├── dllDetectDllHollowing.c │ ├── dllHollowingMonLoader.c │ ├── dllLoadLibraryMon.c │ ├── dllMemcpyMon.c │ ├── dllMon.c │ ├── elasticTeam.toml │ ├── entryPointCheck.c │ ├── images │ │ └── entryPointChanged.png │ ├── loadLibraryMon.c │ ├── loadLibraryMonPid.c │ ├── memcpyEntryPoint.c │ ├── memcpyMon.c │ ├── memoryProtection.c │ ├── monitorEntryPoint.c │ ├── shellCodeDump.c │ ├── unexptectedDlls.c │ └── writeExecuteCheck.c ├── include │ ├── dllMemcpyMon.h │ └── shared.h └── poc │ ├── build.sh │ ├── dll_hollowing.c │ ├── dll_hollowing.cs │ ├── dll_hollowing_remote_process.cs │ └── dll_hollowing_remote_process_mine.c ├── dllSetHook ├── README.md ├── bin │ ├── dll_sethook.exe │ └── evil.dll ├── detection │ └── validation │ │ ├── hollowHunter.png │ │ ├── hollowHunterDump.png │ │ └── importTable.png └── poc │ ├── build.sh │ ├── dll_sethook.c │ └── evil.c ├── presentationTexasCyber └── TrustedSec_TexasCyberSummit_2023.pptx ├── processHollowing ├── README.md ├── bin │ └── process_hollow.exe └── poc │ ├── build.sh │ └── process_hollowing.c ├── queueuserapc ├── README.md ├── bin │ └── queueuserapc.exe ├── detection │ └── validation │ │ ├── processAccess1.png │ │ └── processAccess2.png └── poc │ ├── build.sh │ └── queueuserapc.c ├── reflectiveDLL ├── README.md ├── bin │ ├── reflect_dll.exe │ └── spawn_calc.dll ├── detection │ ├── apiDetection │ │ ├── demoDll.cpp │ │ ├── dllInjector.cpp │ │ ├── dllReflectDetect.cpp │ │ ├── reflectDetect_backup.cpp │ │ └── reflectiveDllMon.cpp │ ├── bin │ │ ├── demoDll.dll │ │ ├── dllInjector.exe │ │ ├── dllReflectDetect.dll │ │ └── relfectiveDllMon.exe │ └── validation │ │ ├── bestDetectionLogic.png │ │ ├── createProcess.png │ │ ├── createProcessSysmon.png │ │ ├── ghettoEDR.png │ │ ├── noEdr.png │ │ └── research.png └── poc │ ├── build.sh │ └── reflective_dll.c ├── shellcode_ntmapviewsection ├── README.md ├── bin │ ├── sc_mapSection.exe │ └── spawn_calc.x64.sc ├── detection │ ├── apiCalls.png │ ├── apisYar.png │ ├── generic_detect.yar │ ├── networkYar.png │ └── poc_apis.yar └── poc │ ├── build.sh │ └── sc_mapsection.c └── syscall_queueuserapc ├── bin └── syscall_queueuserapc.exe └── poc ├── Syscalls.h ├── build.sh └── queueuserapc.c /README.org: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/README.org -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/bin/api_hashing.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/bin/api_hashing.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/detection/apiHashing.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/detection/apiHashing.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/detection/apiHashingYaraRuleByFrank.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/detection/apiHashingYaraRuleByFrank.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/detection/cff.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/detection/cff.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/detection/console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/detection/console.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/poc/api_hashing.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/poc/api_hashing.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHashing/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHashing/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking/README.md: -------------------------------------------------------------------------------- 1 | ## API Hooking - Trampoline 2 | 3 | -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking/bin/api_hooking_1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking/bin/api_hooking_1.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking/poc/msgbox.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking/poc/msgbox.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/bin/api_hooking_ait.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/bin/api_hooking_ait.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/bin/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/bin/evil.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/defense/importDirectory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/defense/importDirectory.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/defense/patched.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/defense/patched.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/defense/peSieve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/defense/peSieve.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/defense/report.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/defense/report.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/defense/unpatched.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/defense/unpatched.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/poc/api_hooking_iat.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/poc/api_hooking_iat.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/apiHooking_iat/poc/evil.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/apiHooking_iat/poc/evil.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/README.org: -------------------------------------------------------------------------------- 1 | #+title: DLL Hollowing (TrustedSec Blog Post) 2 | -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/dll_hollow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/dll_hollow.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/dll_hollowing.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/dll_hollowing.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/dll_hollowing_cs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/dll_hollowing_cs.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/dll_hollowing_remote_mine.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/dll_hollowing_remote_mine.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/dll_hollowing_remote_process_cs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/dll_hollowing_remote_process_cs.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/image (1).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/image (1).png -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/bin/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/bin/image.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/checkAmsi.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/checkAmsi.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/checkObfusString.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/checkObfusString.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/detectHollowing.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/detectHollowing.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/dllDetectDllHollowing.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/dllDetectDllHollowing.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/dllHollowingMonLoader.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/dllHollowingMonLoader.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/dllMemcpyMon.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/dllMemcpyMon.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/dllMon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/dllMon.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/entryPointCheck.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/entryPointCheck.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/loadLibraryMon.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/loadLibraryMon.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/loadLibraryMon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/loadLibraryMon.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/memcpyEntrypPoint.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/memcpyEntrypPoint.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/memcpyMon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/memcpyMon.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/memoryProtection.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/memoryProtection.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/monitorEntryPoint.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/monitorEntryPoint.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/shellCodeDump.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/shellCodeDump.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/unexpectedDlls.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/unexpectedDlls.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/bin/writeExecuteCheck.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/bin/writeExecuteCheck.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/checkAmsi.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/checkAmsi.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/checkObfusString.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/checkObfusString.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/cppDllHollowing.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/cppDllHollowing.cpp -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/dllDetectDllHollowing.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/dllDetectDllHollowing.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/dllHollowingMonLoader.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/dllHollowingMonLoader.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/dllLoadLibraryMon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/dllLoadLibraryMon.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/dllMemcpyMon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/dllMemcpyMon.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/dllMon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/dllMon.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/elasticTeam.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/elasticTeam.toml -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/entryPointCheck.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/entryPointCheck.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/images/entryPointChanged.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/images/entryPointChanged.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/loadLibraryMon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/loadLibraryMon.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/loadLibraryMonPid.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/loadLibraryMonPid.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/memcpyEntryPoint.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/memcpyEntryPoint.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/memcpyMon.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/memcpyMon.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/memoryProtection.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/memoryProtection.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/monitorEntryPoint.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/monitorEntryPoint.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/shellCodeDump.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/shellCodeDump.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/unexptectedDlls.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/unexptectedDlls.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/detection/writeExecuteCheck.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/detection/writeExecuteCheck.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/include/dllMemcpyMon.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/include/dllMemcpyMon.h -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/include/shared.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/include/shared.h -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/poc/dll_hollowing.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/poc/dll_hollowing.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/poc/dll_hollowing.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/poc/dll_hollowing.cs -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/poc/dll_hollowing_remote_process.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/poc/dll_hollowing_remote_process.cs -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllHollowing/poc/dll_hollowing_remote_process_mine.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllHollowing/poc/dll_hollowing_remote_process_mine.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/bin/dll_sethook.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/bin/dll_sethook.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/bin/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/bin/evil.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/detection/validation/hollowHunter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/detection/validation/hollowHunter.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/detection/validation/hollowHunterDump.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/detection/validation/hollowHunterDump.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/detection/validation/importTable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/detection/validation/importTable.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/poc/dll_sethook.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/poc/dll_sethook.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/dllSetHook/poc/evil.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/dllSetHook/poc/evil.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/presentationTexasCyber/TrustedSec_TexasCyberSummit_2023.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/presentationTexasCyber/TrustedSec_TexasCyberSummit_2023.pptx -------------------------------------------------------------------------------- /techniques/injectionTechniques/processHollowing/README.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /techniques/injectionTechniques/processHollowing/bin/process_hollow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/processHollowing/bin/process_hollow.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/processHollowing/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/processHollowing/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/processHollowing/poc/process_hollowing.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/processHollowing/poc/process_hollowing.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/queueuserapc/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/queueuserapc/README.md -------------------------------------------------------------------------------- /techniques/injectionTechniques/queueuserapc/bin/queueuserapc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/queueuserapc/bin/queueuserapc.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/queueuserapc/detection/validation/processAccess1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/queueuserapc/detection/validation/processAccess1.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/queueuserapc/detection/validation/processAccess2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/queueuserapc/detection/validation/processAccess2.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/queueuserapc/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/queueuserapc/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/queueuserapc/poc/queueuserapc.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/queueuserapc/poc/queueuserapc.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/README.md -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/bin/reflect_dll.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/bin/reflect_dll.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/bin/spawn_calc.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/bin/spawn_calc.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/demoDll.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/demoDll.cpp -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/dllInjector.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/dllInjector.cpp -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/dllReflectDetect.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/dllReflectDetect.cpp -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/reflectDetect_backup.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/reflectDetect_backup.cpp -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/reflectiveDllMon.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/apiDetection/reflectiveDllMon.cpp -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/bin/demoDll.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/bin/demoDll.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/bin/dllInjector.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/bin/dllInjector.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/bin/dllReflectDetect.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/bin/dllReflectDetect.dll -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/bin/relfectiveDllMon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/bin/relfectiveDllMon.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/validation/bestDetectionLogic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/validation/bestDetectionLogic.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/validation/createProcess.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/validation/createProcess.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/validation/createProcessSysmon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/validation/createProcessSysmon.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/validation/ghettoEDR.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/validation/ghettoEDR.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/validation/noEdr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/validation/noEdr.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/detection/validation/research.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/detection/validation/research.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/reflectiveDLL/poc/reflective_dll.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/reflectiveDLL/poc/reflective_dll.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/README.md -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/bin/sc_mapSection.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/bin/sc_mapSection.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/bin/spawn_calc.x64.sc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/bin/spawn_calc.x64.sc -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/detection/apiCalls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/detection/apiCalls.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/detection/apisYar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/detection/apisYar.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/detection/generic_detect.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/detection/generic_detect.yar -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/detection/networkYar.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/detection/networkYar.png -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/detection/poc_apis.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/detection/poc_apis.yar -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/shellcode_ntmapviewsection/poc/sc_mapsection.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/shellcode_ntmapviewsection/poc/sc_mapsection.c -------------------------------------------------------------------------------- /techniques/injectionTechniques/syscall_queueuserapc/bin/syscall_queueuserapc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/syscall_queueuserapc/bin/syscall_queueuserapc.exe -------------------------------------------------------------------------------- /techniques/injectionTechniques/syscall_queueuserapc/poc/Syscalls.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/syscall_queueuserapc/poc/Syscalls.h -------------------------------------------------------------------------------- /techniques/injectionTechniques/syscall_queueuserapc/poc/build.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/syscall_queueuserapc/poc/build.sh -------------------------------------------------------------------------------- /techniques/injectionTechniques/syscall_queueuserapc/poc/queueuserapc.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/trustedsec/TCS_InjectionTechniques/HEAD/techniques/injectionTechniques/syscall_queueuserapc/poc/queueuserapc.c --------------------------------------------------------------------------------