AQUARMOURY: tool suite consisting of miscellaneous offensive tooling
AQUARMOURY
This is a tool suite consisting of miscellaneous offensive tooling aimed at red teamers/penetration testers, primarily to aid in Defense Evasion (MITRE ATT&CK tactic TA0005).
Goblin
First module released as part of the AQUARMOURY suite to disable Windows Event and Sysmon logging.
Goblin is a module that enumerates all the threads of the EventLog service module (wevtsvc.dll) and kills them, so that the EventLog service can no longer register new events even though the service still appears to be running. Disabling Windows Event Logging and Sysmon logging paves the way for operators to perform Post-Exploitation activities safely and stealthily.
Additionally, it also allows us to "revive" the EventLog service again without requiring a reboot once Post-Ex activities are done.
This tool was created to aid red team operators/penetration testers and to learn the inner workings of Windows Event Logging.
Check it out here.
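Because Goblin leaves the service in the Running state and only kills its worker threads, a defender cannot rely on Get-Service alone. The following PowerShell liveness probe is an added example (not part of AQUARMOURY or Goblin): it records the thread count of the svchost.exe hosting wevtsvc.dll, writes a probe event, and checks that it can be read back. The event source name is a constructed placeholder; run it elevated.

```powershell
# Added example, not AQUARMOURY code: detect an Event Log service that reports
# "Running" but no longer records events (the state Goblin produces).
$source  = 'EventLogLivenessProbe'   # constructed source name, registered on first run
$logName = 'Application'

# 1. Status as seen by the Service Control Manager (untouched by thread killing)
$svc    = Get-Service -Name EventLog
$svcPid = (Get-CimInstance Win32_Service -Filter "Name='EventLog'").ProcessId

# 2. Thread count of the hosting svchost.exe; baseline this per host, a sharp drop
#    while the service still reports Running is a strong tampering signal
$threads = (Get-Process -Id $svcPid).Threads.Count

# 3. Write a uniquely tagged probe event and try to read it back
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}
$marker = [guid]::NewGuid().ToString()
$seen   = $null
try {
    Write-EventLog -LogName $logName -Source $source -EventId 1000 `
        -EntryType Information -Message "liveness probe $marker"
    Start-Sleep -Seconds 2
    $seen = Get-WinEvent -FilterHashtable @{
                LogName = $logName; ProviderName = $source
                StartTime = (Get-Date).AddMinutes(-1)
            } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$marker*" }
} catch {
    # A dead logging pipeline can surface here as an RPC error rather than silence
    Write-Warning "Probe write failed: $($_.Exception.Message)"
}

[pscustomobject]@{
    ServiceStatus   = $svc.Status
    HostPid         = $svcPid
    HostThreadCount = $threads
    ProbeLogged     = [bool]$seen
}
if ($svc.Status -eq 'Running' -and -not $seen) {
    Write-Warning "EventLog reports Running but did not record the probe: possible logging tampering."
}
```

Ship the resulting object to a collector that does not depend on the local Event Log (for example a Sysmon-independent agent or a scheduled push), since the channel under test is exactly the one being suppressed.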
Brownie
A framework to rapidly prototype DLL Hijacks.
Brownie is a platform to rapidly prototype and weaponize DLL hijacks. In particular, we are interested in DLL Search Order Hijacking to have our malicious code sideloaded by a signed, legitimate executable. This is sometimes wrongly (or rightly?) called DLL Sideloading, which has a very specific definition.
We are particularly interested in how this technique is an interesting (and often underrated) alternative to Code Injection that shares the same objective, i.e., evading AV/EDRs by executing malicious code from the address space of a "trusted" process. We won't be looking at DLL hijacks for LPE or Persistence as such, although the framework can certainly be adapted for the latter purpose quite easily.
This post will be heavily borrowing from public research and it was a personal note before I decided to release it by packaging it up nicely with a bow.
Check it out here.
Wraith
A stealthy native loader to deliver Stage-1/Beaconing implant OR Stage-2/Post-Ex RAT in-memory covertly and securely.
Wraith is a native loader designed to pave the way for the arrival of a Stage-1/Beaconing implant or a Stage-2/Post-Ex implant in-memory, securely and stealthily. Built to operate in heavily monitored environments, it has PSP (security product) evasion as its primary goal.
Check it out here.
Shellycoat
A module to bypass UM/User-Mode/Ring-3 hooks utilized by security products and aid in evasion.
Shellycoat is a utility designed to aid in bypassing the User-Mode hooks that AV/NGAV/EDR/Sandbox/DLP products rely on to gain visibility into potentially suspicious actions, since SSDT hooking was made obsolete on x64 systems by the advent of Kernel Patch Protection (KPP)/PatchGuard.
Check it out here.
Copyright (C) 2020 slaeryan