DarkWidow: a Dropper/Post Exploitation Tool targeting Windows

Remote Process Injection
Successful execution without creating an alert on Sofos XDR Endpoint

DarkWidow

This is a dropper / post-exploitation tool (it can be used in either role, or both) targeting Windows.


Capabilities:

  1. Indirect dynamic syscalls
  2. SSN + syscall address sorting via a modified TartarusGate approach
  3. Remote process injection via APC Early Bird (MITRE ATT&CK TTP: T1055.004)
  4. Spawns a sacrificial process as the target process
  5. ACG (Arbitrary Code Guard) / BlockDLL mitigation policy on the spawned process
  6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
  7. API resolving from the TIB (directly via offset: TIB -> TEB -> PEB -> resolve the Nt API) (MITRE ATT&CK TTP: T1106)
  8. Cursed Nt API hashing
  9. EDR / ring-3 / userland hook bypass
  10. The syscall and return instructions are executed from the memory of ntdll.dll
  11. EDR detection based on checking the return address in the call stack can be bypassed

Install & Use

Copyright (c) 2023 Soumyani1