It is insane how layering a first stage AMSI bypass, D/Invoking amsihook.c as a new thread (permanent AMSI bypasses), then loading additional binaries with an old school BYOVD exploit and hiding it with a userland rootkit (just r77), and persisting it with common registry keys was all that was needed to bypass most endpoint protections. Outside of the three final stage binaries, no other implant was dropped to disk except the MSI file to start up the attack chain. But even then, using mass exploitation techniques to replace the MSI spearphishing payload sufficed.
Bypassing endpoint protections with AMSI, BYOVD, and rootkit
More Relevant Posts
A great reminder that attackers often use cleverly obfuscated payloads to exploit parsing weaknesses in WAFs and evade signature-based detection.
Cyber Security Researcher And AI Expert | Malware Analysis | Studying OSCP | RedTeam Stuff | AI Researcher | Post-training / Reasoning Models | RAG | AI Automation | AI Agents | Agentic AI |
The payload contains '|/???/\b**\h,' which is meant to confuse WAF rules. Unusual characters are a common evasion tactic. Ref: https://lnkd.in/g957cNmb #infosec #bugbountytips #cybersec
CVE-2025-60561 | *Severity:* HIGH (7.5) Bug Bounty Relevance: MEDIUM Buffer overflow vulnerability in D-Link DIR600L Ax FW116WWb01's formSetEmail function through curTime parameter. Exploitation may lead to arbitrary code execution, potentially allowing unauthorized access or privilege escalation on affected devices. Strategy: Prioritize targets utilizing D-Link DIR600L devices; analyze network traffic and payloads for signs of buffer overflow exploitation attempts. Additionally, attempt to reproduce the vulnerability using custom crafted requests with large curTime inputs. https://lnkd.in/epn9Mp9c
How to Check for CVE-2025-61932: Is Your LANSCOPE Endpoint Manager Vulnerable to the New RCE Attack? Read the full report on - https://lnkd.in/eWcpei-k
Hi all! 🔐 eJPT — CTF 1 (Exploitation) — Walkthrough Live I published a step-by-step walkthrough for CTF 1 from the eJPT 3.4 labs. It covers reconnaissance, vulnerability verification, exploit execution, and cleanup — with annotated screenshots and exact commands so you can reproduce everything safely in your lab. If you’re preparing for eJPT or practicing black-box penetration testing, this guide will give you practical, hands-on exercises. Feedback and suggestions welcome. Read → https://lnkd.in/gupBeKuQ #Infosec #eJPT #CTF #Pentesting #InfoSecCommunity
🔐 The Sygnia advisory on the F5 Networks breach shines a spotlight on a harsh reality: when a leading security vendor’s development systems are compromised, edge appliances and supply-chains become primary targets. Edge devices—load-balancers, VPN gateways, management interfaces—are often treated as Tier-1, yet they still face gaps like open management planes and delayed patching. Sygnia recommends treating these as “Tier-0” assets: isolate the management plane, tighten egress, pre-approve emergency change paths, and monitor for configuration drift. In one sentence: Trust is not a control. Visibility, governance, and speed are. 🛡️ #EdgeSecurity #SupplyChainRisk #VendorCompromise #CyberResilience #Sygnia #F5Breach #OperationalRisk
ICYMI: Sygnia released a new advisory on the #F5breach, where a nation-state actor infiltrated F5’s BIG-IP development systems and stole proprietary code and vulnerability data. While no backdoor was found, the stolen intelligence could accelerate exploit development and put edge appliances at immediate risk. Our experts share what security leaders need to know and how to close the disclosure-to-patch gap attackers exploit. 🛡️ Read the full advisory: https://bit.ly/4oj4bp8 📘 Additional context: Sygnia’s Velvet Ant research on F5 exploitation → https://bit.ly/48uRX8l
I made my TryHackMe room on NTLM Reflection (CVE-2025-33073) public. I submitted it a while ago, but never received an update. You can now join to practice the NTLM reflection vulnerability. This room covers three practical techniques you can use in real-world engagements to gain local admin access to the vulnerable systems, move laterally, and compromise the network. Room Link: https://lnkd.in/gt6y6jaS #ntlmreflection #cve202533073 #tryhackme
📰 "Noam Moshe, Claroty's Vulnerability Research Team Lead, joins to discuss #Team82's work on 'Turning Camera Surveillance on its Axis.' Team82 disclosed four vulnerabilities in Axis.Remoting—deserialization, a MiTM 'pass-the-challenge' NTLMSSP flaw, and an unauthenticated fallback HTTP endpoint—that enable pre-auth remote code execution against Axis Device Manager and Axis Camera Station." | via N2K | CyberWire https://hubs.li/Q03RVMNK0
Parmhunter is a lightweight, high-utility Bash tool developed by Inayat Hussain to find hidden or common parameters in target URLs during bug bounty reconnaissance. It helps uncover vulnerable query parameters for further testing, such as XSS, SSRF, IDOR, LFI, and more.
CVE-2025-60563 | *Severity:* HIGH (7.5) Bug Bounty Relevance: MEDIUM D-Link DIR600L Ax FW116WWb01 device is vulnerable to a buffer overflow via the curTime parameter in the function formSetPortTr. Exploitation might lead to arbitrary code execution, potentially providing unauthorized access or remote command injection. Strategy: Target devices with similar firmware versions or other D-Link models; check for buffer overflow vulnerabilities in network traffic and web interfaces. https://lnkd.in/exF5pjsE