
Defense Evasion Techniques Repository. This repository contains a collection of techniques designed to bypass Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems.


Offensive-Panda/DefenseEvasionTechniques


C:\Users\Offensive-Panda>whoami

My name is Usman Sikander (a.k.a. Offensive-Panda). I am passionate about identifying and researching advanced evasion techniques and analyzing real-world samples to extract TTPs to validate security posture through APT emulations. With a proven track record in developing undetected exploits across MITRE ATT&CK tactics and automating exploit processes, I excel in comprehensive endpoint simulations in a controlled environment with security controls present.



Defense Evasion Techniques

Welcome to the Defense Evasion Techniques Repository! This curated collection offers advanced methods to bypass sophisticated security measures in Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems. Aimed at cyber security professionals and researchers, these techniques are invaluable for both Red Team and Blue Team operations. This repository includes strategies for manipulating system calls, obfuscating code, managing memory to evade detection, and other advanced evasion techniques. By leveraging these methods, experts can enhance penetration testing, red teaming, and malware analysis, and develop more resilient defenses.

Evasion Techniques

| Technique | Description |
|---|---|
| Syscalls | Exploring ways to manipulate system calls to evade detection. |
| Direct and Indirect Calls | Strategies for making direct and indirect function calls to evade detection mechanisms. |
| API Hashing | Techniques for obfuscating and altering API calls to avoid detection. |
| Obfuscation | Methods to obfuscate code and make it harder to analyze. |
| Encryption | Use of encryption to bypass static analysis by EDRs. |
| Egg Hunting Syscall Instruction | In-memory patching to bypass static detection. |
| Random Instructions and Prototypes | Use of random NOP instructions and randomized API and prototype names to avoid static analysis. |
| Mockingjay | Use of a vulnerable DLL to avoid detection of RWX memory region creation. |
| Forking Technique | Use of the Windows fork API to clone the parent process after injecting shellcode, avoiding detection of CreateRemoteThread. |
| Unhooking | Removing EDR user-mode hooks using a clean copy of the DLL, a raw copy from a remote server, or a suspended process to bypass EDRs. |
| ETW Patching | Applying ETW patching to avoid event-based detection. |
| PEB Lookup | Resolving SSNs and Native APIs at run time using PEB lookup, for both 32-bit and 64-bit. |
| RWX Memory Block Hunt | Hunting for an already created RWX region to write and execute shellcode. This technique removes the dependency on a vulnerable DLL with an RWX section and on an API to allocate RWX memory. |
| BYOVD | Bring Your Own Vulnerable Driver, which involves deploying legitimately signed drivers that can be successfully loaded into Windows systems to execute code in kernel context. |

My Blogs

- Arsenal: Bypass EDR's/XDR's and make malware analysis harder: https://systemweakness.com/arsenal-bypass-edrs-xdr-s-and-make-malware-analysis-harder-6fde3e2884a5
- On-Disk Detection: Bypass AV's/EDR's using syscalls with legacy instruction, series of instructions and random nop instructions: https://medium.com/system-weakness/on-disk-detection-bypass-avs-edr-s-using-syscalls-with-legacy-instruction-series-of-instructions-5c1f31d1af7d
- EASE POST-EXPLOITATION: Getting elevated reverse shell using DLL Hijacking and Mock Directories: https://medium.com/system-weakness/ease-post-exploitation-getting-elevated-reverse-shell-using-dll-hijacking-and-mock-directories-2fc2c7a3cdae
- AV/EDR Evasion Using Direct System Calls (User-Mode vs Kernel-Mode): https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a
- Bypass "Mimikatz" using the Process Injection Technique: https://medium.com/system-weakness/bypass-mimikatz-using-process-injection-technique-6d2a8415fcd6
- Unveiling the Intricacies of AsyncRAT: A deployment in Colombia by the Blind Eagle Cyber Group: https://medium.com/@merasor07/unveiling-the-intricacies-of-asyncrat-a-deployment-in-colombia-by-the-blind-eagle-cyber-group-83b48cc415a7
- Unveiling the Intricacies of SamSam Ransomware: A Comprehensive Analysis Plus Proactive Threat Emulation: https://medium.com/@merasor07/unveiling-the-intricacies-of-samsam-ransomware-a-comprehensive-analysis-plus-proactive-threat-bee37979f407
- Dark Crystel RAT (DCrat) Detailed Analysis: https://medium.com/system-weakness/dark-crystel-rat-dcrat-detailed-analysis-94a2bcccd5ce

My Posts

- Dirty Vanity implementation using direct syscalls: https://www.linkedin.com/posts/usman-sikander13_malwaredevelopment-syscalls-forking-activity-7193958115556343808-8UzK?utm_source=share&utm_medium=member_desktop
- Mockingjay technique implementation to avoid RWX region detection: https://www.linkedin.com/posts/usman-sikander13_offensivesecurity-cybersecurity-malwaredevelopement-activity-7191049164409991168-fLwR?utm_source=share&utm_medium=member_desktop
- Combining unhooking and ETW patching to dump lsass.exe memory: https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F-activity-7188865881580453890-iakH?utm_source=share&utm_medium=member_desktop
- Direct syscalls to dump lsass.exe memory and offline dumping: https://www.linkedin.com/posts/usman-sikander13_offensivesecurity-lsassdump-malware-activity-7187820505746325504-l25o?utm_source=share&utm_medium=member_desktop
- Remote Template Injection: https://www.linkedin.com/posts/usman-sikander13_remote-template-injection-today-i-created-activity-6936948079807844353-UQQ8?utm_source=share&utm_medium=member_desktop
- Mark-of-the-Web for Red Team: https://www.linkedin.com/posts/usman-sikander13_bypass-macro-vba-activity-6900000010717458433-lAH2?utm_source=share&utm_medium=member_desktop
- Memory dump using Outflank Dumpert and Windows process injection: https://www.linkedin.com/feed/update/urn:li:activity:7056950152242094080?utm_source=share&utm_medium=member_android
- NT AUTHORITY shell using Fodhelper: https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F-%3F%3F%3F%3F-activity-7072507221774917632-T0LK?utm_source=share&utm_medium=member_android
- RWX memory hunt and injection with CreateRemoteThread: https://www.linkedin.com/posts/usman-sikander13_%3F%3F%3F-%3F%3F%3F%3F%3F%3F-activity-7196426924351488001-RXOk?utm_source=share&utm_medium=member_desktop
- EDR Terminator (call it killer): https://www.linkedin.com/posts/usman-sikander13_edrkiller-malwaredevelopment-mdebypass-activity-7201848552522711042-vySE?utm_source=share&utm_medium=member_desktop

Github Repo

- D3MPSEC: a memory dumping tool designed to extract a memory dump from the LSASS process using various techniques, including direct system calls, randomized procedures, and prototype name obfuscation. Its primary purpose is to bypass both static and dynamic analysis techniques commonly employed by security measures. https://github.com/Offensive-Panda/D3MPSEC
- DV_NEW: combination of multiple evasion techniques to evade defenses (Dirty Vanity). https://github.com/Offensive-Panda/DV_NEW
- Capture attacks using honeypots: https://github.com/Offensive-Panda/Collect_Threat_Intel_AND_Malware_Using_Honeypots
- Persistence_AND_Anti_Sandbox: https://github.com/Offensive-Panda/Persistence_AND_Anti_Sandbox
- on-disk-detection-bypass: https://github.com/Offensive-Panda/on-disk-detection-bypass
- C2_Elevated_Shell_DLL_Hijcking: https://github.com/Offensive-Panda/C2_Elevated_Shell_DLL_Hijcking
- RWX hunting and injection using the fork API: https://github.com/Offensive-Panda/RWX_MEMEORY_HUNT_AND_INJECTION_DV

Evasion Mastery and Deep Dive into Threats

(Embedded document: Defense_Evasion.pdf, included in this repository.)

Disclaimer

The content, techniques, and tools provided in this repository are intended solely for educational and research purposes within the cybersecurity community. I explicitly disclaim any responsibility for the misuse or unlawful use of the provided materials. Any actions taken based on the information are done so at the user's own risk.
