0x00Check's Projects
Amaterasu terminates or inhibits protected processes, such as application control and AV/EDR solutions, by leveraging the Sysinternals Process Explorer driver to close the target process's handles from kernel mode.
Identify and exploit leaked handles for local privilege escalation.
PowerShell script to find NTDLL functions that may be hooked by AV or EDR by comparing the function bytes in the on-disk ntdll.dll with the same bytes in the ntdll module loaded in memory.
PowerShell script to retrieve the system call numbers for Nt/Zw functions exported in NTDLL.
KQL Queries: out-of-the-box Microsoft Defender for Endpoint and Azure Sentinel hunting and detection queries for Advanced Hunting, Custom Detections, Analytics Rules and Hunting Rules.
PowerShell script to append data to executables without invalidating their digital signature (MS13-098).
PIF is a tool that facilitates injecting and executing arbitrary code in remote processes through various process injection techniques.
Minimal driver that registers a process-creation callback with PsSetCreateProcessNotifyRoutineEx and writes basic process information to the kernel debugger. For educational purposes.