Saving executables to disk is like telling EDRs that "Hey! Take a look at this thing I just fetched from the Internet!". No Red-Teamer wants that at the end of the day. That's why we are here to help!
For example, Havoc native payloads get flagged by the defender pretty easy:
However, you can run the same in-memory without spawnning a new process using the repository as:
Here in an example of the tool bypassing SentinelOne to run mimikatz
Compiling is as easy as:
C:\Users\User\Codes\exe_who> cargo build --release
- Patch ETW
- Patch AMSI
- Sandbox Detection
- User Activity Detection
- Check for Sandbox Drivers
- Check for Sleep Patching
- Check Filename Hash
- Check for EDR drivers
- Fetch PEs and DLLs and run them in-memory