In-Memory Evasion Course

I wanted to take a moment to talk about process injection and memory manipulation, and a recent course I saw on the topic. There are many different techniques for process injection; many of them are well known and have example implementations on GitHub, and one of the most popular is reflective DLL injection. Raphael Mudge recently put out an amazing course on using these techniques in your implants, titled In-Memory Evasion. Like his last course, Advanced Threat Tactics, and his Tradecraft series before that, this is a short course for red teamers who want to step up their operations by implementing various tactics and techniques. It also isn't so much a course as a long multipart lecture, coming in at just under two hours. While Raffi's course focuses heavily on process injection in Windows, similar techniques exist for both Linux and OS X.

In Raffi's first video he provides several tools you can use to detect evidence of in-memory process tampering. PE-Sieve is another great tool for this purpose. Another awesome tool when playing with memory injection is sRDI, which is easy mode for getting DLLs or shellcode into memory. You also can't talk about in-memory evasion without mentioning Gargoyle, an amazing PoC for evading in-memory scanning by keeping the implant's code in non-executable memory when it is not in use and only making it executable again for the moments it runs.

Overall the course is fantastic; it is essentially purple teaming itself throughout, showing how to generate attacks and then detect them in memory. I like this course a lot because you can either apply the techniques shown directly with Cobalt Strike, or easily abstract them and implement them in the language of your choice. Further, if you are using Cobalt Strike, BlueScreenOfJeff recently put out Opsec Safe Profiles, code that discovers the detection capabilities enabled on the victim machine and disables agent commands that would trigger them.
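To make the detection side concrete, here is an added example of the kind of point-in-time check the scanning tools above build on. It is my own code, not something from the course, the post, or any of the tools named here; the function name `Find-SuspiciousRegions` and the variable names are my choices. It walks one process's address space with `VirtualQueryEx` and flags committed executable memory that is either private (not backed by a file on disk, which is what injected shellcode or a reflectively loaded DLL normally looks like) or RWX. It assumes 64-bit Windows PowerShell.

```powershell
# Added example, not code from the course or this post. Assumes 64-bit
# Windows PowerShell; run it against a process owned by the same user (or
# from an elevated prompt for other users' processes).

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class MemScan
{
    // Sequential layout lets the marshaller insert the x64 padding for us.
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

# Win32 constants (values from winnt.h / memoryapi.h).
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$MEM_COMMIT                = 0x1000
$MEM_PRIVATE               = 0x20000
$PAGE_EXECUTE_READWRITE    = 0x40
$EXECUTE_MASK              = 0xF0   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
$PROTECT_MASK              = 0xFF   # strips PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE

function Find-SuspiciousRegions {
    param([Parameter(Mandatory)][int]$ProcessId)

    $hProc = [MemScan]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess failed for PID $ProcessId (Win32 error $err)"
    }

    $mbiSize  = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([MemScan+MEMORY_BASIC_INFORMATION])
    $addr     = [IntPtr]::Zero
    $findings = @()
    try {
        while ($true) {
            $mbi = New-Object -TypeName 'MemScan+MEMORY_BASIC_INFORMATION'
            $ret = [MemScan]::VirtualQueryEx($hProc, $addr, [ref]$mbi, $mbiSize)
            if ($ret -eq [IntPtr]::Zero) { break }   # walked off the end of user space

            $prot   = $mbi.Protect -band $PROTECT_MASK
            $isExec = ($mbi.State -eq $MEM_COMMIT) -and (($prot -band $EXECUTE_MASK) -ne 0)
            if ($isExec) {
                $reason = $null
                if ($mbi.Type -eq $MEM_PRIVATE)              { $reason = 'executable private memory (not image-backed)' }
                elseif ($prot -eq $PAGE_EXECUTE_READWRITE)   { $reason = 'RWX region' }
                if ($reason) {
                    $findings += [pscustomobject]@{
                        Base    = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64())
                        Size    = $mbi.RegionSize.ToInt64()
                        Protect = ('0x{0:X}' -f $mbi.Protect)
                        Type    = ('0x{0:X}' -f $mbi.Type)
                        Reason  = $reason
                    }
                }
            }
            # Next region starts right after this one.
            $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64())
        }
    } finally {
        [void][MemScan]::CloseHandle($hProc)
    }
    return $findings
}

# Usage: scan the first explorer.exe instance and print what was flagged.
Get-Process -Name explorer | Select-Object -First 1 |
    ForEach-Object { Find-SuspiciousRegions -ProcessId $_.Id } |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, private executable memory is not proof of injection: anything with a JIT (PowerShell and other .NET hosts, browsers, the Java runtime) allocates it legitimately, which is why tools like PE-Sieve go further and compare what is in memory against the module on disk rather than stopping at page protections. Second, this is a snapshot scan, and a Gargoyle-style implant that keeps its code non-executable while it sleeps will simply not be executable memory at the moment you look; catching that requires watching protection changes over time or scanning at the moment the implant wakes.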
Check out the course below and let me know what you think in the comments!