Nov. 29, 2023, 4:10 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

As red teamers, we need an OPSEC-safe method to execute shellcode across a range of initial access vectors. This is getting more and more difficult as Endpoint Detection and Response (EDR) products improve, making it more challenging to get an implant in place.


This post presents a slightly new method for bypassing EDR, based on the technique commonly known as CreateThreadPoolWait. However, instead of using kernel32.dll we will use ntdll.dll.


GitHub: https://github.com/nettitude/Tartarus-TpAllocInject


The loader published above uses the bypass technique …
