cailllev/Decondition-Enumerator

Decondition Enumerator

see https://blog.levi.wiki/post/2025-12-05-decondition-everything

TL;DR: MDE (Microsoft Defender for Endpoint) applies "behaviour tracking" thresholds to some of its detections: once the same behaviour has been observed often enough against harmless targets, the detection no longer fires, even when the behaviour is then repeated against the real target. This allows "deconditioning" attacks:

Direct Deconditioning

with LSASS dumping as an example

  • direct: open lsass and call MiniDumpWriteDump --> block
  • decondition: open any non-critical process and call MiniDumpWriteDump (20x), then open lsass and call MiniDumpWriteDump --> ok

Indirect Deconditioning

with LSASS dumping as an example

  • A.exe opens lsass and calls MiniDumpWriteDump --> block
  • A'.exe (a binary similar to A.exe) deconditions (20x), then opens lsass and calls MiniDumpWriteDump --> ok
  • A.exe opens lsass and calls MiniDumpWriteDump --> ok, i.e. A'.exe deconditioned lsass dumping for all exes similar to A'.exe, or even for ALL exes (TODO verify)

Silo-Binding Behaviour Bypass (Deconditioning)

see https://insomnihack.ch/talks/silo-binding-uncovering-the-ghost-in-the-silo/

  • Invoke-Mimikatz from powershell.exe --> detected by AMSI (as expected)
  • Invoke-Mimikatz from powershell.exe, with the PowerShell process silo-bound to TiWorker.exe --> ignored by AMSI, works (unexpected)

About

some research on EDR deconditioning
