Wild West Hackin' Fest - Deadwood 2024
Thursday October 10, 2024 5:00pm - 5:30pm MDT
This is a dropper/post-exploitation tool targeting Windows machines.

The capabilities it possesses are:
1. Indirect dynamic syscalls
2. SSN and syscall address sorting via a modified TartarusGate approach
3. Remote process injection via APC Early Bird (MITRE ATT&CK TTP: T1055.004)
4. Spawns a sacrificial process as the target process
5. ACG (Arbitrary Code Guard)/BlockDll mitigation policy on the spawned process
6. PPID spoofing (MITRE ATT&CK TTP: T1134.004)
7. API resolving from the TIB (directly via offset: TIB -> TEB -> PEB -> resolve Nt API) (MITRE ATT&CK TTP: T1106)
8. Cursed Nt API hashing
9. If blessed with Admin privilege: disables the Event Log by killing all threads of the responsible svchost.exe, i.e. killing the whole process

Version 2 is upcoming!
It will be released at BlackHat Asia 2024 on 18 April 2024 and has Synthetic Frame Thread Stack Spoofing enabled.

And in the end, I will showcase my tool's demo video, which performs a successful execution of the payload and provides a crystal clear Event Log against a Sophos XDR enabled environment.



Speakers
Soumyanil Biswas

Currently into Security Research. Though I have an electronics background, I have an immense interest in information security. Former Speaker BSides Singapore 2023. Black Hat Asia 2024 Presenter. I'm learning new stuff day in and day out. I'm passionate about offensive security more...

Deadwood Mountain Grand - Track 3 - Hotel Lobby 3rd Floor 1906 Deadwood Mountain Dr, Deadwood, SD
