Turul Implants
Turul Implants are written in C#, leveraging the findings from our ongoing research into our MalwareGAN, which was initially presented in the link below. The thinking has evolved enormously since then:
There are no low-level abuse mechanisms involved: no syscalls and no in-memory shellcode encryption. The implants work, in a currently somewhat naive implementation, by leveraging the mathematical blind spots of these systems.
| Implant Type | E5 Defender | Sophos EDR | CrowdStrike |
|---|---|---|---|
| DLL | ✔ | ✔ | Untested |
| EXE | ✔ | ✔ | Untested |
| XLL | ✔ | ✔ | ✔ |
It is certain that the Turul Implants can bypass more EDRs out of the box, but we have not yet fully tested them against other EDRs, as we do not currently have access to them.
An earlier video shows this against CrowdStrike and E5 ATP in parallel. More videos will follow within the next two weeks showing implant and loader generation and deployment into a virtual machine. Numerous virtual machines will be showcased with whatever EDRs we can get hold of and buy, to present the capability, alongside those that have built-in NDR modules, as E5 ATP does.