Dobin Rutishauser
I fixed the issue, but it could have some improvements:
- use all (?) aliases (currently only first one)
- what exactly should be shown here? Imho a detailed list...
Starting the exe, and then issuing the following command to inject into a notepad.exe:  Results in no more beacons:  When executing the command, a new notepad editor appeared....
`[attachment removed by repository owner]` The debug nimplant.bin I use 1.3: 
Thanks for the detailed answer! It is indeed an interesting question to think about. I would come to a different conclusion tho. Especially as tampering is excluded. The A/U/K level...
> You're maybe missing the `.git` directory?

I have the same issue. What does that mean? In $HOME? Does it need to be empty, or not? Edit: I used the...
That's probably the AV emulator. Avred checks against/with AMSI; there may be more checks being done by the AV when actively on the system. If what you scan is a...
I recommend adding an anti-emulation check to your loader, like the ones from [supermega](https://github.com/dobin/SuperMega/tree/main/data/source/antiemulation). I talked about it in [My first and last shellcode loader](https://docs.google.com/presentation/d/1_gwd0M49ObHZO5JtrkZl1NPwRKXWVRm_zHTDdGqRl3Q/edit?usp=sharing), and in the blog article [how edr works](https://blog.deeb.ch/posts/how-edr-works/).
I don't know what MDE Cloud Protection does, but it's good. It seems to download more IOCs, depending on previous (there is no sending files to the cloud). Avred doesn't care how...
Nice commits! And I was thinking: in the recursive [_scanDataPart()](https://github.com/dobin/avred/blob/main/reducer.py#L90), each case where there are two `_scanDataPart()` invocations (like when both parts are detected) could just do both branches in a...
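As an added illustration of the split-and-scan idea behind such a reducer (this is not avred's code and not the refactor proposed in the comment above): a minimal recursive reducer in which the "both halves detected", "only left" and "only right" cases share one code path, and a detection that straddles the midpoint is retried with shifted split points before the range is reported whole. The scanner, the signature strings and the sample buffer are constructed stand-ins for a real AV verdict.

```python
# Added example: recursive split-and-scan reduction of a detected buffer.
# Not avred's implementation; the scanner and signatures below are constructed.

# Constructed "signatures": any buffer containing one of these is "detected".
SIGNATURES = [b"EVIL_SIG_A", b"EVIL_SIG_B"]


def scanner_detects(data: bytes) -> bool:
    """Stand-in for an AV/AMSI verdict on a byte range."""
    return any(sig in data for sig in SIGNATURES)


def reduce_ranges(data: bytes, start: int, end: int, scan, min_chunk: int = 8):
    """Return the list of (start, end) ranges inside data[start:end] that the
    scanner still flags after recursive halving.

    Both halves are scanned once; whichever halves are detected are recursed
    into through the same loop, so the one-sided and two-sided cases share
    one code path. If neither half is detected on its own, the match
    straddles the split point, so two shifted split points are tried before
    giving up and reporting the whole range."""
    if not scan(data[start:end]):
        return []
    length = end - start
    if length <= min_chunk:
        return [(start, end)]

    mid = start + length // 2
    quarter = max(1, length // 4)
    for split in (mid, mid - quarter, mid + quarter):
        left_hit = scan(data[start:split])
        right_hit = scan(data[split:end])
        if left_hit or right_hit:
            found = []
            for lo, hi, hit in ((start, split, left_hit), (split, end, right_hit)):
                if hit:
                    found += reduce_ranges(data, lo, hi, scan, min_chunk)
            return found
    # No split isolated the detection: it spans every split point we tried.
    return [(start, end)]


def build_sample() -> bytes:
    """Constructed 256-byte buffer with one signature at offset 20 and one at 200."""
    buf = bytearray(b"A" * 256)
    buf[20:30] = b"EVIL_SIG_A"
    buf[200:210] = b"EVIL_SIG_B"
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    for lo, hi in reduce_ranges(SAMPLE, 0, len(SAMPLE), scanner_detects):
        print(f"detected range [{lo}, {hi}): {SAMPLE[lo:hi]!r}")
```

The reducer assumes a detection is local to some byte range; a real engine that combines several weak features spread over the file will produce halves that are both clean, and the straddle fallback then reports a range far larger than any single feature. That is the situation where the emulator or behavioral checks mentioned in the other comments matter more than a byte-level reduction.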
I have the same issue as OP. Using user-ETW (not kernel/system ETW). ImageLoad events (and ImageLoadInfo, ThreadStart, and others) have usermode callstack addresses after the kernel ones. That's how it...