What to expect in the upcoming ZAIUX® Framework release?

July 2024

The new release of ZAIUX Framework brings several enhancements to support your Red-Team during engagements where both commercial and open-source tools may fail.

First, a new Sleep Obfuscation technique, which doesn’t rely on any public method, has been added. This technique relies on “Special” APCs and is capable of evading even the most aggressive memory scanners, including the latest release of Hunt-Sleeping-Beacons by @thefLink.

Hunt-Sleeping-Beacons is an advanced call-stack scanner capable of detecting C2 implants while they sleep in memory under various Sleep-Obfuscation techniques. The author of the tool did great work implementing several IOC checks, including Unbacked Memory, Module Stomping, suspicious usage of APCs, Timers, Return-Address-Spoofing, and so on.

For this reason, Hunt-Sleeping-Beacons has become a nightmare for Red-Teams, which typically deploy a C2 Implant.

ZAIUX Framework’s customers will benefit from the new updates, which will allow them to operate under-the-radar and evade both open-source memory scanners and commercial EDRs.

Here we can see the typical Hunt-Sleeping-Beacons detection output when a suspicious Waitable-Timer is detected:

By switching the Sleep-Obfuscation technique to the “Special” APC method, which can be done on-the-fly, we can see that the detection disappears:

A comprehensive list of the new features, alongside those requested by customers, is presented here:

  • The Team-Server has been completely re-written in Go, allowing for a more robust architecture and the ability to compact the server into a stand-alone executable.
  • The Operator Client, available for both Windows and Linux, has been updated to include more features and improved management capabilities.
  • A new ETW (Userland) bypass technique, which doesn’t rely on byte-patching, hardware-breakpoints or public-known methods, has been added.
  • The ROP and JOP gadgets search algorithm has been updated, making it faster and more reliable.
  • Support for ICMP request and hostname resolution directly from the Implant has been added.
  • The license key verification mechanism and watermarking have been updated to block possible misuse of the software.


Are you interested in seeing a POC of ZAIUX Framework and learning how to elevate the capabilities of your Red Team to the next level?

Reach out to us by sending a request, and we will get back to you to schedule a POC with your team.