BallisKit

@balliskit.bsky.social

BallisKit provides tooling and services to professional Pentesters & Red Teams. We develop MacroPack Pro and ShellcodePack. www.balliskit.com

109 Followers  |  10 Following  |  24 Posts  |  Joined: 18.11.2024  |  1.8202

Latest posts by balliskit.bsky.social on Bluesky


MacroPack new version is out! 🥳
With improved EDR evasion profiles and all kinds of ready-to-use initial access formats and scenarios!

Also now everything can be leveraged with the new BallisKit GUI! 😎

#redteam

03.02.2026 17:25 — 👍 1    🔁 1    💬 0    📌 0

MacOS Redteam 4: Initial Access with AppleScript MacOS is often considered well protected, largely due to Gatekeeper. However, some execution vectors still operate under a different trust…

DarwinOps just leveled up 🚀 Now supports AppleScript (SCPT), a format actively abused for macOS phishing. Plus new Ruby, VSCode, NPM & Homebrew payloads. A true macOS red team Swiss Army knife.

AppleScript initial access guide 👇

blog.balliskit.com/macos-redtea...

22.01.2026 17:00 — 👍 1    🔁 1    💬 0    📌 0

Tutorial: DLL Sideloading and function proxying with ShellcodePack DLL sideloading is a technique that allows an attacker to have a legitimate signed application run some malicious code on Windows. It work…

Tutorial: DLL Sideloading and function proxying with ShellcodePack

BallisKit ShellcodePack version 2.8.0 is available! This version comes with a new GUI, EDR evasion methods as well as enhanced DLL sideloading/hijacking.

You can find the tutorial here:
blog.balliskit.com/tutorial-dll...

07.01.2026 17:07 — 👍 2    🔁 1    💬 0    📌 0

MacOS Redteam 3: Initial Access with DarwinOps PKG State of the art:

PKG is a kind of MacOS MSI equivalent.
It's also used as an initial access payload!
Read how DarwinOps can be used to generate PKG for redteams.
We also included a method to run the PKG without admin privileges
-> Reduced number of clicks!

#redteam

blog.balliskit.com/macos-redtea...

20.11.2025 16:52 — 👍 2    🔁 1    💬 0    📌 0

We are preparing a new version of ShellcodePack!
-> Automated and improved DLL sideloading/proxying capacity
-> AppDomain injection
-> New Responsive GUI!
-> Many more new features

And of course up to date EDR evasion :)

#shellcodepack

19.11.2025 17:14 — 👍 2    🔁 1    💬 0    📌 0

MacroPack v2.8.7 is out!
New GUI & updated EDR evasion! New features include Advanced LNK spoofing, expanded .NET obfuscation, and ML-evasion.
For authorized red-team use!

#RedTeam #offensivesecurity

14.10.2025 16:10 — 👍 3    🔁 2    💬 0    📌 0

MacOS red-team made practical — Objective-C implant for DarwinOps!
Private Mythic C2 implant: lightweight (in-memory shellcode), post-exploitation, EDR & MDM evasion, integrates with DarwinOps + GateKeeper bypass.

Contact us for more details!
#RedTeam #macOS

02.10.2025 16:00 — 👍 2    🔁 2    💬 0    📌 0

The next version of MacroPack is going to be huge! A new GUI, updated EDR bypass profiles, new evasion options, and many other things :)

#redteam

24.09.2025 15:52 — 👍 1    🔁 1    💬 0    📌 0

macOS DYLIB Injection at Scale: Designing a Self-Sufficient Loader Let’s explore Dylib injection and Dylib proxying on macOS (the equivalent of Windows DLL injection)

Binary injection vulnerabilities can be found in many MacOS apps. Those may be abused to bypass EDR, hide a backdoor, access memory, or bypass TCC!

DarwinOps provides
- An advanced injection vulnerability scanner
- A redteam scenario to exploit them

#redteam

blog.balliskit.com/macos-dylib-...

17.09.2025 16:25 — 👍 4    🔁 2    💬 0    📌 0

ShellcodePack 2.7.5 is now available!

It includes updated bypass profiles for major EDRs
We also improved:
- ML detection evasion
- ETW Patch
- CallStack Spoofing

ShellcodePack can be used to weaponize any raw shellcode or PE including DotNET, Go, and Rust :)

#redteam

08.09.2025 16:16 — 👍 3    🔁 1    💬 0    📌 0

Initial Access on MacOS made easy!
DarwinOps now supports DMG phishing profiles!
Those are on shelf realistic templates with Gatekeeper bypass techniques :)

This version also introduces a binary injection vulnerability scanner for MacOS!

#redteam

14.08.2025 15:55 — 👍 2    🔁 1    💬 0    📌 0

MacOS DMG phishing templates are coming in the next DarwinOps release!
Ready to use, configurable, and with new GateKeeper bypass strategies!

#redteam

01.08.2025 14:55 — 👍 2    🔁 1    💬 0    📌 0

We are adding a binary injection vulnerability scanner to DarwinOps!
-> A DarwinOps JXA template
-> Scan for Injection vulnerabilities in binaries and Apps

Vulnerable binaries could be abused to bypass EDR, hide a backdoor, access memory, or bypass TCC!

#redteam

22.07.2025 15:24 — 👍 3    🔁 1    💬 0    📌 0

Obfuscation and weaponization of .NET assemblies using MacroPack For a couple of years now, .NET has been the go-to language for a lot of famous offensive security tools like Rubeus, SeatBelt…

Here is a reminder that a powerful DotNET obfuscator is available in MacroPack. Assembly level obfuscation (of course). With the latest 2.7.5 it supports all your favorite #redteam DotNET tools!
And tested on major EDRs :)

blog.balliskit.com/obfuscation-...

25.06.2025 16:20 — 👍 2    🔁 1    💬 0    📌 0

MacOS security is very different from Windows.
DarwinOps, our redteam tool targeting MacOS can help you tackle that issue!

@antoineds.bsky.social just posted on our blog to help you understand the basics of initial access on MacOS with DarwinOps

#redteam

23.06.2025 16:39 — 👍 2    🔁 1    💬 0    📌 0

Tutorial: Mythic Apollo with BallisKit MacroPack and ShellcodePack Learn how to weaponize Mythic Apollo with BallisKit redteaming tools

New tuto! Weaponize Mythic Apollo using MacroPack and ShellcodePack. Tested on EDRs of course.

blog.balliskit.com/tutorial-myt...

#redteam

06.06.2025 15:13 — 👍 4    🔁 1    💬 0    📌 0

A new version of MacroPack Pro with improved DotNET obfuscator, new shellcode launcher, improved clickonce, and more will be released soon! Also, after Sliver, we are preparing tutorials with Mythic Apollo and Havoc 😎

#redteam

27.05.2025 15:08 — 👍 4    🔁 1    💬 0    📌 0

Rubeus and Mythic Apollo DotNET Payload Obfuscation with MacroPack
YouTube video by Sevagas

Rubeus and Mythic Apollo DotNET Payload Obfuscation with MacroPack!

This video demonstrates the next MacroPack Pro features:
- DotNET obfuscation and evasion
- EDR Bypass ready to use profiles
- Compatibility with Mythic Apollo stager

#redteam

youtu.be/mzuT1MAQSXY

21.05.2025 15:52 — 👍 2    🔁 1    💬 0    📌 0

Tutorial: Sliver C2 with BallisKit MacroPack and ShellcodePack In this tutorial, we are going to see how to drop Sliver implants while evading security solutions using BallisKit tooling for Redteam.

How to weaponize Sliver C2 and evade EDRs?
With BallisKit ShellcodePack and MacroPack of course!
Check out this new tutorial on our blog!

#redteam

blog.balliskit.com/tutorial-sli...

06.05.2025 15:57 — 👍 3    🔁 2    💬 0    📌 0

macOS DYLIB Injection at Scale: Designing a Self-Sufficient Loader Let’s explore Dylib injection and Dylib proxying on macOS (the equivalent of Windows DLL injection)

DLL injection and DLL proxying on macOS? Yes, it is possible! Check out this blog by @antoineds.bsky.social
about macOS automated DYLIB injection!

blog.balliskit.com/macos-dylib-...

#redteam

16.05.2025 12:45 — 👍 2    🔁 1    💬 0    📌 0

When Osascript Goes Undetected: A Look at EDR Network Blind Spots Discover how JXA subprocesses and custom network extensions can silently bypass macOS EDRs by evading audit and PID-based detection.

Bypassing EDRs on MacOS can be a challenge.
In our new blog post, @antoineds.bsky.social describes how EDRs leverage MacOS Network Extension to detect C2s and how to bypass this kind of detection using Mythic Apfell as an example.

#redteam

blog.balliskit.com/when-osascri...

15.04.2025 15:55 — 👍 3    🔁 1    💬 0    📌 0

For us, EDR bypass is not just a buzzword.
MacroPack, ShellcodePack, and DarwinOps all come with bypass presets for major EDRs and Antivirus
Those presets are regularly updated and tested!

If you want to see a demo or an equivalent screenshot for the major EDRs, contact us!

#redteam

03.04.2025 15:47 — 👍 3    🔁 2    💬 0    📌 0

Loading a shellcode from a file/URL with ShellcodePack Shellcode in EXE files can sometimes be detected during static analysis, requiring various kinds of obfuscation to bypass EDRs. This…

Balliskit Evasion Tip 🤖
To help with static analysis detection by EDR,
ShellcodePack implements a method to load a shellcode from a separate file or from a URL

This tutorial explains how to use that option!

#redteam

blog.balliskit.com/loading-a-sh...

20.03.2025 17:18 — 👍 3    🔁 2    💬 0    📌 0

Setup and weaponize Mythic C2 using DarwinOps to target MacOS We’ll look at how to set up Mythic C2 and its Apfell implant on MacOS. We will weaponize that implant to bypass EDRs using BallisKit…

Redteaming on MacOS is hard... But BallisKit can help you!
You can use DarwinOps to weaponize a Mythic C2 implant for MacOS and bypass EDRs!
Check out this blog post by @antoinedss

#redteam

blog.balliskit.com/setup-and-we...

06.03.2025 17:05 — 👍 3    🔁 1    💬 0    📌 0

Obfuscate SharpHound? It's now possible with MacroPack. A version of MacroPack Pro was just released to improve our DotNET obfuscator!
We now support packages built with tools like Costura!
We tested we could obfuscate SharpHound, KrbRelay, and Mythic Apollo agent

03.03.2025 16:54 — 👍 2    🔁 1    💬 0    📌 0

Obfuscation and weaponization of .NET assemblies using MacroPack For a couple of years now, .NET has been the go-to language for a lot of famous offensive security tools like Rubeus, SeatBelt…

You need to run Rubeus, Seatbelt, or another .NET tool on an EDR protected machine?
Well, with the new version, MacroPack Pro is now also a powerful assembly obfuscation/weaponization tool! 😎

We wrote a tutorial about that here:
blog.balliskit.com/obfuscation-...

17.02.2025 16:32 — 👍 3    🔁 2    💬 0    📌 0

DLL Hijacking using ShellcodePack Here is a little tutorial to perform some DLL Hijacking with BallisKit ShellcodePack (version 2.7.2 and above).

We updated our "DLL Hijacking with ShellcodePack" tutorial following the release of version 2.7.2 😎

blog.balliskit.com/dll-hijackin...

13.02.2025 17:34 — 👍 1    🔁 1    💬 0    📌 0

Did you know ShellcodePack can be used to pack and weaponize third party exe, dll, .NET in addition to raw shellcodes?
Example with Mimikatz!
#redteam

07.02.2025 17:11 — 👍 2    🔁 1    💬 0    📌 0

OFFENSIVEX Hacking Conference 2024 - Emeric Nasi
YouTube video by Offensive X

The video for my Advance Initial Access talk at Offensive X last year is available!
#redteam

Watch the talk here:
youtu.be/bA2p27gQK4M?...

23.01.2025 16:15 — 👍 1    🔁 1    💬 1    📌 0
