Prakash Yadav: Ethical Hacker - Red Team Specialist

Prakash Yadav is an ethical hacker and red team specialist with skills in offensive security, malware analysis, and tool development. He has experience developing command and control frameworks and custom loaders to bypass antivirus detection, and has analyzed malware samples like Emotet, Guloader, and Trickbot. He currently works on open source projects and tools focused on offensive security techniques like API resolution and evasion of antivirus hooks.

PRAKASH YADAV

Ethical Hacker | Red Team Specialist


Website | LinkedIn | +91-8879315257 | [email protected]

Technical Skills

• Ability to understand and develop complex malware payloads and offensive security tools
• Extract TTPs from malware samples and use them to create custom malware payloads for attack simulation
• Understanding of the internals of modern antivirus and EDR products, such as behavioral detection, memory scanning and kernel callbacks
• Knowledge of EDR/AV evasion techniques
• Practical knowledge of MITRE ATT&CK and the Cyber Kill Chain for mapping cyber attacks
• Experience using C2 frameworks for post-exploitation activity and payload generation
• Perform in-depth malware analysis using static and dynamic methods
• Write basic Python scripts for automation and tooling

Programming Languages and Tools

• Programming: C, Assembly, Python (basic level)
• C2 Frameworks: Metasploit, Sliver
• Tools: x64dbg, WinDbg, Ghidra, DnSpy, Process Hacker, Wireshark, Nmap

Project Experience
Offensive Security

Tool: Morpher (ongoing)

• A command-line tool to automatically backdoor executables and inject loaders and payloads with AV evasion capability.
• Runtime tracing of the target executable is being implemented to determine the injection point.
• It will include a metamorphic engine that changes the loader at the byte level every time a new payload is created.

Tool: Command and control framework (ongoing)

• Demo 1
  o Demonstrates the capability to bypass Comodo Next-Generation Antivirus
  o Implemented API unhooking to remove AV hooks on ntdll APIs
  o Used self-injection instead of process injection to circumvent the restriction on remote memory allocation
• Demo 2
  o Demonstrates the capability to bypass Windows Defender with cloud-enabled protection
  o Used a unique payload decryption technique in which the payload is decrypted just before execution, preventing detection by memory scanning during thread creation
• Demo 3
  o Demonstrates the runtime AV testing capability of the C&C using custom process injection commands
• Notable features implemented in the tool
  o Reflective DLL loading for the implant
  o Runtime decryption of uploaded payloads to prevent detection by memory scanning
  o File download and upload, with an option to execute 3rd-stage payloads locally or in a remote process
  o Command to detect API hooks implemented by AV/EDR
  o Unhook command to remove ntdll API hooks implemented by AV/EDR
  o Ability to use Win32 APIs, native APIs or direct syscalls for many commands at runtime

Open Source: Custom GetProcAddress and GetModuleHandle implementation (Link) 12/23-12/23

• An open-source project providing a custom implementation of the Windows API functions GetProcAddress and GetModuleHandle for offensive security purposes such as AV/EDR bypass.
• Implemented dynamic API address resolution at runtime and DLL address retrieval from memory without using any Windows APIs
• Designed the project with a focus on flexibility, allowing users to easily integrate it into their own red teaming projects

Write-up: Implementing custom malware loader (Link) 03/23-03/23

• The write-up details the implementation of a custom malware loader that runs a 2nd-stage payload to test the detection capabilities of endpoint protection.
• Developed a 2-stage malware consisting of a custom stage 1 loader that deploys a stage 2 payload
• Used Windows APIs to retrieve encrypted payloads from the resource section, preventing payload detection by antivirus

Write-up: Retrieving native API address and syscall IDs at runtime (Link) 12/22-12/22

• The write-up gives a clear and detailed explanation of how to retrieve API addresses dynamically from memory at runtime, illustrating the evasive capabilities of modern malware.
• Researched the internal data structures of the Windows operating system to understand how to enumerate and retrieve information about DLLs mapped in process memory
• Programmed shellcode for dynamic API address resolution by parsing PE headers in memory at runtime

Malware Reverse Engineering

Bumblebee malware analysis (Link) 8/22-8/22

• Analyzed and explained the inline API hooking mechanism used by the malware to avoid analysis and hide suspicious activity
• Provided details of the unique anti-debugging functionality implemented in the malware

Emotet malware analysis (Link) 3/22-4/22

• Reverse engineered the code used to resolve API addresses dynamically
• Explained in detail the mechanism used to encrypt exfiltrated data

Guloader malware analysis (Link) 2/22-3/22

• Performed code analysis to extract the various anti-debugging and anti-VM functionalities
• Provided details about the shellcode injection technique used by the malware to execute the final payload

Trickbot malware analysis (Link) 1/22-2/22

• Reverse engineered obfuscated VBA code and batch file code
• Performed dynamic analysis of the final DLL payload to extract network-based and host-based IOCs
• Listed MITRE ATT&CK TTPs for creating detections

Work History

Python Developer for Data Science, HL Investrade
Mumbai, India | 12/16-02/17

• Achieved a significant reduction in data size by implementing a dimensionality reduction algorithm in Python on financial data
• Led team members in incorporating object-oriented design principles into the implementation of machine learning algorithms

Education

Bachelor's in Information Technology, University of Pune
Pune, India | 02/12-06/16

Languages

English: Advanced
German: B2
Hindi: Fluent
