Progolue:
Up to now few days I have been experimenting with the AppDomain supervisor injection approach had a good success with it in my earlier Purple Group engagements in opposition to sure EDRs. Though, that is actually good for preliminary entry vector, I wished to launch a POC which is able to assist hiding your shellcode elsewhere. No extra shellcode embedded DLL recordsdata!
The Drawback!
Though it is a superb approach when used independently, however when coupled with a supply approach like sending a C# ClickOnce inside an ISO/ZIP/VHD/VHDX file. The actual drawback is 1 out of 10 occasions the DLL for the appdomain was detected by AI/ML heurestics of the AV/EDR. It’s because the DLL file must be dropped on the disk earlier than initializing the appdomain. Ignoring the distant DLL masses in the intervening time (UNC paths in .config), the DLL for the appdomain would comprise the shellcode and I strongly felt that’s the reason for a possible static detection, as a result of the remainder of the code which is WINAPI calls will be dynamically resolved and fairly properly obfuscated.
I wished to boost this system when it comes to minimizing what the DLL would initially maintain. I began by dropping encrypted shellcode in a separate file on disk together with the injector DLL however then I got here throughout this superb weblog from Checkpoint on Zloader’s Marketing campaign
TLDR model: We are able to embed arbitrary information into some fields throughout the PE in a method that will not break the recordsdata Signature. So our information will get embedded and the exe will nonetheless stay digitally signed.
Extra information on this – https://www.blackhat.com/docs/us-16/supplies/us-16-Nipravsky-Certificates-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf
So the concept is to embed an encrypted shellcode stub right into a recognized signed executable and nonetheless handle to maintain it signed like how the Zloader malware did. By doing so the AppDomain Supervisor DLL will not comprise the shellcode inside itself, however will simply have the logic to parse the shellcode from the PE binary that masses it to decrypt and execute as a seperate thread. Doing this would possibly lower the static detection charge for the DLL whereas your shellcode is properly positioned inside a signed binary.
I used to be making an attempt to attain this by manually tampering with the ZLoader samples I received from VirusTotal, however later discovered a few undertaking which had already carried out all of those strategies fairly properly – Sigflip. On this POC I leveraged Sigflip’s loader code to construct the AppDomain DLL and SigFlip injector to embed the encrypted shellcode into our C# exe.
Benefits:
Giant blobs of shellcode like Cobalt Strike’s Stageless shellcode will not reside on an unsigned DLL on disk, no matter the obfuscation / encoding strategies used. The DLL is cleaner, smaller and stealthier with minimal code thereby decreasing the modifications of detection.
Working
Steps to construct Signed Shellcode Executable
- Decide any x64 Signed C# binary of your alternative, a binary inside which you desire to cobalt strike beacon to reside and execute: E.g.: CasPol.exe and many others.
- Generate your Cobalt Strike Stageless Shellcode – x64-stageless.bin
- Place each of them right into a folder the place SigFlip can also be current and run the under command:
SigFlip.exe -i "Z:ZLoaderCasPol.exe" "Z:ZLoaderx64-stageless.bin" "Z:ZLoaderupdate.exe" "S3cretK3y"
- Due to SigFlip now you have got a (home windows signed?) binary named
replace.exe
which can be a digitally signed PE with encrypted shellcode embedded in it.
Steps to construct the AppDomain Loader DLL
- Take the C# Template Code from right here
- Change your encryption secret key with the one you selected whereas operating SigFlip at Line:163 (you might need to regulate just a few bytes to verify in case your CS shellcode is correctly decrypted)
- Change with the binary path at Line:146
- Change the log file paths in traces: 158,165
- Compile the code as DLL utilizing the next command –
csc /goal:library /out:take a look at.dll take a look at.cs
- Place the compiled DLL and the replace.exe.config file in identical folder the place your signed shellcode exe was positioned.
- Execute replace.exe.
Conslusion:
This POC is simply an thought I had in thoughts to membership two completely completely different protection evasive strategies collectively that will assist me and different Purple Teamers in constructing higher preliminary execution payloads for his or her operations. This undertaking makes use of AppDomain Supervisor Injection for example, however this concept is relevant for different injection strategies as properly like – DLL SideLoading, DLL Hijacking and many others
Full Credit to med0x2e, this POC is constructed primarily based on his SigFlip Mission