Loader basics

Loader opsec quick reference

Disk artifacts

  • When dropping binaries to disk

    • Code signing

      • Fake signature (LimeLighter, sigthief)

    • Convincing file properties

      • Copyright info

      • Date and time

      • File name

    • Encrypt any malicious code

Execution techniques

  • CreateRemoteThread

    • Remote injection - beacon lives in another process

    • Can blend in, but remember to spoof the thread start address. Otherwise the thread will show a start address of 0x0

      • You can hook an NTDLL function, as DripLoader does, to create a thread with a nice-looking thread start. However, the private bytes of the process will then show NTDLL modifications.

    • Memory page will NOT be module backed

  • Early bird

    • Remote injection - beacon lives in another process

    • Evades DLL userland hooks

    • Memory page will NOT be module backed

  • Thread hijack

    • Remote injection - beacon lives in another process

    • The thread is completely normal at creation time, prior to the hijack - memory scanners like to scan at create time

    • Memory page will NOT be module backed

  • Local exec

    • Beacon will live in local process - may be good or bad depending on context

    • No remote process access

    • Memory page MAY be module backed (if you are running from a module on disk, e.g. an EXE or DLL, it will be)

    • Generally less suspicious than remote injection

  • Hollowing variants - run PE in memory

    • Standard hollowing

      • PE image will be of type MEM_COMMIT - not normal

    • Doppelganging

      • PE image will be of type MEM_IMAGE - normal

      • Uses TxF (Transactional NTFS)

    • Transacted Hollowing/Phantom DLL hollowing

      • PE image will be of type MEM_IMAGE - normal

      • Uses TxF (Transactional NTFS)

      • Hybrid of doppelganging and standard hollowing

  • Reflective DLL injection

    • Easy to develop the payload - no need for actual shellcode

    • IAT hooks can be applied to the reflective DLL instead - stealthier than hooking the loaded copy of NTDLL/Kernel32
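The artifacts listed above (a 0x0 or non-module-backed thread start address, executable pages that are not MEM_IMAGE) are exactly what a memory scanner keys on. As an added example, not from the original page, the following triage logic applies those checks to a process snapshot; the snapshot itself is constructed, and on a live host the same data would come from VirtualQueryEx and NtQueryInformationThread.

```python
# Added example: memory-scanner style triage of the thread and page artifacts
# listed above. Snapshot data is constructed; on a live host it would come from
# VirtualQueryEx and NtQueryInformationThread(ThreadQuerySetWin32StartAddress).
from dataclasses import dataclass
from typing import List, Optional

# winnt.h memory type and page protection constants
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # the PAGE_EXECUTE* family

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    mem_type: int
    protect: int
    mapped_file: Optional[str] = None  # backing module, only for MEM_IMAGE

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def triage_thread(regions: List[Region], start: int) -> List[str]:
    """Findings for one thread's Win32 start address."""
    if start == 0:
        return ["start address 0x0 (unspoofed remote thread)"]
    region = next((r for r in regions if r.contains(start)), None)
    if region is None:
        return ["start address in unmapped memory"]
    if region.mem_type != MEM_IMAGE:
        return [f"start address not module-backed (type 0x{region.mem_type:x})"]
    # A start address spoofed into a real module passes this check; the notes
    # above point at modified private bytes in ntdll as the remaining artifact.
    return []

def triage_regions(regions: List[Region]) -> List[Region]:
    """Executable memory with no image on disk behind it (e.g. a hollowed PE)."""
    return [r for r in regions
            if r.protect in EXEC_PROTECTIONS and r.mem_type != MEM_IMAGE]

# Constructed snapshot: host EXE, ntdll, one private RWX blob, one heap block.
SNAPSHOT = [
    Region(0x00400000, 0x20000, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\System32\notepad.exe"),
    Region(0x7FF800000000, 0x1F0000, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\System32\ntdll.dll"),
    Region(0x1A2B0000, 0x10000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),
    Region(0x2C000000, 0x8000, MEM_PRIVATE, PAGE_READWRITE),
]
THREADS = {1001: 0x7FF800012345, 1002: 0x1A2B0040, 1003: 0x0, 1004: 0x00401000}
```

Threads 1001 and 1004 start inside image-backed modules and come back clean (the local-exec case above), while 1002 and 1003 and the private RWX region are flagged.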

-- TO BE CONTINUED --
