Loader basics

Loader opsec quick reference


Last updated 2 years ago

Disk artifacts

  • When dropping binaries to disk

    • Code Signing

    • Fake signature (LimeLighter, sigthief)

    • Convincing file properties

    • Copyright info

    • Date and time

    • File name

    • Encrypt any malicious code

Execution techniques

  • CreateRemoteThread

    • Remote injection - beacon lives in another process

    • Can blend in, but remember to spoof the thread start address; otherwise it will show a 0x0 thread start address

      • You can hook an NTDLL function like in to create a thread with a nice-looking thread start. However, private bytes will show the NTDLL modifications.

    • Memory page will NOT be module backed

  • Early bird

    • Remote injection - beacon lives in another process

    • Evades DLL userland hooks

    • Memory page will NOT be module backed

  • Thread hijack

    • Remote injection - beacon lives in another process

    • The thread will be completely normal at creation, prior to the hijack; memory scanners like to scan at create time

    • Memory page will NOT be module backed

  • Module stomping

  • Local exec

    • Beacon will live in local process - may be good or bad depending on context

    • No remote process access

    • Memory page MAY be module backed (if you are running from a module on disk, e.g. an EXE or DLL, it will be)

    • Generally less suspicious than remote injection

  • Hollowing variants - run PE in memory

    • Standard hollowing

      • The PE image will be of type MEM_COMMIT, which is not normal

    • Doppelganging

      • The PE image will be of type MEM_IMAGE, which is normal

      • Uses TxF (Transactional NTFS)

    • Transacted Hollowing/Phantom DLL hollowing

      • The PE image will be of type MEM_IMAGE, which is normal

      • Uses TxF (Transactional NTFS)

      • Hybrid of doppelganging and standard hollowing

  • Reflective DLL injection

    • Easy to develop the payload: no need for actual shellcode

    • IAT hooks can be applied to the reflective DLL instead, which is stealthier than hooking the loaded copy of NTDLL/Kernel32
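
As a defender's counterpart to the indicators listed above, here is an added example (not code from the original page) that applies the "not module backed" and "thread start address 0x0" checks to a snapshot of a process's memory regions and threads. The snapshot data and the Region field names are constructed assumptions; on a live system they would come from VirtualQueryEx, GetMappedFileName and a thread start address query.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants from winnt.h (Type and Protect fields of MEMORY_BASIC_INFORMATION)
MEM_IMAGE, MEM_PRIVATE = 0x1000000, 0x20000
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

@dataclass
class Region:
    base: int
    size: int
    type: int              # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    protect: int           # PAGE_* protection
    module: Optional[str]  # backing file; None when the region is not module backed

def region_findings(regions: List[Region]) -> List[Tuple[int, str]]:
    """Executable memory that is not module backed: the artifact the remote
    injection techniques above leave behind (a committed private region, not an image)."""
    return [(r.base, "executable region not module backed")
            for r in regions if r.protect & PAGE_EXECUTE_ANY and r.module is None]

def thread_findings(threads: List[Tuple[int, int]], regions: List[Region]) -> List[Tuple[int, str]]:
    """Threads whose start address is 0x0 or falls outside module-backed memory."""
    out = []
    for tid, start in threads:
        if start == 0:
            out.append((tid, "thread start address is 0x0"))
            continue
        owner = next((r for r in regions if r.base <= start < r.base + r.size), None)
        if owner is None or owner.module is None:
            out.append((tid, "thread start outside module-backed memory"))
    return out

# Constructed snapshot standing in for VirtualQueryEx / GetMappedFileName / thread queries.
SAMPLE_REGIONS = [
    Region(0x7FF6A0000000, 0x1000, MEM_IMAGE, 0x02, r"C:\Windows\explorer.exe"),   # headers
    Region(0x7FF6A0001000, 0x80000, MEM_IMAGE, 0x20, r"C:\Windows\explorer.exe"),  # .text
    Region(0x1F3A0000, 0x40000, MEM_PRIVATE, 0x40, None),  # RWX private: injected code
    Region(0x1F400000, 0x10000, MEM_PRIVATE, 0x04, None),  # RW private: ordinary heap
]
SAMPLE_THREADS = [  # (tid, start address) pairs
    (1234, 0x7FF6A0012345),  # normal: starts inside explorer.exe .text
    (1235, 0x1F3A0040),      # starts in the private RWX region
    (1236, 0x0),             # start address reported as 0x0
]

if __name__ == "__main__":
    for key, why in region_findings(SAMPLE_REGIONS) + thread_findings(SAMPLE_THREADS, SAMPLE_REGIONS):
        print(hex(key), why)
```

The RW heap region and the thread starting in explorer.exe's .text section are left alone, which is the local-exec baseline the list above describes.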

-- TO BE CONTINUED --

  • DripLoader
  • https://github.com/slaeryan/DetectCobaltStomp