Weaponization

Stage either the shellcode, the decryption key or both
- Lets you prevent execution
- Can be used to "kill" a stager effectively
- Maybe manual approval for staging and execution
Environmental keying where possible
- Control where your payload can land - not sandboxes
Set kill dates - end of engagement or whenever you will no longer need them. Might prevent it from executing in automated sandboxes if discovered in the future, also good practice to not leave live malware on client networks

Make each disk artifact unique - polymorphic encoders e.g. SGN and randomize certain elements between binaries e.g. decryption key, filename, shellcode padding etc.
- Consider automating this process
- Can be linked to staging and phishing infra
- Prevents IR from just searching for the hash/filename of an artifact across the entire organization
If you can, sign your binaries. If not, try to sideload into a well known but unsigned process
- Sideloading unsigned DLLs into signed processes might trigger an alert on unsigned DLL load
- Querying for unsigned binaries is a common practice
Don't sideload into System32 built-ins
- These are well known
- Their intended DLL load location is usually C:\Windows\System32 - yours will stick out
- MDE/ATP has built-in detections to catch these
- Instead consider sideloading into less common apps you mind find on the box, or bringing your own sideload target

Last updated 2 years ago

Stage either the shellcode, the decryption key or both
- Lets you prevent execution
- Can be used to "kill" a stager effectively
- Maybe manual approval for staging and execution
Environmental keying where possible
- Control where your payload can land - not sandboxes
Set kill dates - end of engagement or whenever you will no longer need them. Might prevent it from executing in automated sandboxes if discovered in the future, also good practice to not leave live malware on client networks

Make each disk artifact unique - polymorphic encoders e.g. SGN and randomize certain elements between binaries e.g. decryption key, filename, shellcode padding etc.
- Consider automating this process
- Can be linked to staging and phishing infra
- Prevents IR from just searching for the hash/filename of an artifact across the entire organization
If you can, sign your binaries. If not, try to sideload into a well known but unsigned process
- Sideloading unsigned DLLs into signed processes might trigger an alert on unsigned DLL load
- Querying for unsigned binaries is a common practice
Don't sideload into System32 built-ins
- These are well known
- Their intended DLL load location is usually C:\Windows\System32 - yours will stick out
- MDE/ATP has built-in detections to catch these
- Instead consider sideloading into less common apps you mind find on the box, or bringing your own sideload target

Last updated 2 years ago