Weaponization

Hinder analysis

  • Stage either the shellcode, the decryption key or both

    • Lets you prevent execution

    • Can be used to "kill" a stager effectively

    • Maybe manual approval for staging and execution

  • Environmental keying where possible

    • Control where your payload can land, and keep it from running in sandboxes

  • Set kill dates: the end of the engagement, or whenever you will no longer need the payload. This may stop it from executing in automated sandboxes if it is discovered later, and it is good practice not to leave live malware on client networks

Hinder detection and response

  • Make each disk artifact unique - polymorphic encoders e.g. SGN and randomize certain elements between binaries e.g. decryption key, filename, shellcode padding etc.

    • Consider automating this process

    • Can be linked to staging and phishing infra

    • Prevents IR from just searching for the hash/filename of an artifact across the entire organization

  • If you can, sign your binaries. If not, try to sideload into a well known but unsigned process

    • Sideloading unsigned DLLs into signed processes might trigger an alert on unsigned DLL load

    • Querying for unsigned binaries is a common practice

  • Don't sideload into System32 built-ins

    • These are well known

    • Their intended DLL load location is usually C:\Windows\System32 - yours will stick out

    • MDE/ATP has built-in detections to catch these

    • Instead, consider sideloading into less common apps you might find on the box, or bringing your own sideload target
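Example detection logic from the defender's side, added here and not part of the original page or any vendor product: it scans constructed Sysmon-style Event ID 7 (image load) records for the two patterns this section says get noticed, a System32 built-in loading a DLL from outside its normal directory, and an unsigned DLL loaded from a non-system path. Field names follow Sysmon's Image/ImageLoaded/Signed; the executable, DLL and directory names in the sample are invented.

```python
import json
from pathlib import PureWindowsPath

# Directories where Windows built-in executables legitimately resolve their DLLs.
TRUSTED_DLL_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")]
# Executables living here are treated as "System32 built-ins" for rule 1.
BUILTIN_EXE_DIRS = TRUSTED_DLL_DIRS[:2]


def _under(path: str, roots) -> bool:
    """True if `path` lies below any directory in `roots` (case-insensitive)."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in roots)


def classify_image_load(event: dict):
    """Return a finding string for one Sysmon Event ID 7 record, or None."""
    exe, dll = event["Image"], event["ImageLoaded"]
    signed = str(event.get("Signed", "false")).lower() == "true"
    if _under(exe, BUILTIN_EXE_DIRS) and not _under(dll, TRUSTED_DLL_DIRS):
        # Rule 1: a built-in pulling a DLL from somewhere other than its usual load path.
        return f"SIDELOAD_BUILTIN {PureWindowsPath(exe).name} <- {dll}"
    if not signed and not _under(dll, TRUSTED_DLL_DIRS):
        # Rule 2: unsigned module loaded from a non-system directory.
        return f"UNSIGNED_LOAD {PureWindowsPath(exe).name} <- {dll}"
    return None


def scan(lines):
    """Parse JSON-lines image-load events and return every finding in order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify_image_load(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real events): a benign load with odd casing,
# a built-in resolving a DLL from a user-writable folder, and an unsigned
# plugin loaded by a third-party application.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"c:\windows\system32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\example.exe",
     "ImageLoaded": r"C:\Users\Public\Staging\helper.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\plugin.dll", "Signed": "false"},
)]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```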

Last updated 2 years ago