frostbyte: combines different defense evasion techniques to build better redteam payloads
In the past few days, I’ve been experimenting with the AppDomain manager injection technique and had decent success with it in my previous Red Team engagements against certain EDRs. Although this is really good for the initial access vector, I wanted to release a POC which will help hiding your shellcode elsewhere. No more shellcode embedded DLL files!
Although it is an excellent technique when used independently when coupled with a delivery technique like sending a C# ClickOnce inside an ISO/ZIP/VHD/VHDX file. The real problem is that 1 out of 10 times the DLL for the appdomain was detected by AI/ML heuristics of the AV/EDR. This is because the DLL file needs to be dropped on the disk before initializing the appdomain. Ignoring the remote DLL loads for the time being (UNC paths in .config), the DLL for the appdomain would contain the shellcode and I strongly felt that is the reason for a probable static detection because the rest of the code which is WINAPI calls can be dynamically resolved and pretty well obfuscated.
I wanted to enhance this technique in terms of minimizing what the DLL would initially hold. I started by dropping encrypted shellcode in a separate file on disk along with the injector DLL but then I came across this amazing blog from Checkpoint on Zloader’s Campaign
TLDR version: We can embed arbitrary data into some fields within the PE in a way that would not break the files Signature. So our data will get embedded and the exe will still remain digitally signed.
More info on this.
So the idea is to embed an encrypted shellcode stub into a known signed executable and still manage to keep it signed like how the Zloader malware did. By doing so the AppDomain Manager DLL will no longer contain the shellcode within itself, but will just have the logic to parse the shellcode from the PE binary that loads it to decrypt and execute as a seperate thread. Doing this might decrease the static detection rate for the DLL while your shellcode is nicely placed inside a signed binary.
I was trying to achieve this by manually tampering with the ZLoader samples I got from VirusTotal, but later found about a project which had already implemented all of these techniques pretty well – Sigflip. In this POC I leveraged Sigflip’s loader code to build the AppDomain DLL and SigFlip injector to embed the encrypted shellcode into our C# exe.
Large blobs of shellcode like Cobalt Strike’s Stageless shellcode will no longer reside on an unsigned DLL on disk, irrespective of the obfuscation/encoding techniques used. The DLL is cleaner, smaller, and stealthier with minimal code thereby reducing the changes of detection.