
11. Moritz Laurin Thomas: Hiding Payloads in Plain .text

x33fcon

This is not "yet another payload obfuscation" talk but the story of how we found an intriguing way to hide stageless payloads and eventually evaded some sophisticated EDRs we faced. We'll cover some topics like x86-64 ASM (superficially), PECOFF, binary Shannon entropy and bin-rev. Also, live-demos!
Sometimes we just can't afford the luxury of staging our C2 payloads but need to bring them along as part of the initial payload we deliver. This can become quite the challenge as modern AVs and EDRs feature some pretty sophisticated static and dynamic analysis strategies. One strategy, detection of high file entropy, proved to be an unexpected but annoying challenge we needed to overcome during an assessment. The specific EDR we faced just wouldn't let our binaries pass - so we went to find a solution.
In this talk, they'll tell the story of the journey to solving this problem:
- explaining what Shannon entropy is, how it's used by EDRs and how it can be countered,
- dissecting the PECOFF format to try and find some cozy places for shellcode to hide,
- looking into the contents of .text sections (x86-64 ASM) and how secrets can be hidden there,
- writing a tool that transforms a payload into something that looks benign and features low entropy,
- dissecting the generated, seemingly benign binary in Ghidra, and
- drawing conclusions about the approach.
They'll also open-source the above-mentioned tool so you can look into it yourself! Also, there will be live demos!
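The abstract's first bullet, Shannon entropy as an EDR signal, is worth seeing in code from the detection side. The following is an added example, not code from the talk or its tool: it computes the byte-level Shannon entropy of a buffer, then slides a window over the buffer to find high-entropy regions. The sample input is constructed inline: a low-entropy filler of four repeated opcode-like bytes (standing in for ordinary .text) with a maximum-entropy block (every byte value equally often, standing in for an encrypted payload) embedded in the middle. The point it demonstrates is the caveat a defender wants: whole-file entropy is diluted by surrounding low-entropy data and stays well under a typical threshold, while a windowed scan still isolates the embedded block. The threshold, window and step values are assumptions chosen for this example, not values from the talk.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 512, step: int = 128) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size window starting at offsets 0, step, 2*step, ..."""
    last_start = max(0, len(data) - window)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last_start + 1, step)]


def high_entropy_regions(data: bytes, threshold: float = 7.0,
                         window: int = 512, step: int = 128) -> List[int]:
    """Offsets of windows whose entropy reaches the threshold (assumed value, not the talk's)."""
    return [off for off, h in windowed_entropy(data, window, step) if h >= threshold]


# Constructed sample: four opcode-like bytes repeated (entropy exactly 2.0 bits/byte)
# surround a block containing every byte value exactly four times (entropy exactly 8.0).
FILLER = b"\x48\x89\xe5\x90" * 200          # 800 bytes of "ordinary code"
PAYLOAD = bytes(range(256)) * 4             # 1024 bytes standing in for an encrypted blob
SAMPLE = FILLER + PAYLOAD + FILLER          # payload occupies offsets 800..1823


def whole_file_verdict(data: bytes, threshold: float = 7.0) -> bool:
    """Naive check: does the entropy of the entire buffer reach the threshold?"""
    return shannon_entropy(data) >= threshold


def windowed_verdict(data: bytes, threshold: float = 7.0) -> bool:
    """Windowed check: does any window reach the threshold?"""
    return bool(high_entropy_regions(data, threshold))


if __name__ == "__main__":
    print(f"filler entropy : {shannon_entropy(FILLER):.3f}")
    print(f"payload entropy: {shannon_entropy(PAYLOAD):.3f}")
    print(f"whole-file entropy: {shannon_entropy(SAMPLE):.3f} -> flagged: {whole_file_verdict(SAMPLE)}")
    print(f"high-entropy windows at offsets: {high_entropy_regions(SAMPLE)}")
    print(f"windowed verdict: {windowed_verdict(SAMPLE)}")
```

The whole-buffer figure lands around 5.3 bits per byte, comfortably below the assumed 7.0 threshold, because the 1600 filler bytes dominate the distribution; the windows that sit entirely inside the embedded block score 8.0 and are flagged. This is why a per-section or sliding-window measurement is a more robust signal than a single file-level number, and also why the padding and transformation tricks the talk describes target the local statistics of .text rather than only the global figure.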

Published: 7 Sep 2024

Comments: 2
@user-bc4gp4nr5v
@user-bc4gp4nr5v, a month ago
fire talk
@soumyanilbiswas_reveng007
@soumyanilbiswas_reveng007, 18 days ago
time 7:30 : Shellcode Entropy value