In this increasingly interconnected world, keeping up with a constantly evolving threat landscape is critical and complex. Cyber threat actors continuously refine their tools and tactics to gain access to and exploit their victims’ environments, forcing network defenders into a perpetual state of reactivity. Today, defenders must not only match the dynamic, innovative level of tradecraft exerted by their attackers—but stay one step ahead.
In this series, we’ll share threat intelligence techniques for uncovering malicious cyber activity in a network environment and detecting cyber threat actors in the early stages of operations. As we walk through several techniques, insights from our seasoned team provide concrete steps that network defenders, red teams, and other cybersecurity professionals can take to further protect their organizations.
Metasploit is an open-source penetration testing framework that provides a one-stop shop for the development, delivery, and execution of software exploits and other malicious payloads. The framework is a favorite among penetration testers and cyber threat actors, and is employed by some of the most sophisticated cybercriminal and state-sponsored actors.
Since Metasploit is used for both legitimate and malicious purposes, it's important that cybersecurity professionals—both those who defend networks and those who test their security—understand how it works. Network defenders need to understand how to detect the tools on the wire and on a host, and penetration testers need to understand how to use the tools to maximum effect and how to modify them so that they slip past their network-defending counterparts.
Writing rules to detect the generic presence of shellcode is often a great way to find new, undiscovered payloads and exploits, but getting a payload to execute on a victim’s machine is not as trivial as calling exec(). When using shellcode, there are several steps authors must accomplish to successfully execute their payload:
In this series, we’ll explain these different stages in detail, provide samples and signatures for blue teams, and give advice for red teams on how to make the payload more resistant to signatures.
Many of the methods that we’ll discuss have been around for a long time and continue to prove reliable in the detection of new weaponized payloads. We hope that this series can help consolidate knowledge around shellcode and encoders to broaden understanding in the industry amongst defenders.
Metasploit and antivirus (AV) vendors have a cat-and-mouse relationship, but the framework’s encoders—and encoders in general—are typically not designed to allow payloads to bypass AV. Although encoders may be useful for bypassing trivial detection signatures, their primary use is to modify payloads so that they can be paired with an exploit.
In most cases, encoders are used to remove bad characters that would break an exploit if they were left in the payload (e.g., spaces and tabs). When a payload is encoded, attackers force scanners to be reactive: the scanner must either carry signatures for the encoder's decoder block or emulate the decoder to recover the original bytes. Multiple malware families often use the same encoder on shellcode or payloads, so writing signatures for these common encoders helps network defenders quickly detect and analyze multiple malware families at once.
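The following script is an added illustration written for this post; it is not Booz Allen's code and does not model any real Metasploit encoder. It shows the two points above on constructed data: a bad-character check of the kind that forces authors to encode a payload in the first place, and a toy single-byte XOR "encoder" with a constant, made-up decoder stub, used to demonstrate why a signature on the raw payload bytes stops matching after encoding while a signature on the stub that the encoder prepends unchanged matches every payload it produces. The stub bytes, the payloads and the bad-character set are all constructed placeholders.

```python
"""Added example (not from the original post): bad-character checking and
signature matching on a constant decoder stub.

Everything below is constructed: TOY_STUB is a made-up placeholder, not a real
decoder, and the XOR step is a toy stand-in for an encoder."""

# Characters that commonly break exploit delivery: NUL terminates C strings,
# CR/LF end lines, and space/tab split tokens in text-based protocols.
DEFAULT_BAD_CHARS = frozenset(b"\x00\x09\x0a\x0d\x20")

# Hypothetical decoder prologue that the toy encoder prepends unchanged to
# every output. Real encoders have their own constant bytes; these are fake.
TOY_STUB = b"\xeb\x08\x5e\x31\xc9\x80\x36"


def find_bad_chars(buf: bytes, bad=DEFAULT_BAD_CHARS):
    """Return (offset, byte) pairs for every bad character found in buf."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def pick_xor_key(buf: bytes, bad=DEFAULT_BAD_CHARS):
    """Find a single-byte key such that the key itself and every encoded
    byte avoid the bad set. Returns None when no such key exists."""
    for key in range(1, 256):
        if key in bad:
            continue
        if all((b ^ key) not in bad for b in buf):
            return key
    return None


def toy_encode(payload: bytes, bad=DEFAULT_BAD_CHARS) -> bytes:
    """Constructed encoder: constant stub, then the key, then XORed body."""
    key = pick_xor_key(payload, bad)
    if key is None:
        raise ValueError("no single-byte key avoids the bad characters")
    body = bytes(b ^ key for b in payload)
    return TOY_STUB + bytes([key]) + body


def toy_decode(blob: bytes) -> bytes:
    """Reverse toy_encode, the way a scanner emulating the stub would."""
    if not blob.startswith(TOY_STUB):
        raise ValueError("stub not present")
    key = blob[len(TOY_STUB)]
    return bytes(b ^ key for b in blob[len(TOY_STUB) + 1:])


def signature_hits(blob: bytes, signature: bytes) -> list:
    """Offsets at which a byte signature occurs in blob (naive scan)."""
    hits, start = [], 0
    while True:
        idx = blob.find(signature, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def demo() -> dict:
    """Run the comparison on two constructed payloads and return the results."""
    # Constructed sample payloads; both contain bad characters.
    payload_a = b"\x00\x01\x02 hello\x0a"
    payload_b = b"\xde\xad\xbe\xef\x09\x0d"
    enc_a, enc_b = toy_encode(payload_a), toy_encode(payload_b)
    return {
        "raw_a_bad_chars": find_bad_chars(payload_a),
        "encoded_a_bad_chars": find_bad_chars(enc_a),
        "roundtrip_ok": toy_decode(enc_a) == payload_a and toy_decode(enc_b) == payload_b,
        # A signature on the raw payload bytes no longer matches after encoding.
        "raw_signature_hits": signature_hits(enc_a, payload_a[:4]),
        # A signature on the constant stub matches every output of the encoder.
        "stub_signature_hits": [signature_hits(enc_a, TOY_STUB), signature_hits(enc_b, TOY_STUB)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for detection engineering is in the last two dictionary entries: the encoded body changes with every key, so a rule on the original payload bytes misses, but the decoder prologue is identical across payloads and families that share the encoder, which is why a stub signature (or emulation of the stub, as `toy_decode` does) is the reactive step scanners are forced into.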
Now that we've covered the basics, our next post will walk through the components of Shikata Ga Nai, a Metasploit shellcode encoder. We’ll demonstrate how the encoder obfuscates payloads and how to write signatures to detect payloads encoded with Shikata Ga Nai. We’ll also provide suggestions on how the tool may be modified to help penetration testers slip encoded payloads past blue teams.
We offer these recommendations for informational use only and do not make any warranties or other promises they will be effective in managing cyber threats. If you would like assistance in addressing a type of threat, please feel free to contact us.