Booz Allen Hamilton Booz Allen Hamilton
Booz | Allen | Hamilton ®
Perspectives

Introducing the Shellcode Signatures Series

A deep-dive series on detecting evasive shellcode techniques

In this increasingly interconnected world, keeping up with a constantly evolving threat landscape is critical and complex. Cyber threat actors continuously refine their tools and tactics to gain access to and exploit their victims’ environments, forcing network defenders into a perpetual state of reactivity. Today, defenders must not only match the dynamic, innovative level of tradecraft exerted by their attackers—but stay one step ahead.

In this series, we’ll share threat intelligence techniques for uncovering malicious cyber activity in a network environment and detecting cyber threat actors in the early stages of operations. As we walk through several techniques, insights from our seasoned team provide concrete steps that network defenders, red teams, and other cybersecurity professionals can take to further protect their organizations.

Why Metasploit Is a Tool Worth Learning

Metasploit is an open-source penetration testing framework that provides a one-stop shop for the development, delivery, and execution of software exploits and other malicious payloads. The framework is a favorite among penetration testers and cyberthreat actors, and is employed by some of the most sophisticated cybercriminal and state-sponsored actors. [1] [2]

Since Metasploit is used for both legitimate and malicious purposes, it's important that cybersecurity professionals—both those that defend networks and those that test their security—understand how it works. Network defenders need to understand how to detect the tools on the wire and on a host and penetration testers need to understand how to use the tools to maximum effect, and how to modify them so that they slip past their network defending counterparts.

Using Shellcode to Find Payloads and Exploits

Writing rules to detect the generic presence of shellcode is often a great way to find new, undiscovered payloads and exploits, but getting a payload to execute on a victim’s machine is not as trivial as calling exec().  When using shellcode, there are several steps authors must accomplish to successfully execute their payload:

  1. Obtaining the location of where the code is running
  2. Decoding payload (if using an encoder)
  3. Function/Library lookup or hashing (optional)
  4. Executing the payload

In this series, we’ll explain these different stages in detail, provide samples and signatures for blue teams, and give advice for red teams on how to make the payload more resistant to signatures.

Many of the methods that we’ll discuss have been around for a long time and continue to prove reliable in the detection of new weaponized payloads. We hope that this series can help consolidate knowledge around shellcode and encoders to broaden understanding in the industry amongst defenders.

A Quick Note on Encoders

Metasploit and antivirus (AV) vendors have a cat and mouse relationship, but the framework’s encoders—and encoders in general—are typically not designed to allow payloads to bypass AV. Although encoders may be useful for bypassing trivial detection signatures, their primary use is to modify payloads so that they can be paired with an exploit.

In most cases, encoders are used to remove bad characters that would break if an exploit is left in a payload (e.g., spaces and tabs). When encoding a payload, attackers force scanners to be reactive by either writing signatures for an encoder block or by forcing a game of emulation [3]. Multiple malware families often use the same encoder on shellcode or payloads, so writing signatures on these common encoders will help network defenders quickly detect and analyze multiple malware families.

Next in the Series: An Introduction to Shikata Ga Nai

Now that we covered the basics, our next post will walk through components of Shikata Ga Nai, a Metasploit shellcode encoding tool. We’ll demonstrate how the encoder obfuscates payloads and how to write signatures to detect payloads encoded with Shikata Ga Nai. We’ll also provide suggestions on how the tool may be modified to help penetration testers slip encoded payloads past blue teams.

Learn more about Booz Allen’s approach to Managed Threat Services

We offer these recommendations for informational use only and do not make any warranties or other promises they will be effective in managing cyber threats. If you would like assistance in addressing a type of threat, please feel free to contact us.

External References and Examples:

[1] https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/

[2] https://threatvector.cylance.com/en_us/home/operation-cleaver-the-notepad-files.html 

[3] https://blog.rapid7.com/2012/12/14/the-odd-couple-metasploit-and-antivirus-solutions/

Learn about  Managed Threat Services 

Explore
Tags
Technical & Execution Cybersecurity Managed Threat Services

Related Insights

Perspectives
The Shikata Ga Nai Encoder
The Shikata Ga Nai Encoder
The Shikata Ga Nai Encoder

Our top analysts review the components of the popular Metasploit shellcode encoder, Shikata Ga Nai. Read More

Perspectives
Perspectives
The x86 Countdown Encoder, Explained
The x86 Countdown Encoder, Explained
The x86 Countdown Encoder, Explained

A technical overview of the x86 Countdown Encoder, plus shellcode techniques for security practitioners Read More

Perspectives
Perspectives
The x64 XOR Encoder, Explained
The x64 XOR Encoder, Explained
The x64 XOR Encoder, Explained

Get a technical overview of the x64 XOR Encoder and learn how it decodes its payloads. Read More

Perspectives
Perspectives
The Zutto Dekiru Encoder, Explained
The Zutto Dekiru Encoder, Explained
The Zutto Dekiru Encoder, Explained

Get a technical overview of the Zutto Dekiru encoder and build a Yara signature. Read More

Perspectives
1 - 4 of 8