A deep dive series on detecting evasive shellcode techniques
In this increasingly interconnected world, keeping up with a constantly evolving threat landscape is critical and complex. Cyberthreat actors continuously refine their tools and tactics to gain access to and exploit their victims’ environments, forcing network defenders into a perpetual state of reactivity. Today, defenders must not only match the dynamic, innovative level of tradecraft exerted by their attackers—but stay one step ahead.
In this series, we’ll share threat intelligence techniques for uncovering malicious cyber activity in a network environment and detecting cyberthreat actors in the early stages of operations. As we walk through several techniques, insights from our seasoned team provide concrete steps that network defenders, red teams, and other cybersecurity professionals can take to further protect their organizations.
Why Metasploit is a Tool Worth Learning
Metasploit is an open-source penetration testing framework that provides a one-stop shop for the development, delivery, and execution of software exploits and other malicious payloads. The framework is a favorite among penetration testers and cyberthreatactors, and is employed by some of the most sophisticated cybercriminal and state-sponsored actors. [1] [2]
Since Metasploit is used for both legitimate and malicious purposes, it's important that cybersecurity professionals—both those that defend networks and those that test their security—understand how it works. Network defenders need to understand how to detect the tools on the wire and on a host and penetration testers need to understand how to use the tools to maximum effect, and how to modify them so that they slip past their network defending counterparts.
Using Shellcode to Find Payloads and Exploits
Writing rules to detect the generic presence of shellcode is often a great way to find new, undiscovered payloads and exploits, but getting a payload to execute on a victim’s machine is not as trivial as calling exec(). When using shellcode, there are several steps authors must accomplish to successfully execute their payload:
Obtaining the location of where the code is running
Decoding payload (if using an encoder)
Function/Library lookup or hashing (optional)
Executing the payload
In this series, we’ll explain these different stages in detail, provide samples and signatures for blue teams, and give advice for red teams on how to make the payload more resistant to signatures.
Many of the methods that we’ll discuss have been around for a long time and continue to prove reliable in the detection of new weaponized payloads. We hope that this series can help consolidate knowledge around shellcode and encoders to broaden understanding in the industry amongst defenders.
A Quick Note on Encoders
Metasploit and antivirus (AV) vendors have a cat and mouse relationship, but the framework’s encoders—and encoders in general—are typically not designed to allow payloads to bypass AV. Although encoders may be useful for bypassing trivial detection signatures, their primary use is to modify payloads so that they can be paired with an exploit.
In most cases, encoders are used to remove bad characters that would break if an exploit is left in a payload (e.g., spaces and tabs). When encoding a payload, attackers force scanners to be reactive by either writing signatures for an encoder block or by forcing a game of emulation [3]. Multiple malware families often use the same encoder on shellcode or payloads, so writing signatures on these common encoders will help network defenders quickly detect and analyze multiple malware families.
Next in the Series: An Introduction to Shikata Ga Nai
Now that we covered the basics, our next post will walk through components of Shikata Ga Nai, a Metasploit shellcode encoding tool. We’ll demonstrate how the encoder obfuscates payloads and how to write signatures to detect payloads encoded with Shikata Ga Nai. We’ll also provide suggestions on how the tool may be modified to help penetration testers slip encoded payloads past blue teams.
We offer these recommendations for informational use only and do not make any warranties or other promises they will be effective in managing cyber threats. If you would like assistance in addressing a type of threat, please feel free to contact us.
