Today’s cyber defenders must not only identify and understand the threats their organizations are facing; security teams must also understand the techniques adversaries use at the most tactical levels. Matching and mastering the tradecraft adversaries demonstrate is required for organizations to stay one step ahead of advanced threats.
Our Shellcode Signatures Series is a deep dive into the functionality of a handful of shellcode encoders and obfuscators, along with detection signatures and tips to help network defenders detect the tools in action. By disassembling and stepping through different encoders, we hope to increase the understanding of how the encoders and obfuscators work so that our readers can develop their own signatures to detect the tools. Conversely, a deeper understanding of the tools’ functionality should help our more offensively-minded, red team-focused readers write encoders that stand a better chance of slipping past their blue team counterparts.
Here's a list of the topics we covered in our series:
- The Shikata Ga Nai Encoder
- The x86 Countdown Encoder
- The x64 XOR Encoder
- The Zutto Dekiru Encoder
- The x86 Jumpcall Additive Encoder
- The OWASP ZSC Project
- Finding the Instruction pointer
Our series highlighted that not all encoders are created equally—some can be easily detected with signatures from tools like Yara, but others can be a bit more elusive and difficult to pin down. The encoders that were the easiest to detect were the ones that contained a static decode loop, a section of code that remains constant every time the encoder is used and that is easy to write a signature around. Encoders that proved to be a bit more challenging were those that randomized their encoding processes so that static, predictable code segments were kept to a minimum. Zutto Dekiru, an encoder that uses a “coin flip” technique to randomize how it stores and accesses the stack pointer, is one example of the encoders that complicate signature-based detections. Even more advanced encoders take steps to randomize control flow and re-write constants—a feature that may force a signature developer to wildcard so many bytes that the signature's quality and performance is significantly degraded.
There is a myriad of methods used by cyber threat actors to alter malware code and impede network defenders’ detection and analysis of the programs. Though we just scratched the surface, these tactical threat intelligence techniques from our seasoned team of analysts provide concrete steps that security defenders can implement to further protect their organizations.
Booz Allen provides cyber tradecraft and experience to continually combine the right talent and technology—giving our clients immediate 24x7 capability uplift in their cyber program. Learn more about Booz Allen’s approach to cyber threat intelligence.
