Ravin Academy// Ahmed Nahovi/ March 03, 2024 at 04:12PM
One of the challenges every red team faces when carrying out an assessment is running its code and tools on the target operating system without triggering endpoint security solutions such as antivirus and EDR. In other words, the team sometimes needs to bypass these solutions. New techniques for this purpose are introduced continuously; security vendors work to identify and neutralize them, and intruders in turn develop new methods to evade them. This cycle of conflict between attackers and security companies has been going on for years.
In this article, we examine one of the effective methods used to bypass antivirus and EDR on Windows using PowerShell. Shellcode injection and execution is one of the favorite methods of both hacking teams and red teams for installing and executing their payloads on victims’ systems. But what does shellcode actually mean? Michael Sikorski defines it as follows: “a term generally used to describe any independently executable code”. Most penetration testing frameworks, such as Empire, Cobalt Strike or Metasploit, ship their own shellcode generators. Regardless of the product, these generators usually emit the shellcode in binary or hex form.
Why use shellcode to execute a payload?
Using shellcode in red team assessments gives us a great deal of flexibility in choosing the payload type. In practice, shellcode lets us run our various programs and scripts with less concern about detection by EDR or antivirus products. For example, techniques such as encrypting and encoding the shellcode make it much harder for EDR products to find it. As a side effect, the red team engagement also measures how well the assessed organization can detect malware.
Comparison of Shellcode Injection and Shellcode Execution
One of the most important parts of any red team assessment is developing tooling that runs successfully, reliably and quietly on the target system. A payload can execute shellcode from within its own process, or inject it into the address space of another process and execute it there. In this article, we examine the second method: injecting shellcode into process memory using PowerShell.
Shellcode injection is a technique used by red teams, and by real attackers, to avoid detection by EDR and similar security solutions. Note that many EDR products base their detection logic on the expected behavior of legitimate Windows processes. For example, running Mimikatz from an arbitrary process such as DefinitelyNotEvil.exe may be detected and blocked, because the EDR does not expect that process to need access to the memory of lsass.exe during normal operation.
However, if Mimikatz runs inside another Windows process such as svchost.exe, which constantly communicates with lsass.exe to perform its work, it may escape detection, because the EDR regards that interaction as expected, normal behavior. The svchost.exe process needs to talk to lsass.exe for its everyday tasks, so if it also runs Mimikatz, this still looks normal from the EDR’s point of view. This is why injecting malware into a carefully chosen legitimate process can evade even advanced organizational security solutions.
Below, we briefly introduce three different and widely used methods of shellcode execution:
CreateThread
CreateRemoteThread
QueueUserAPC
Each of these techniques corresponds to a Windows API function that assigns a thread to the shellcode and ultimately causes it to run. Note that CreateThread is used for shellcode execution within the current process, while CreateRemoteThread and QueueUserAPC are used for shellcode injection into another process. The following sections summarize the steps of each technique in turn.
CreateThread method
Allocate memory in the current process
Copy the shellcode into the allocated memory
Change the protection of the newly allocated memory to allow code execution from it
Create a thread whose start address lies in the allocated memory segment
Wait on the thread handle until the thread returns
CreateRemoteThread method
Identify and obtain the ID of the target process to inject into
Open the target process
Allocate executable memory in the target process
Write the shellcode into the allocated memory
Create a thread in the remote process with the allocated memory as its start address
QueueUserAPC method
Identify and obtain the ID of the target process to inject into
Open the target process
Allocate executable memory in the target process
Write the shellcode into the allocated memory
Change the protection of the newly allocated memory to allow code execution from it
Create a thread in the remote process with the allocated memory as its start address
Queue an APC on the thread so that it runs when the thread is in an “alertable” state
Resume the thread so that it enters the “alertable” state
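As an added example, not code from the original post or from Ravin Academy, the following Python script applies the two detection ideas above (an unexpected image opening lsass.exe memory, and a thread created in a remote process at an address that no loaded module backs, the footprint of the CreateRemoteThread and QueueUserAPC steps) to constructed Sysmon-style records. The allow-list, paths, PIDs and addresses are assumptions.

```python
# Added example (not from the original post): flags the two behaviours the
# article says an EDR watches for, over constructed Sysmon-style records that
# use Sysmon's field names for Event ID 10 (ProcessAccess) and 8 (CreateRemoteThread).

# Images assumed to legitimately read lsass.exe memory (illustrative allow-list).
EXPECTED_LSASS_CLIENTS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\wininit.exe"}
# PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
MEMORY_ACCESS_MASK = 0x0008 | 0x0010 | 0x0020

def check_process_access(ev):
    """Event ID 10: lsass memory opened by an image not expected to do so."""
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & MEMORY_ACCESS_MASK or ev["SourceImage"].lower() in EXPECTED_LSASS_CLIENTS:
        return None
    return f"unexpected lsass access by {ev['SourceImage']} (0x{granted:X})"

def check_remote_thread(ev):
    """Event ID 8: a thread started in another process at an address no loaded
    module backs, the footprint of shellcode written to freshly allocated memory."""
    if ev["SourceProcessId"] == ev["TargetProcessId"] or ev.get("StartModule"):
        return None
    return f"remote thread in {ev['TargetImage']} at {ev['StartAddress']} (no module)"

def scan(events):
    """Return the alerts raised over a list of events."""
    checks = {10: check_process_access, 8: check_remote_thread}
    alerts = [checks[ev["EventID"]](ev) for ev in events if ev["EventID"] in checks]
    return [a for a in alerts if a]

# Constructed sample telemetry (not real logs); PIDs, paths and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\u\DefinitelyNotEvil.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 8, "SourceProcessId": 4120, "TargetProcessId": 812,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartAddress": "0x000001F2A3C40000", "StartModule": ""},
    {"EventID": 8, "SourceProcessId": 1000, "TargetProcessId": 1000,
     "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FF8A1B20000", "StartModule": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Over the sample records only the DefinitelyNotEvil.exe access to lsass.exe and the PowerShell-to-svchost.exe thread with no backing module are reported; the allow-listed svchost.exe access and the module-backed local thread are not.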
In the following video, you can watch an example of shellcode execution using the CreateThread method. The script used in the video can be downloaded from here (the zip archive password is ravinacademy).
If you are interested in learning these techniques in more depth, they are taught hands-on, along with many other advanced techniques, in the “Powershell for Hackers” course. You can also read the full text of this article here.
