Sat. Jul 2nd, 2022

FrostByte

Prologue:

In the past few days I’ve been experimenting with the

Steps to build Signed Shellcode Executable

  • Pick any signed x64 C# binary of your choice, one in which you would like the Cobalt Strike beacon to reside and execute, e.g. CasPol.exe.
  • Generate your Cobalt Strike stageless shellcode (x64-stageless.bin).
  • Place both of them in the folder where SigFlip is also present and run the command below:
    SigFlip.exe -i "Z:\ZLoader\CasPol.exe" "Z:\ZLoader\x64-stageless.bin" "Z:\ZLoader\update.exe" "S3cretK3y"
  • Thanks to SigFlip you now have a binary named update.exe: a digitally signed PE with the encrypted shellcode embedded in it.
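As an added, defender-side example (not part of the original post or the SigFlip project): the artefact this step leaves behind is data sitting after the PKCS#7 signature blob inside the PE's Authenticode certificate table, so a parser can walk each WIN_CERTIFICATE entry, measure the DER SEQUENCE, and report any bytes beyond it. The minimal PE builder is a constructed test fixture rather than a real binary, and treating the signer's 8-byte padding as the only legitimate slack is a heuristic.

```python
import struct

def _der_total_len(blob):
    """Header + content length of the leading DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def find_certificate_slack(pe):
    """Return [(file_offset, byte_count)] for data past the PKCS#7 blob in each WIN_CERTIFICATE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                  # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # data directories: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    findings, pos = [], sec_off
    while sec_off and pos + 8 <= sec_off + sec_size:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8:                                   # malformed entry, avoid looping forever
            break
        body = pe[pos + 8:pos + length]
        der = _der_total_len(body) if ctype == 0x0002 else None  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        if der is not None:
            padded = (der + 7) & ~7                      # signers pad the blob to 8 bytes
            if len(body) > padded:
                findings.append((pos + 8 + padded, len(body) - padded))
        pos += (length + 7) & ~7                         # entries are 8-byte aligned
    return findings

def build_minimal_pe(cert_body):
    """Constructed fixture: smallest PE32+ skeleton whose security directory holds cert_body."""
    win_cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
    opt_size = 112 + 16 * 8
    sec_off = 0x40 + 4 + 20 + opt_size                   # 328, already 8-byte aligned
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    dirs = [(sec_off, len(win_cert)) if i == 4 else (0, 0) for i in range(16)]
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt + win_cert

FAKE_PKCS7 = b"\x30\x82" + struct.pack(">H", 62) + b"\xAA" * 62     # constructed 66-byte SEQUENCE
CLEAN_PE = build_minimal_pe(FAKE_PKCS7 + bytes(6))                   # padded to 72, nothing extra
FLIPPED_PE = build_minimal_pe(FAKE_PKCS7 + bytes(6) + b"\xCC" * 32)  # 32 constructed bytes appended
```

On a real file, read it in binary mode and pass the bytes to find_certificate_slack; a non-empty result is a lead to inspect, not proof of tampering, since some legitimate signers leave small trailing data.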

Steps to build the AppDomain Loader DLL

  • Take the C# template code from here
  • At line 163, replace the encryption key with the one you chose when running SigFlip (you may have to adjust a few bytes to confirm that your CS shellcode decrypts correctly)
  • At line 146, set the path to your signed binary
  • Change the log file paths at lines 158 and 165
  • Compile the code as a DLL with the following command: csc /target:library /out:test.dll test.cs
  • Place the compiled DLL and the update.exe.config file in the same folder as your signed shellcode exe.
  • Execute update.exe.

Conclusion:

This POC is just an idea I had in mind: combine two totally different defense evasion techniques to help me and other Red Teamers build better initial execution payloads for their operations. This project uses AppDomain Manager Injection as an example, but the idea applies to other injection techniques as well, such as DLL side-loading and DLL hijacking.

Credits:

Full credits to med0x2e; this POC is built on his SigFlip project.

References:

  • https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/
  • https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf
  • https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
  • https://github.com/med0x2e/SigFlip