State of the Hack

State of the Hack is hosted by FireEye's Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

RSS 0 0
0:00
Loading

S2E12: Shellcode. DLLy DLLy!

Updated about 25 days ago.

Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild.

In previous episodes, the gang has discussed attackers - both authorized and unauthorized - shift away from PowerShell and scripting-based tooling to C# and shellcode due to improved visibility, detection, and prevention provided by more logging, AMSI, and endpoint security tooling. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate.

Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence

If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Shellabrate good times come on!

Download

Comments