S2E12: Shellcode. DLLy DLLy!
State of the Hack - A podcast by Mandiant
Categorie:
Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild. In previous episodes, the gang has discussed attackers - both authorized and unauthorized - shift away from PowerShell and scripting-based tooling to C# and shellcode due to improved visibility, detection, and prevention provided by more logging, AMSI, and endpoint security tooling. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate. Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html Shellabrate good times come on!