RedTeamers often leverage shellcode loaders for initial access to deploy their C2 beacons. In this presentation, I will introduce my SuperMega shellcode loader laboratory, featuring a novel file injection technique called Cordyceps. Cordyceps reuses the Import Address Table (IAT) and data sections to deeply integrate into target executables, enabling it to operate under the radar. This technique allows for the deployment of unmodified Metasploit payloads on EDR-enabled endpoints without triggering alarms.
To provide a comprehensive understanding, I will begin with a brief overview of typical EDR architectures and their detection methodologies, particularly focusing on how they identify shellcode loaders. Key topics will include AV, AV emulation, user-mode and kernel-mode telemetry, and memory scanning. Instead of highlighting the latest anti-EDR implementations, the session will emphasize making practical design decisions to bypass detection mechanisms. We will critically analyze the current anti-EDR approaches, concluding that many of these efforts, while innovative, are often more “cool” than practically useful.
Key Takeaways:
The inner workings of EDR and common detection methods
Practical techniques for integrating shellcode loaders stealthily
Evaluating the effectiveness of anti-EDR measures in real-world scenarios
===
Dobin was a penetration tester for many years, and then switched to being a SOC analyst. Currently he is leading the RedTeam at Raiffeisen Schweiz.

Career:
2 years developer
8 years penetration testing
1 year developer
2 years SOC analyst
2 years RedTeaming

Talks at conferences:
OWASP Switzerland: SSL/TLS Recommendations
BSides Vienna: Burp Sentinel - Web Scanner
OWASP Switzerland Barcamp: Automated WAF Testing & XSS Detection
Area 41: Fuzzing For Worms - AFL for Network Servers
Area 41: Develop Your Own RAT - AV & EDR Defense

Teaching:
OST: Initial Access
BFH: Memory Corruption