Exploit Development Flashcards
Loader
Short-lived bootstrapper that decrypts and executes shellcode in memory. Avoids persistence and focuses on stealth.
Implant
Long-lived payload handling C2 communication, privilege escalation, and data exfiltration. Operates post-loader execution.
Why use C with /MT, /O2, /Os for loaders?
C minimizes binary size; /MT (statically linked CRT), /O2 (optimize for speed), /Os (favor small code) reduce the footprint to roughly 16 KB.
RC4 in loaders
Lightweight symmetric encryption (~30 LOC) using syscalls instead of WinCrypt imports to evade detection.
Partial encryption
Encrypts only shellcode, keys, and API hashes to avoid high entropy. Plaintext PE sections blend with benign files.
API hashing
Replaces API names with hashes to evade static string analysis (e.g., avoids “VirtualAlloc” in IAT).
Indirect syscalls
Directly invokes ntdll syscalls (e.g., NtAllocateVirtualMemory) to bypass EDR user-mode hooks.
Zero-touch to disk
Executes payload entirely in memory or fetches encrypted payloads over HTTPS to avoid disk writes.
C2 resilience features
Sleep-jitter, domain fronting, and DGA fallback to evade network detection and ensure beacon persistence.
Staged payload advantage
Minimal initial footprint (e.g., VBA macro) downloads larger stages; allows post-deployment capability updates.
Staged payload disadvantage
Additional network activity increases exposure; reliant on outbound connectivity for staging.
Stageless payload advantage
Single binary with all capabilities; fewer C2 handshakes, suitable for restricted networks.
Stageless payload disadvantage
Larger size increases entropy and detection risk; harder to embed in macros.
IAT minimization
Manual implementation of crypto/syscalls to avoid suspicious imports (e.g., WinCrypt) in the Import Address Table.
PE timestamp spoofing
Sets compile timestamp to match system DLLs (e.g., ntdll.dll) to avoid anomalous timestamp detection.
C2 (Command and Control)
Infrastructure used by attackers to remotely control compromised systems.
EDR (Endpoint Detection and Response)
Security tools monitoring endpoints for malicious activity (e.g., behavioral analysis, API hooks).
AMSI (Antimalware Scan Interface)
Windows API allowing real-time script scanning (e.g., PowerShell) by antivirus software.
DGA (Domain Generation Algorithm)
Generates random domain names for C2 fallback, complicating blocklisting.
Sleep-jitter
Randomizes beacon intervals to avoid predictable timing patterns.
Thread Hijacking
Process injection technique: hijacks a thread in a benign process to execute shellcode.
PPID Spoofing
Spoofs the parent process ID to evade detection of suspicious process lineage.
Process Hollowing
Replaces legitimate process memory with malicious code while retaining its appearance.
Entropy
Measure of randomness; high entropy (e.g., encrypted data) triggers AV heuristics.