Hiding Payloads in Plain Text (在纯文本中隐藏有效载荷.pdf)

ID: 981733, PDF, 32 pages, 3.74 MB, download credits: VIP only

Slide text extracted from the preview (the running header "#SECTORCA SecTorCA" and the running footer "Hiding Payloads in Plain.text, Moritz Thomas" appear on every slide and are shown once here):

Title slide: CODASM - Lowering Payload Entropy. Moritz Thomas. SecTor CA (#SECTORCA). Running footer: Hiding Payloads in Plain.text, Moritz Thomas.

Agenda:
whoami
Prologue: Payloads & Shannon Entropy
Act I: Hide & Seek in PECOFF
Act II: Evading EDR detection & Improvements
Act III: Demo Time!
Epilogue: Conclusion

whoami:
Moritz Thomas (handles: moritzlthomas, molatho)
Senior Red Team Operator
R&D, Payload Crafting

Prologue: Payloads & Shannon Entropy (section slide; image caption: "red team operators discussing plans")

Prologue: Payloads
Components: Shellcode (.bin), Archive (.zip/.iso/...), Loader (.exe/.dll), Binaries, Metadata (.exe/.dll), Encrypt (.bin)
Concerns: Protection, OPSEC, Execution, Disguise, Delivery, Core C2 Functionality

Prologue: Shannon Entropy
H(.png) = 7.99
Measure of uncertainty of events
"Randomness" of data
"Information density" of data
Unit: bits (log2)
Used by malware analysts, AVs & EDRs
Scale: 0.0 (certainty) to 8.0 ("random")
Examples: H(0,0,0,0,0) = 0.0; H(42,42,42,42,42) = 0.0; H(notepad.exe) = 6.5; H(AES-ECB(0,0,0)) = 7.99

Prologue: Payloads & Shannon Entropy (typical entropy per component)
Shellcode (.bin): H = 6.5-7.9
Archive (.zip/.iso/...): H = 6.2
Loader (.exe/.dll): H = 5.3-7.2
Binaries, Metadata (.exe/.dll)
Encrypt (.bin): H = 7.9

Act I: Hide & Seek in PECOFF (section slide; image caption: "hackers wearing futuristic masks playing hide and seek in a cyberpunk setting, zoomed out")

Act I: PECOFF 1/2
PECOFF: Portable Executable Common Object File Format (Ange Albertini)
Little space; modifications stand out
Actual content: .text: code; .data: R/W data; .rsrc: icons, ...
Simple to modify! *append*
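To make the entropy figures on the Shannon entropy slide concrete, here is an added Python example; it is not code from the talk or from the CODASM project. It computes Shannon entropy in bits per byte (the 0.0 to 8.0 scale the slides use) and then scans a buffer with sliding windows, which is how AV/EDR-style entropy checks notice an encrypted blob embedded in an otherwise ordinary file rather than averaging it away over the whole file. The sample buffer, the 256-byte window, the 128-byte step and the 7.0 threshold are constructed assumptions, not values from the deck.

```python
import math
from collections import Counter
from typing import Iterator, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 when only one
    byte value occurs, 8.0 when all 256 values are equally frequent.
    This is the figure the slides quote, e.g. H(0,0,0,0,0) = 0.0."""
    if not data:
        return 0.0
    n = len(data)
    h = 0.0
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def windowed_entropy(data: bytes, window: int = 256, step: int = 128) -> Iterator[Tuple[int, float]]:
    """Yield (offset, entropy) for each window of `window` bytes, advancing by
    `step`. Whole-file entropy hides a small high-entropy blob inside a large
    low-entropy file; per-window entropy does not."""
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    for offset in range(0, max(len(data) - window, 0) + 1, step):
        yield offset, shannon_entropy(data[offset:offset + window])


def high_entropy_regions(data: bytes, threshold: float = 7.0,
                         window: int = 256, step: int = 128) -> List[Tuple[int, int]]:
    """Merge overlapping windows whose entropy reaches `threshold` into
    (start, end) byte ranges. The threshold is an assumed value chosen to sit
    above the loader range (5.3-7.2) and below the encrypted range (7.9)
    from the slides; a real scanner would tune it per file type."""
    regions: List[Tuple[int, int]] = []
    for offset, h in windowed_entropy(data, window, step):
        if h < threshold:
            continue
        end = min(offset + window, len(data))
        if regions and offset <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((offset, end))
    return regions


# Constructed sample, not data from the talk: 1 KiB of repetitive ASCII, then
# 1 KiB of a byte permutation standing in for an encrypted blob (167 is coprime
# to 256, so every 256 consecutive bytes hold each value exactly once and any
# aligned window has H = 8.0), then another 1 KiB of ASCII.
LOW = (b"This program cannot be run in DOS mode. " * 64)[:1024]
HIGH = bytes((i * 167 + 13) % 256 for i in range(1024))
SAMPLE = LOW + HIGH + LOW


if __name__ == "__main__":
    print("H(0,0,0,0,0)      =", shannon_entropy(bytes(5)))
    print("H(42,42,42,42,42) =", shannon_entropy(bytes([42] * 5)))
    print("H(ascii text)     = %.2f" % shannon_entropy(LOW))
    print("H(permutation)    = %.2f" % shannon_entropy(HIGH))
    print("H(whole sample)   = %.2f" % shannon_entropy(SAMPLE))
    print("high-entropy regions:", high_entropy_regions(SAMPLE))
```

The whole-sample entropy lands well below the blob's own 8.0 because two thirds of the buffer is plain text; the windowed scan still reports the exact byte range of the blob, which is the property the slides attribute to AV and EDR entropy checks and the reason the talk is about lowering entropy rather than merely hiding high-entropy bytes among low-entropy ones.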
