Deep Sea Phishing Pt. 1

PHISHING SCHOOL

How to Bypass EDR With Custom Payloads

If endpoint detection and response (EDR) protections keep blocking your phishing payloads, you really should learn how to write custom payloads. If you’ve never written a custom payload, this is a great place to start. If you have some experience with custom payloads, I hope I can at least simplify the way you think about payload design to make it easy and fun.

Yes, we are going to dive into some code. So get your favorite techno jams on, and follow my lead.

https://www.youtube.com/watch?v=4ImBUTSJmRY

We made ours with a special rabbit ear on top so we could pipe in some music

Why Custom Payloads are (Usually) Better Than Stock Shellcode

Say it with me: “Known Bad”. That’s the reason your payloads are getting caught. Your payload is doing something bad and the EDR knows it because it’s seen your tricks before. More importantly, it probably saw the exact same payload before, just with a different name and maybe a few other small changes.

In order to block malware, you have to know what malware looks like. To do that, the best information EDR engineers have to work from is a large collection of malware samples. These samples come from malware that’s been “caught in the wild”. Most of these known bad samples come straight out of popular command and control (C2) frameworks like Metasploit, Cobalt Strike, Empire, Mythic, etc., so if you are using payloads that any of those frameworks generate, then chances are that EDR products have already seen payloads that look like yours.

One major problem for red teams is the way in which C2 frameworks generate payloads. Almost always, there is a payload template that is then filled out with some common parameters like LHOST and LPORT, and then (hopefully) obfuscated and compiled. Some variable names and values may have changed, but the overall structure of the final payload will be extremely similar across builds. That’s what leads to signatures of these “known bads.”
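To make the “same template, different parameters” point concrete from the detection side, here is an added example (not code from the article) that scans two constructed byte strings standing in for two builds of one template. A fixed-string check catches the string the template always carries, and masking the per-build fields (LHOST/LPORT) before hashing shows why two builds collapse to one structural fingerprint. The sample bytes and field patterns are constructed for illustration only.

```python
import hashlib
import re

# Constructed, illustrative "builds" of one payload template (not real shellcode).
# Only the template fields (LHOST, LPORT) differ between the two.
BUILD_A = b"\x90\x90LHOST=10.0.0.5\x00LPORT=4444\x00bruteloader\x00\xcc"
BUILD_B = b"\x90\x90LHOST=192.168.1.20\x00LPORT=8443\x00bruteloader\x00\xcc"
BENIGN = b"\x90\x90just some unrelated bytes\x00"

# 1) The simplest kind of signature: a fixed string the template always carries.
STRING_SIGNATURES = {
    "known_bad_string": rb"bruteloader",
}

# 2) Template fields that change per build; masking them leaves the shared structure.
TEMPLATE_FIELDS = [
    re.compile(rb"LHOST=[0-9.]{7,15}"),
    re.compile(rb"LPORT=[0-9]{1,5}"),
]


def string_hits(buf: bytes) -> list[str]:
    """Return the names of fixed-string signatures found anywhere in buf."""
    return [name for name, sig in STRING_SIGNATURES.items() if re.search(sig, buf)]


def structural_fingerprint(buf: bytes) -> str:
    """Hash the buffer with per-build fields replaced by a placeholder, so two
    builds of the same template collapse to one fingerprint."""
    masked = buf
    for field in TEMPLATE_FIELDS:
        masked = field.sub(b"<VAR>", masked)
    return hashlib.sha256(masked).hexdigest()


def same_template(a: bytes, b: bytes) -> bool:
    """True when a and b differ only in their template fields."""
    return structural_fingerprint(a) == structural_fingerprint(b)


if __name__ == "__main__":
    for label, sample in (("A", BUILD_A), ("B", BUILD_B), ("benign", BENIGN)):
        print(label, string_hits(sample), structural_fingerprint(sample)[:16])
    print("A and B same template:", same_template(BUILD_A, BUILD_B))
```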

You might be surprised by how simple some of these signatures tend to be. There are some great examples in MDSec’s blog series “How I Met Your Beacon”. For instance, the string “bruteloader” sitting around in memory,

[…]

This article has been indexed from Security Boulevard
