Presented at NorthSec 2017
The purpose of this presentation is to introduce a tool and the idea behind it. This tool evades antivirus, sandboxes, IDS/IPS using one simple technique. In a nutshell it abuses of polyglot files and compact low level obfuscation using assembly. The target system can then execute the payload using various vectors: powershell or Windows' executable.
The obfuscated payload can be pretty much everything from classic meterpreter, empire payload and cobalt strike beacon to DLLs and executables. There is no limit, since the tool offers a loader that can deobfuscate an executable in memory and execute it or simply execute shellcode. Then end goal of that tool was to provide a simple way to evade as many security layers as possible in a single payload instead of using multiple techniques to target each layer of security. This is a must have for pentesting when your target relies on multiple security products!
Charles F. Hamilton
Charles F. is a consultant working for Mandiant a FireEye company. He founded the RingZer0 Team online CTF website in 2014 where he hosts various hacking challenges. He's been a bypass and evasion techniques enthusiast for years now: antivirus, sandboxes and endpoint security software are his favorite targets. Pure assembly and low language, such a C are his best friends too.