We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Red Team Village - DropEngine

19
 Cite
 Share
 Download
 Purchase
No logo availableDEF CON
 Ryan, Gabriel

Formal Metadata

Title
Red Team Village - DropEngine
Subtitle
A Malleable Payload Creation Framework
Title of Series
Number of Parts
374
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
In this talk, we'll introduce DropEngine -- a modular framework for creating malleable initial access payloads (also known as "droppers" or "shellcode runners"). Initial access payloads serve a deceptively simple purpose: loading implants from disk into memory. However, a number of obstacles stand in the way of this seemingly mundane task. To start with, the payload must safely be delivered to its intended target (usually via spearphishing). During delivery, the payload is exposed to signature-based detections and analyzed from within an automated sandbox. The payload must then be saved to disk without triggering antivirus, and must load the implant into memory without alerting Endpoint Detection and Response (EDR). Due to the widespread use of application whitelisting, payload authors are restricted to languages that are compatible with "Live Off the Land Binaries and Scripts" (LOLBAS), most of which are executed through the Windows Common Language Runtime (CLR). This means that most payloads must also contend with Microsoft's Anti-Malware Scan Interface (AMSI). Finally, the payload must be able to withstand analysis by threat hunters and reverse engineers. These obstacles are not insurmountable. However, defense evasion techniques tend to have a short shelf-life, and become particularly stale after repeated use. Because of this, payloads are often prepared on a per-engagement basis, which is hardly an easy feat when done by hand. DropEngine addresses this problem by providing a malleable framework for creating shellcode runners. Operators can choose from a selection of components and combine them to create highly sophisticated payloads within seconds. Available payload components include crypters, execution mechanisms, and environmental and remote keying functions. Also included are pre-execution modules such as sandbox checks and AMSI bypasses, as well cleanup modules that execute after the implant is loaded into memory. DropEngine comes pre-packaged with example modules that are more than sufficient to bypass signature and heuristic-based detections at the time of writing. However, DropEngine's true strength is that it improves operational efficiency by providing a high degree standardization, while allowing operators to control just about every aspect of the payload's signature and behavior.