Maelstrom 7: Static OpSec Review

Breaking down the Maelstrom DLL and Loader to identify and discuss remediations for indicators-of-compromise.
Implementing AMSI and ETW to catch the implant, and then looking at how to bypass it.
Endpoint Protection and Response is complicated for both offence and defence. In this blog we take a look at Kernel Callbacks, Hooks, and Thread Call Stacks from both an attacker's and a defender's perspective.
In this blog, we will discuss how to write a C2 implant for the modern era. We will look at the history of offensive techniques and the progress of defence. We then move into discussing some key concepts before finally writing stage 0, and the implant as a Reflective DLL.
In this post we are discussing building a C2 Teamserver, common pitfalls, and the difficulty of identifying singular malicious requests.
A look into the design choices behind the C2, alongside some design concepts to keep it stable and the workflow smooth.
Throughout this series, we will be slowly building out a Command & Control Framework and discussing common implementation, IOCs, and TTPs. Whilst providing Offensive Teams with the information to get a rudimentary POC up and running, we also aim to provide as many detection mechanisms as possible.
As an experiment, we converted default Cobalt Strike shellcode into various forms to see how it would do against static detection. Turns out, quite well. This post introduces a small tool we wrote to automatically mask shellcode in several different ways.