1. PREFACE

So last week I tried to bypass windows defender and inject my obfuscated stager to drop my Sliver C2 beacon but failed miserably. My executable was undetectable, but the process where I was injecting my shellcode kept crashing so I had to take an other path.

So, I decided to combine a couple of techniques (I got it from maldev academy and also some malware that I’ve reversed engineers) such as :

  • IAT Hiding and Obfuscation
  • API hashing
  • using Nt* API calls

And i got to say getting that notification of my beacon while having my executable undetected on the target machine was a good feeling.

poc1

2. SETUP

For the setup of Sliver C2 you can check out my earlier blog post here

3. Walkthrough

So first, I tried implementing my custom function of GetProcAddress and GetModuleHandle, there’s some resource on how to do this in maldev academy.

Then i tried to identified which API calls I wanted to call NT*, since it’s undocumented I’ve used this website to generate my own signatures of it : https://ntdoc.m417z.com/

  • NtOpenProcess
  • NtAllocateVirtualMemory
  • NtWriteVirtualMemory
  • NtCreateThreadEx

But then, I said to myself even if I’ve implemented, if i just paste the string of the functions i want to use, it will easily gets detected, so i decided to implement some API hashing, which I’ve seen being used in one of the malware I’ve tried (the key word, here, is tried😂) to reverse engineered Qakbot web injector.

So by combining these different approach into one, I was able to get my executable undetected by windows. I also want to mention that you can get creative with these methods, you could call other function and mix it other techniques to improve the stealthiness

You can checkout the source code on my Github

poc3 poc4

You might be wondering why do we see 2 connetion one from port 8443 and one from port 8888, it’s because the first is the connection from the stager and then the last one is the connection that will be used by the beacon, which checks in every 5 seconds

Why it’s not detected

20250715032601
  • The entropy isn’t that high and a lot of it is do to my encrypted stager and the hashing the API calls
20250715032649 20250715033243
  • None of my API calls are reflected in the import address table, it would be also a plus to add dummy function implementation to camouflage my behavior a little bit more

Possible IOCs

I want to mention that even though my executable gets undetected by windows, there’s other possible indicators of compromise (IOCs)

  • I’ve injected my payload in explorer.exe, as soon as someone sees that is connecting to an outside connection, it will raise some eyebrows
  • since I’ve set a connection back to my C2 from beacon every 5 seconds, this could potentially raise an alarm
  • Also, i didn’t even talk about ETW, might try to patch it next, i’ve watched a video from Mr.Un1k0d3r about it
  • Obviously I’ve left some debugging outputs, which can rat me out
20250715032748 20250715035835

Being a dummy

Of course i can't leave this section out

  • so i wanted to get additional proof, so i ran windows defender check while having my payload running and it immediately identified the meterpreter signature in notepad memory and i successfully burned my malware as it not able to perform that injection

  • but i was able to remediate this problem by slightly modifying the execution workflow and injecting into a different process

4. Conclusion

Honestly, i’ve had a lot of fun with this one and I was able to also better understand a malware that I was reverse engineered a couple months ago, which i’ve yet to release a post about it, they were using some API hashing to evade detection. Guys, that’s why I say if you want to become a better offensive operator you need to learn REVERSE ENGINEERING i think it’s mendatory and it think it comes in many different forms, but that’s just my personal opinion, I still suck btw (just putting it out there😂). My next steps would probably be to try and remove as much iocs as i can, by patching ETW and trying the SysWhisperer to make syscall directly. But first, I want to try the armory