Werkbank: How I Built an AI-Powered Shellcode Loader That Slipped Past Microsoft Defender for Endpoint + Video

Listen to this Post

Featured Image

Introduction:

Red team operations have long relied on manual, painstaking refinement of payload loaders to evade endpoint protection. Werkbank, a new shellcode loader builder developed by Daniel Feichter, shifts this paradigm by leveraging generative AI to automate the creation of AV/EPP‑evasive loaders. In a live demonstration, Werkbank successfully bypassed the antimalware and endpoint protection layers of Microsoft Defender for Endpoint—a stark reminder that offensive AI is no longer theoretical. This article dissects the techniques such tools employ, provides hands‑on commands to understand the underlying mechanisms, and offers blue team countermeasures to detect similar in‑memory attacks.

Learning Objectives

  • Understand how AI‑assisted tooling can dynamically generate unique shellcode loaders to evade signature‑based detection.
  • Analyse the common evasion primitives (API unhooking, direct syscalls, sleep obfuscation) that Werkbank‑style tools automate.
  • Learn to detect and mitigate reflective loader execution using Windows Event Logs, ETW, and Sysmon.
  • Implement defensive PowerShell and C snippets to simulate attacker behaviour and validate EDR coverage.

You Should Know

  1. Automated Evasion Primer – Why Werkbank Bypasses MDE’s AV/EPP

Modern endpoint protection platforms (EPP) such as Microsoft Defender for Endpoint rely heavily on user‑mode API hooking. Functions like NtAllocateVirtualMemory, NtProtectVirtualMemory, and `WriteProcessMemory` are intercepted by the antimalware driver to inspect buffers before execution. Werkbank automates the creation of loaders that strip these hooks or bypass them entirely using direct syscalls.

Step‑by‑step: Manual syscall implementation (x64)

  1. Retrieve the syscall number from `ntdll.dll` without calling the hooked function.
  2. Use a small assembly stub to invoke the system call directly.
  3. Allocate memory with `NtAllocateVirtualMemory` (syscall) and copy shellcode.

4. Change memory protection to `PAGE_EXECUTE_READ` and execute.

Windows C++ snippet (Minimal direct syscall):

include <windows.h>
include <winternl.h>

pragma comment(lib, "ntdll.lib")

EXTERN_C NTSTATUS NtAllocateVirtualMemory(
HANDLE ProcessHandle, PVOID BaseAddress, ULONG_PTR ZeroBits,
PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect
);

int main() {
PVOID buffer = nullptr;
SIZE_T size = 4096;
NTSTATUS status = NtAllocateVirtualMemory(
GetCurrentProcess(), &buffer, 0, &size,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
);
// Copy shellcode to buffer, change to PAGE_EXECUTE_READ, jump
return 0;
}

Defender evasion rationale:

Because the loader never invokes the hooked version of `NtAllocateVirtualMemory` (it goes directly to the kernel), the EPP user‑mode callback is never triggered, and the memory allocation remains invisible to the AV sensor.

2. Werkbank’s Core Engine – AI‑Driven Loader Polymorphism

Werkbank uses generative AI (Claude) to rewrite loader logic on‑the‑fly. Instead of relying on a static template, each generated loader mutates:
– Variable/function naming schemes.
– Control flow obfuscation (inserting dead code, opaque predicates).
– API resolution methods (dynamic vs. import table).
– String encryption algorithms.

Linux command to emulate entropy analysis:

 Compare entropy of a known loader vs. AI‑generated loader
ent original_loader.exe
ent werkbank_generated.exe
 Higher entropy often indicates packing/encryption

Windows PowerShell to check loaded modules (potential hook evasion):

Get-Process -Id $PID | Select-Object -ExpandProperty Modules | Where-Object {$_.ModuleName -like "ntdll.dll"}

If a process has an unusually small number of loaded modules or ntdll is missing, it may indicate a custom loader that mapped its own copy.

3. Sleep Obfuscation and Memory Scanning Evasion

One technique frequently incorporated by Werkbank is sleep obfuscation: before a dormant period, the shellcode is encrypted or its memory protection is set to PAGE_NOACCESS. This prevents memory scanners from carving the payload during idle time.

Step‑by‑step: Implementing sleep obfuscation in C

using System;
using System.Runtime.InteropServices;

class SleepObfuscator {
[DllImport("kernel32.dll")]
static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

const uint PAGE_NOACCESS = 0x01;
const uint PAGE_EXECUTE_READ = 0x20;

public static void Obfuscate(IntPtr address, int size) {
VirtualProtect(address, (UIntPtr)size, PAGE_NOACCESS, out _);
System.Threading.Thread.Sleep(5000); // EDR memory scan fails
VirtualProtect(address, (UIntPtr)size, PAGE_EXECUTE_READ, out _);
}
}

Detection:

EDRs that hook `NtDelayExecution` or `SleepEx` can monitor for calls that are immediately preceded/followed by memory permission changes. Sysmon Event ID 10 (ProcessAccess) can also flag cross‑process memory permission changes.

4. Reflective DLL Injection Without Win32 API Calls

Advanced loaders move entirely away from high‑level Windows APIs. Werkbank can generate reflective loaders that parse and map a DLL from memory, resolving its imports manually. This bypasses `LoadLibrary` hooks completely.

Linux command to analyse reflective stub:

 Extract .text section and search for relocation processing
objdump -d reflective_stub.bin | grep -E "add|mov.[rip" 

Reflective loaders often contain Position Independent Code (PIC) that fixes base relocations at runtime.

Windows debugger (WinDbg) command to detect manually mapped modules:

!dh -f <module_base>

If the module’s entry point is outside the expected range or the PE headers are corrupted, it is likely manually mapped.

5. API Hammering and Heuristic Bypass

Werkbank also experiments with “API hammering”—calling benign APIs hundreds of times before the malicious call to confuse heuristic engines that measure time‑of‑check to time‑of‑use. For example, calling `GetTickCount` in a loop to skew behavioural analysis.

PowerShell simulation:

for ($i=0; $i -lt 1000; $i++) {
[System.Runtime.InteropServices.Marshal]::GetLastWin32Error() | Out-Null
}
 Then execute NtQueueApcThread to inject shellcode

Detection:

Look for abnormally high counts of certain low‑cost API calls in a short window preceding process injection.

6. Cloud and AI Supply Chain Risks

Werkbank’s development highlights a growing vector: adversarial use of public LLMs to generate bespoke malware components. Defenders must consider that generic prompt filtering may not catch code generation requests framed as “educational red team tooling”.

Mitigation:

  • Implement strict outbound filtering for code generation requests on corporate AI gateways.
  • Monitor for downloads of LLM‑generated source files with specific import combinations (e.g., `ntdll.lib` + `memcpy` + no LoadLibrary).
  1. Blue Team Validation: Testing Your EDR Against Werkbank‑Style Loaders

Step‑by‑step: Simulate indirect syscall execution

  1. Compile a small executable that resolves `syscall` instructions from ntdll and uses them to allocate memory.
  2. Execute in a lab environment with MDE enabled.
  3. Use `MDE Advanced Hunting` to query for `DeviceProcessEvents` and `DeviceImageLoadEvents` where `InitiatingProcessFileName` is your test binary.

Sample Advanced Hunting query:

DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName contains "test_loader.exe"
| project Timestamp, DeviceName, ProcessId, FileName
| join (DeviceImageLoadEvents) on ProcessId
| where FolderPath endswith "ntdll.dll"

If the loader uses its own copy of ntdll, the `ImageLoad` event will show a non‑standard path or the module may be absent entirely.

What Undercode Say

  • Key Takeaway 1: AI‑driven loaders like Werkbank democratise advanced evasion techniques. What previously required expert‑level assembly knowledge can now be generated by a red team operator with minimal coding effort. Defenders must shift from relying solely on static signatures to detecting behavioural anomalies—especially anomalous memory permission changes and the absence of expected API calls.

  • Key Takeaway 2: Microsoft Defender for Endpoint’s AV/EPP layer is vulnerable to loaders that never invoke its user‑mode hooks. The EDR telemetry, however, remains largely intact (e.g., process creation, module loads, network connections). This reaffirms that layered defence is essential; AV bypass is not EDR bypass. Blue teams should prioritise endpoint detection and response instrumentation over the antimalware engine for post‑exploitation visibility.

Analysis: Werkbank is not revolutionary in the techniques it employs—direct syscalls and reflective loading have been documented for years. The revolution lies in the accessibility. By offloading the polymorphic rewriting to Claude, Feichter demonstrates that the barrier to entry for bespoke, evasive malware is collapsing. Organisations must now assume that commodity attackers can afford AI‑generated first‑stage loaders that are unique per campaign, making hash‑ and signature‑based blocking obsolete. The defensive focus must pivot to behaviour‑based detection, memory integrity monitoring (e.g., Microsoft Defender for Endpoint’s `EnableFileHashComputation` and `Attack Surface Reduction` rules), and rigorous application control. Additionally, LLM providers must consider tighter controls on code generation that clearly aids malicious persistence, though this is a cat‑and‑mouse game that will likely persist.

Prediction

Within the next twelve months, we will see the first widely‑available, open‑source “red team as a service” platform that integrates LLM‑driven loader generation directly into C2 frameworks such as Cobalt Strike or Sliver. This will drastically shrink the dwell time of hands‑on‑keyboard attacks, as operators will be able to generate a brand‑new, undetected loader for every target organisation in seconds. Consequently, EDR vendors will be forced to invest more heavily in kernel‑mode sensors and behaviour‑stacking algorithms, moving even further away from user‑mode hooking. The result will be an arms race fought not in signatures, but in the speed of AI‑driven code mutation versus behavioural pattern recognition.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Daniel Feichter – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky