Enhancing ZAIUX® Framework: Linux support and a new stealth Injection technique

September 2024

The latest release of ZAIUX® Framework introduces two key enhancements that will significantly expand the capabilities of your Red Team: a new stealth injection technique and, as highly requested by our customers, support for Linux operating systems.

Before diving into the technical details of the new injection technique, let’s first examine the drawbacks of the most common injection method.

To reproduce this common pattern, we can use the built-in command ‘shinject’, which issues the following sequence of calls:

  • Indirect Syscall: NtOpenProcess
  • Indirect Syscall: NtAllocateVirtualMemory (RW)
  • Indirect Syscall: NtWriteVirtualMemory
  • Indirect Syscall: NtProtectVirtualMemory (RX)
  • Indirect Syscall: NtCreateThreadEx

Once the injection is confirmed, we can examine the resulting IOCs with Get-InjectedThreadEx, published by the Elastic team.

In this case, the detection is straightforward: the Thread Start-Address points to an unbacked memory region.

Thread-Hijacking, GetContext/SetContext, ROP gadgets and similar methodologies are also detected by Get-InjectedThreadEx. So, how can we bypass such a tool?

ZAIUX Framework now provides the ability to create a new thread in a suspended state, while supplying a valid thread start address in the following format: dll_name!function_name+hex_offset.

For the purpose of this example, we’ll use the following thread start address: sppc.dll!SLpVLActivateProduct+0x1430

Let’s verify the creation of the suspended thread using System Informer:

Let’s execute the shellcode with the ‘apcinject’ module and verify that the new Implant, running in the context of thread 14660, works as expected by running a whoami COFF file. In System Informer, we can also confirm that both the Thread Start-Address and the Call-Stack look legitimate:

Now, let’s run Get-InjectedThreadEx again. As we can see, there are no detections for thread 14660.

Additionally, this new technique is not affected by Control-Flow-Guard.
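The post shows why a start-address check alone is not enough: the classic ‘shinject’ thread starts in an unbacked region, while the new thread starts at sppc.dll!SLpVLActivateProduct+0x1430, a backed address that Get-InjectedThreadEx accepts. The triage helper below is an added example (not ZAIUX or Elastic code) that parses start addresses in the dll_name!function_name+hex_offset format shown above and, as an assumed extra heuristic, also flags starts that lie unusually far inside an exported function; the threshold, the thread list and the loaded-module set are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the symbolised form used in the post: module!function+0xoffset
START_ADDR_RE = re.compile(
    r"^(?P<module>[\w.\-]+)!(?P<symbol>\w+)(?:\+0x(?P<offset>[0-9a-fA-F]+))?$"
)

# Assumption, not an Elastic rule: a benign thread usually starts at a function
# entry (offset 0) or a small stub, so a start deep inside a function body is
# worth a second look. Tune this against your own baseline.
MAX_OFFSET = 0x200


@dataclass
class Finding:
    tid: int
    reason: str


def parse_start_address(start: str):
    """Return (module, symbol, offset) or None if the string is not symbolised."""
    m = START_ADDR_RE.match(start)
    if not m:
        return None
    return m["module"].lower(), m["symbol"], int(m["offset"] or "0", 16)


def classify_thread(tid: int, start: str, loaded_modules: set):
    """Return a Finding for one thread, or None if nothing stands out."""
    parsed = parse_start_address(start)
    if parsed is None:
        # Raw address with no backing image: the case Get-InjectedThreadEx flags
        return Finding(tid, f"start address {start} is not backed by a module")
    module, symbol, offset = parsed
    if module not in loaded_modules:
        return Finding(tid, f"start address references {module}, which is not loaded")
    if offset > MAX_OFFSET:
        return Finding(tid, f"start address is {offset:#x} bytes into {module}!{symbol}")
    return None


def triage(threads, loaded_modules: set):
    """threads: iterable of (tid, start_address) as a triage tool would report them."""
    return [f for tid, start in threads if (f := classify_thread(tid, start, loaded_modules))]


# Constructed sample data; 14660 mirrors the thread shown in the post.
LOADED = {"ntdll.dll", "kernel32.dll", "sppc.dll"}
SAMPLE_THREADS = [
    (1234, "ntdll.dll!RtlUserThreadStart+0x0"),          # ordinary thread
    (5678, "0x000001f2c3d40000"),                         # unbacked, ‘shinject’ case
    (14660, "sppc.dll!SLpVLActivateProduct+0x1430"),      # backed but mid-function
]
```

Running triage(SAMPLE_THREADS, LOADED) reports the unbacked thread and the mid-function start; the second hit is a lead for analysts, not proof of injection, since some legitimate code also starts threads away from an export entry.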

Lastly, a new Implant designed specifically for Linux has been released, featuring a wide range of modules tailored to this Operating System. A comprehensive list of these modules is shown in the screenshot below:

This new implant will serve as the foundation for enabling Linux Support in ZAIUX Evo, our automated Breach & Attack Simulation solution.


Other features of this release include:

  • Improved stability and performance of chained SMB Implants.
  • Thread Stack Spoofing now leverages valid ‘call’ opcodes.
  • A race-condition has been fixed, which could lead to a crash of the implant.
  • The Unhooking module has been enhanced.
  • The Situational Awareness modules have been completely revised to improve evasion.
  • Various bugfixes in the operator client.


Are you interested in seeing a POC of ZAIUX Framework and learning how to elevate the capabilities of your Red Team to the next level?

Contact us by sending a request, and we will get back to you to schedule a POC with your team!