In the most recent SiegeCast, Corey Overstreet, Senior Security Consultant at Red Siege, took cybersecurity professionals on a deep dive into modern malware techniques. With the landscape of malware evolving at breakneck speed, Corey shared how attackers are leveraging shellcode loaders, sandbox evasion, and bypasses to stay ahead of security teams. Below is a summary of key insights from the discussion, focusing on practical advice for red and blue teams alike.


Key Takeaways for Security Professionals

1. The Cat-and-Mouse Game of Security

Attackers constantly adapt to bypass protections, leaving security teams in a reactive mode. Corey emphasized the importance of contingency planning for both red and blue teams. He highlighted real-world scenarios where pen testers gained access only to be thwarted when defenses were updated between testing days.

Pro Tip: Keep it simple—sometimes the easiest exploit, like a PowerShell loader, is the most effective.


2. Sandbox Evasion Strategies

Malware often gets executed in a sandbox environment to detect suspicious behavior. Attackers rely on sandbox evasion tactics such as:

  • Delaying payload execution (e.g., using sleep loops or complex calculations).
  • Expanding file size beyond the sandbox’s capacity.
  • Environment checks (e.g., verifying domain membership or system configurations).

3. Obfuscation and Static Detection Bypass

Modern malware frequently evades detection by obfuscating signatures or leveraging file formats like XML or MSI installers. Corey shared how security products can miss obfuscated strings or modified default settings.

  • Bypass Tips: Change GUIDs, encryption keys, or variable names within code sourced from GitHub.
  • Proxy DLL hijacking: Shimming malicious code into legitimate applications enhances stealth.

4. Navigating the AMSI and ETW Security Layers

The Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) are common defensive tools. AMSI, often targeted by attackers, can be disabled or bypassed by modifying scan buffers or using older PowerShell versions.

Corey recommended tampering with ETW & AMSI APIs cautiously, as they monitor behavior patterns. Tools like SysWhispers can help attackers bypass API hooks, making detection more difficult.


5. Behavioral Detection: Parent-Child Process Analysis

Many security solutions monitor parent-child process trees for suspicious activity, such as Word launching PowerShell. Corey advised injecting malware into legitimate processes (like browsers) to blend in and reduce visibility.
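As an added defender-side illustration (not code from the talk or from Red Siege), the following Python detector applies the parent-child rule described above to Sysmon-style process-creation events, and also flags the MSBuild/InstallUtil chains listed under tools below. The JSON field names, the suspicious-pair lists and the sample log lines are all constructed assumptions, not a vendor rule set or real telemetry.

```python
import json
from pathlib import PureWindowsPath

# Assumed policy lists (not a vendor rule set): Office parents, script hosts,
# and the trusted build tools the talk mentions as whitelisting bypasses.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
TRUSTED_BUILDERS = {"msbuild.exe", "installutil.exe"}


def image_name(path):
    """Normalise a Windows image path to its lower-case file name."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return a rule tag for one process-creation event, or None if it looks benign."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office-spawns-script-host"
    if child in TRUSTED_BUILDERS and parent in SCRIPT_HOSTS | OFFICE_APPS:
        return "script-host-spawns-trusted-builder"
    return None


def detect(lines):
    """Run the rules over JSON-lines events; only Sysmon-style EventID 1 carries a parent/child pair."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        tag = classify(ev)
        if tag:
            chain = f"{image_name(ev['ParentImage'])} -> {image_name(ev['Image'])}"
            alerts.append({"pid": ev["ProcessId"], "rule": tag, "chain": chain})
    return alerts


# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not real data).
SAMPLE_LOG = [
    r'{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "ProcessId": 5532, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"EventID": 3, "ProcessId": 5532, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationPort": 443}',
    r'{"EventID": 1, "ProcessId": 6004, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    r'{"EventID": 1, "ProcessId": 6120, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that code injected into an already-running browser, as the talk describes, never produces a new process-creation event, so a rule like this has to be paired with injection telemetry (for example, cross-process memory or thread-creation events) rather than relied on alone.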


Tools & Resources for Malware Development

  • SysWhispers: For generating syscall numbers.
  • Mangle & DigDug: Pad files to bypass sandbox size limitations.
  • Cobalt Strike & Covenant: Popular C2 frameworks for advanced payload management.
  • MSBuild and InstallUtil Abuse: Bypass application whitelisting by leveraging trusted Microsoft tools.

Defensive Measures for Blue Teams

Red teams often identify weaknesses that blue teams must address proactively. Corey encouraged defenders to focus on behavioral monitoring, even when detections aren’t perfect. Having visibility into suspicious activities can give teams the opportunity to intervene before damage occurs. It’s important to make sure you are testing your own defenses prior to an actual attack.


Final Thoughts

Malware development is both an art and a science, requiring continuous learning. As Corey noted, self-study and experimentation are essential for staying ahead of attackers. For professionals looking to enhance their skills, Corey recommended resources like Sector7’s courses and Zero Point Security’s Red Team Ops. You can also keep an eye out for our own training at redsiege.com/training.


Join the Conversation

Want to dive deeper into these topics? Join the Red Siege Discord at redsiege.com/discord for ongoing discussions and resources.

