Shellcode Extraction in Cobalt Strike Stagers

[as0ni]

Hi,

First off, thank you for your fantastic contributions to the community! Your research, write-ups, and tools are incredibly inspiring.

I'm reaching out regarding an issue I encountered with mal_unpack while testing it against some Cobalt Strike stagers. Specifically, it appears that mal_unpack does not successfully extract shellcode in cases where the shellcode begins with the CLD (opcode FC) instruction.

For example, in this sample (VT link), the shellcode is deobfuscated following a VirtualAlloc call and starts with FC E8 89 00 00 00. In a similar loader, I found that the shellcode began with the opcodes FC 48 83 E4. I also attempted using the /shellc option, but it did not identify the shellcode in these cases.

The recent addition of the /pattern option is helpful, and I was able to extract the shellcode by providing a custom sig file. However, I wanted to bring this to your attention as these shellcode patterns, starting with FC, are common in Cobalt Strike samples and might be worth considering as built-in signatures for improved detection.

Please note that I haven't tested this with the companion driver yet. If you think it might help in this case, I can give it a try and report back.

Thank you again for all your hard work on this project!

[hasherezade]

Hi @as0ni ! Thank you for your kind words, and for the report! Sure this will be useful to include in the built-in signatures. I will take a look, and update you soon.

[as0ni]

Thank you, @hasherezade! Also, if possible, could you point me to the code that contains the current built-in signatures? Thanks again.

[hasherezade]

@as0ni - the default ones are here: https://github.com/hasherezade/pe-sieve/blob/3f696a8610512db20a3854c988f9823c98b7edaa/utils/code_patterns.h