tl;dr Endpoint security continues to be a hot topic, with almost every organisation deploying various products such as antivirus (AV), endpoint protection (EPP) and endpoint detection and response (EDR) systems to prevent or monitor the execution of malware. In recent years, a real game of cat and mouse has developed between the red teamers (attackers) and the blue teamers (defenders). Malicious attackers and Red Teamer alike keep finding new ways to execute malware on the target computer unnoticed, but it usually does not take long for the defenders or product manufacturers to improve. Meanwhile, from an attacker's point of view, there are a number of different techniques that can be used under Windows OS to enhance their own malware or increase its legitimacy. Depending on the technique used, the implementation can sometimes be complex, e.g. direct syscalls, indirect syscalls, hardware breakpoints, etc.
However, in this blog post I would like to show that even today (March 2023) very simple modifications to a Meterpreter shellcode dropper can be sufficient to bypass modern EDRs. To do this, we will step through three modifications to a Meterpreter reference dropper and record the results in the context of EDR evasion. The three modifications include simply encrypting the Meterpreter shellcode with the XOR algorithm, adding legitimate metadata using a manifest file, and moving the Meterpreter shellcode from the .text section to the .data section.