I am releasing code to help attackers patch their binaries on the fly to avoid checksum-based detections.
As I mentioned in a previous article, https://penconsultants.com/traditional-iocs-suck/, checksum-based detections are close to worthless. But, they are still used by AV vendors, intel feeds, proxy and endpoint-based detections, etc. Defenders need to stop relying on checksum-based detections.
I’m releasing the following two proofs of concept that can help an attacker (red team, pentester, etc.) avoid those detections.
The first is a PowerShell script that will patch every file in a given folder:
The second will patch a file hosted on a web server on demand and serve it up: