Zig Strike: The ultimate toolkit for payload creation and evasion

Red Teaming is a crucial practice for organizations, as it provides essential insights into weaknesses in defense systems, processes and personnel by simulating the techniques, tactics, and methods of threat actors. This practice ensures that your company is better prepared for real-world attacks, strengthening your defenses, and enhancing your readiness for actual attack scenarios.

As cybersecurity threats continue to evolve, staying ahead of potential attackers requires constant innovation and adaptation. This involves not only understanding rising risks, but also developing new tools and techniques to counteract emerging threats.

In this article, we will discuss the latest tool kit that we have released for crafting payloads designed for evasion. We will explore the injection techniques that are used to bypass several Endpoint Detection and Response (EDR) solutions, with a specific focus on demonstrating how we are able to bypass Microsoft Defender for Endpoint (MDE), mimicking realistic attack scenarios from initial compromise to exfiltration.

For the development of our tool kit, we delved into the methods attackers typically use in their ‘trade’. In a recent blog post, we introduced the Mortar Loader project that was coded in Free Pascal and discussed how it may be customized for targeted attacks using various extensions. For more details, please refer to the following articles [1].

Classic programming languages such as Free Pascal are powerful choices for malware development. They allow for rapid coding with minimal detection by antivirus software due to the lack of known signature datasets for these languages.

Transitioning to the Zig language has been noteworthy. Zig represents a significant advancement in modern systems programming, offering improved memory management and a conscious design. It combines the simplicity and low-level control of C language with advanced features like Zig's comptime, which enables code execution at compile time – a truly remarkable capability because it allow us to do type conversion with zero runtime with improved performance, we also used comptime function to perform string type conversion and store the allocated wide string shellcode in PE .rdata section until they are needed.

Our team is releasing Zig Strike, an offensive tool kit designed to utilize several techniques for bypassing defensive mechanisms, including Anti-Virus (AV), next-generation antivirus (NGAV), and Endpoint Detection and Response (XDR/EDR) solutions.

The project has been under continuous development for the past six months. The initial version, built with C and Pascal, was internally tested. However, the new version has been designed to be more feature-rich, offering enhanced capabilities by leveraging the Zig ecosystem alongside C libraries.

With the Zig Strike web interface, you can add or upload your RAW or C-based shellcode, select the specific injection methods, and tune up the options. The backend Zig compiler will then process your inputs, apply the chosen settings and code and finalize the format and compilation process for you. At the end of the run, your payload will be ready to be tested.

The first release of Zig Strike comes with the following features:

1. Web portal: making complexity accessible

The Python-based web interface serves as the command center for Zig Strike, providing:

• Dynamic payload customization, (select and build).
• Visual compilation notification and updates. 
• Multiple anti-sandbox protection options.
• Easy export of generated payloads.

2. Injection techniques

Zig Strike offers four injection techniques in this release, each of which is designed for specific scenarios.

Local thread injection
This technique involves hijacking a created thread, redirecting the payload execution into a dummy function and executing the payload once the thread is resumed. This option also performs function stomping through the dummy function callback which stands for loading specific windows API and stomp it’s function address.

Remote thread hijacking
This technique elevates the approach by targeting existing threads in remote processes, manipulating their execution flow through direct thread context modification. This technique uses GetThreadContext and SetThreadContext APIs to redirect the instruction pointer (RIP) to a shellcode.

Local mapping
This technique introduces a more reliable procedure by leveraging Windows' file mapping APIs (CreateFileMappingW and MapViewOfFile) to allocate executable memory, significantly reducing suspicious memory patterns that EDR solutions typically flag. This method creates a file mapping object in memory and maps a view of this file into the process's address space, providing a cleaner and less detectable alternative to traditional VirtualAlloc calls.

Remote mapping
This technique extends the concept of mapping to cross-process injection, utilizing MapViewOfFileNuma2 API in Zig (MapViewOfFile2) to map shellcode into the address space of remote processes.

3. Entropy and detection reduction

Zig's tooling utilizes an innovative mechanism for embedding shellcode within a Portable Executable (PE) file by leveraging comptime functionality. This approach enables the shellcode to be divided into smaller segments, which are then declared as wide-string variables during the compilation process.

After analysis with tools like PE Bear, it becomes evident that the shellcode is stored within the .rdata section of the PE file. This section is typically reserved for read-only data, such as strings and constants.

By declaring the shellcode as wide-string variables, it blends into this section as ordinary static data. This reduces the likelihood of raising red flags during static analysis. Each segment of the shellcode is also encoded in the Base64 format and stored as a separate wide-string variable, rather than combined into a single long-length variable.

Why choose wide strings (UTF16)?

There are several reasons to choose UTF16 over keeping Zig’s default string type:

• While ANSI strings are more commonly used for ASCII data, wide strings are less prevalent for embedded shellcode. This unusual representation can help evade detection, as AV engines are less likely to treat Base64-encoded UTF16 data as suspicious compared to its ANSI counterpart.
• The use of Zig's comptime feature allows the shellcode to be dynamically reconstructed during compilation, ensuring that no single string or variable contains the entire payload. When paired with wide strings, this approach further fragments the data, making it harder for AV solutions to reconstruct the original shellcode.

By default, the tool performs comptime for 15 segments of the shellcode, but it is also possible to edit the built-in functions in the web application (App.py) or the tool kit source code (main.zig) and increase the number of times you want to split the shellcode, which would reduce the static detection.

4. Anti-sandbox implementation

Anti-sandbox is an effective mechanism to prevent dynamic malware analysis, as Anti-Virus (AV) solutions rely on dynamic sandbox analysis to understand the behavior of the executed binary to determine whether it is safe or malicious  .  

Zig Strike incorporates two primary anti-sandbox mechanisms to achieve this:

• TPM (Trusted Platform Module) Checks. This mechanism verifies the presence of a Trusted Platform Module (TPM), which is often absent in virtualized (or sandbox) environments used by Anti-Virus (AV) for analysis.
• Domain-Joined Verification. This option confirms that the machine is part of a corporate domain, as sandboxes typically operate in isolated environments without domain membership.

5. Output formats

Zig Strike offers two powerful output formats that are designed for different attack scenarios and deployment methods:

• DLL (Dynamic Link Library).  DLL supports both 32-bit and 64-bit architectures with full control over export functions and entry points. DLLs can be loaded through various methods, including DLL hijacking, side-loading, or direct injection, making them suitable for different attack chain
• Excel Add-ins (XLL).  This format provides a unique approach to payload delivery through Microsoft Office integration. XLLs are particularly effective because they leverage the trust associated with the Excel Add-in functionality.

Bypassing advanced security solution XDR/EDR is not just getting the beacon up and running but it is about the action afterwards. To verify the effectiveness of Zig Strike, we not only tested its payloads in a realistic environment (secured environment deployed with Microsoft Defender for End-point (MDE) and Attack Surface Reduction (ASR ) rules enabled).

Through Zig Strike web portal, we select the local thread injection option as it involves executing the shellcode within the context existing process. The XLL format allows the shellcode to be embedded within Excel add-in, which is then loaded into Excel’s Process space, and eventually bypass enabled Attack Surface Reduction (ASR) rules.

Additionally, the use of anti-sandbox techniques, such as checking if a machine is domain-joined, helps to bypass Anti-Virus (AV) sandbox dynamic analysis.

After the completion is finished, copy the payload into Excel add-ins folder(AppData\Roaming\Microsoft\Excel\xlstart).

When the Excel process is launched, the shellcode will be triggered, resulting in the receiving of a Cobalt Strike beacon, as shown in the figure below.

Finally, we can confirm that the generated Zig Strike payload successfully bypassed Microsoft Defender for End-point (MDE), as demonstrated in the image below.

In summarizing our evaluation of Zig Strike, we've discovered that its unique design and demonstrated ability to successfully conduct several injection methods illustrates its potential to circumvent security solutions such as Microsoft Defender for Endpoint (MDE). This provides key insights for both ethical hackers and organizations alike.

For ethical hackers, Zig Strike offers a useful tool to bypass existing defensive security measures. Its current ability underscores the importance of understanding the limitations of current security tools. By highlighting these threats, organizations are better positioned to strengthen their defenses. This element is essential for augmenting an organization's defensive capabilities against practical attack scenarios.

Moreover, Zig Strike is open-source, which by itself serves as an immediate call to action for organizations to persistently enhance their defensive technologies through simulate the attack in a testing environment and build defensive rules for better detection. It highlights the necessity of not depending solely on a singular cybersecurity solution as a comprehensive safeguard. This underscores the importance of a diverse approach to cybersecurity in today’s increasingly interconnected digital landscape.

Since the first release, there are several features have been planned for a future release, so please be sure to follow the tool’s GitHub repository and our future blog posts:
- Direct and indirect syscalls.
- Several injection techniques.
- Sleep obfuscation.

Disclaimer: The information provided in this article is for informational purposes only. The authors do not encourage or endorse any illegal activities. The authors of this article do not condone or encourage the use of the tool described herein for malicious purposes. Any unauthorized use of Zig Strike is strictly prohibited and may have serious legal consequences. Readers are responsible for their actions and may be held liable for any damages or legal consequences arising from the misuse of Mortar Loader described in this article.