# Crypto techniques
The crypto/ package supplies confidentiality and signature-breaking
primitives for payload protection. Two surfaces sit side-by-side: strong
AEAD ciphers for the outer envelope, and lightweight transforms for layered
unpackers and signature defeat.
> [!NOTE]
> Encoding (Base64, UTF-16LE, PowerShell -EncodedCommand) lives in docs/techniques/encode. Hashing (cryptographic + fuzzy + ROR13) lives in docs/techniques/hash.
## TL;DR

```mermaid
flowchart LR
    SC[shellcode] -->|EncryptAESGCM| ENV[encrypted envelope]
    ENV -->|optional layers| OBF[XTEA / S-Box / Matrix]
    OBF --> EMBED[ship in implant]
    EMBED -.runtime.-> DEC[DecryptAESGCM]
    DEC --> WIPE[memory.SecureZero key]
    WIPE --> RUN[inject.Inject]
```
Build-time: encrypt with AES-256-GCM (or XChaCha20-Poly1305), optionally wrap in 1–2 lightweight obfuscation layers, embed in the implant. Runtime: decrypt → wipe key → inject → wipe plaintext.
## Packages

| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| crypto | payload-encryption.md | very-quiet | AEAD (AES-GCM, ChaCha20), stream/block (RC4, TEA, XTEA), signature-breaking transforms (S-Box, Matrix, XOR, ArithShift) |
The package mixes three layers; the technique page documents each layer separately.
## Quick decision tree
| You want to… | Use |
|---|---|
| …encrypt the outer payload envelope | crypto.EncryptAESGCM (preferred) or crypto.EncryptChaCha20 |
| …generate a sane key | crypto.NewAESKey / crypto.NewChaCha20Key |
| …break a YARA byte signature without changing semantics | crypto.NewSBox + SubstituteBytes |
| …add a tiny in-process unpacker stage | crypto.EncryptXTEA |
| …diffuse byte patterns across a block (Hill cipher) | crypto.MatrixTransform |
| …match a legacy Metasploit handler | crypto.EncryptRC4 (cryptographically broken — compatibility only) |
| …compute SHA-256 / MD5 / ROR13 | hash package |
| …Base64 / UTF-16LE / PowerShell-encode | encode package |
## MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1027 | Obfuscated Files or Information | crypto (XOR, TEA, S-Box, Matrix, ArithShift) | D3-SEA (Static Executable Analysis) |
| T1027.013 | Encrypted/Encoded File | crypto (AES-GCM, ChaCha20, RC4) | D3-FCR (File Content Rules) |
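As an added, defender-side example (not the project's code), the check below measures what the D3-SEA static-analysis counter actually sees: ShannonEntropy, SealAESGCM, Substitute and SampleBlob are hypothetical stand-ins, and the AES-GCM envelope layout is assumed because the page does not give one. Run over a constructed low-entropy blob, it shows that an S-Box layer leaves the byte entropy exactly where it was, while the AEAD envelope pushes it to nearly 8 bits/byte, which is the high-entropy artefact the detection-engineering path refers to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"math"
)

// SampleBlob is constructed, repetitive input standing in for a real payload.
var SampleBlob = bytes.Repeat([]byte{0x90, 0x90, 0x48, 0x31, 0xc0, 0xcc, 0, 0}, 512)

// ShannonEntropy returns the byte entropy of b in bits per byte (0 to 8).
func ShannonEntropy(b []byte) float64 {
	var hist [256]float64
	for _, c := range b {
		hist[c]++
	}
	h := 0.0
	for _, cnt := range hist {
		if p := cnt / float64(len(b)); p > 0 {
			h -= p * math.Log2(p)
		}
	}
	return h
}

// SealAESGCM stands in for the page's EncryptAESGCM; its output layout (random nonce || ciphertext || GCM tag) is assumed, not taken from the page.
func SealAESGCM(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Substitute applies a byte S-Box bijection (as NewSBox + SubstituteBytes do); it relabels histogram bins, so the entropy cannot change.
func Substitute(sbox *[256]byte, in []byte) []byte {
	out := make([]byte, len(in))
	for i, c := range in {
		out[i] = sbox[c]
	}
	return out
}
```

A static scanner keyed on entropy therefore flags the AEAD envelope, not the S-Box layer; an S-Box only defeats byte-pattern rules such as D3-FCR.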
## See also

- Operator path: payload protection
- Researcher path: cipher choice
- Detection eng path: high-entropy artefacts
- encode — transport-safe representations.
- hash — integrity + fuzzy similarity + ROR13.
- cleanup/memory.SecureZero — pair to wipe keys after use.