First I would like to mention that this is more about my own learning process other than a proper tutorial. I’ve been playing around with Sliver framework a lot lately, if you’ve done it too then you know you can generate beacons in different formats including shellcode, this is cool, right? Because you can just inject it into memory and the shellcode will reflectively load a DLL that conatins the actual beacon payload, but this process leaves some memory artifacts that can be detected by AVs, EDRs or memory scanners like PE-sieve.

While studying DLL injection techniques, specifically DLL sideloading, I found this article by Palo Alto Network’s Unit 42 When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. The article describes how the dropper was using using a technique known as DLL search order hijacking to sideload a malicious crafted DLL that will inject a Brute Ratel agent (badger) into a remote process’s memory space, in this case RuntimeBroker.