Zig Strike – An Offensive Toolkit to Create Payloads and Bypass AV, XDR/EDR Detections

Zig Strike is a sophisticated offensive toolkit designed to bypass advanced security solutions, including Anti-Virus (AV), Next-Generation Antivirus (NGAV), Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems.

This open-source toolkit represents a significant evolution in red team capabilities, leveraging the modern Zig programming language to create highly evasive payloads that can circumvent even Microsoft Defender for Endpoint (MDE).

Summary
1. The Zig-based toolkit creates evasive payloads that bypass AV, XDR, and EDR security systems.
2. Employs four injection techniques, including thread hijacking and memory mapping for stealth execution.
3. Uses compile-time obfuscation, Base64 encoding, and anti-sandbox checks to avoid detection.
4. Generates DLL and Excel Add-in payloads with a web interface, enhancing red team capabilities.

Advanced Payload Injection and Evasion Techniques

Zig Strike implements four distinct injection methodologies engineered for specific attack scenarios. 

The toolkit features local thread injection, which hijacks newly created threads, redirects execution to the payload through dummy function callbacks, and performs function stomping on Windows API addresses.

Remote thread hijacking escalates this approach by targeting existing threads in remote processes, utilizing GetThreadContext and SetThreadContext APIs to manipulate the instruction pointer (RIP) directly to shellcode.

KPMG said that the toolkit also incorporates local mapping techniques that leverage Windows file mapping APIs including CreateFileMappingW and MapViewOfFile to allocate executable memory, significantly reducing suspicious memory patterns typically flagged by EDR solutions. 

Remote mapping extends this concept through cross-process injection using MapViewOfFileNuma2 API to map shellcode into remote process address spaces.

The toolkit’s evasion capabilities are enhanced through Zig’s comptime functionality, which enables code execution at compile time for improved performance and stealth. 

Zig Strike fragments shellcode into smaller segments stored as Base64-encoded UTF16 wide-string variables within the PE file’s .rdata section, making detection significantly more challenging for static analysis engines.
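A defensive counterpart to the storage scheme just described, added here as an example and not part of Zig Strike or the article: a static heuristic that scans a byte buffer (for instance a PE file's .rdata section extracted with any PE parser) for UTF-16LE strings composed only of Base64 alphabet characters, decodes the well-formed ones and reports the recovered fragments for hashing or scanning. The placeholder payload, chunk size and the 24-character threshold are constructed assumptions.

```python
# Added example (not Zig Strike's code): static heuristic that finds UTF-16LE strings
# made only of Base64 alphabet characters, decodes the well-formed ones and reports
# the fragments for hashing or scanning. Sample section and payload are constructed.
import base64
import binascii
import re

MIN_CHARS = 24  # assumed threshold: shorter wide runs (ordinary identifiers) are ignored

def find_wide_base64_runs(data: bytes, min_chars: int = MIN_CHARS) -> list:
    """UTF-16LE strings of Base64 alphabet chars at least min_chars long."""
    # In UTF-16LE every ASCII character is followed by a NUL byte.
    pattern = re.compile(rb"(?:[A-Za-z0-9+/=]\x00){" + str(min_chars).encode() + b",}")
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(data)]

def decode_fragments(runs: list) -> list:
    """Keep only runs that are strict Base64: length a multiple of 4, valid alphabet."""
    fragments = []
    for text in runs:
        if len(text) % 4:
            continue
        try:
            fragments.append(base64.b64decode(text, validate=True))
        except binascii.Error:
            continue
    return fragments

def scan_section(data: bytes, min_chars: int = MIN_CHARS) -> dict:
    """Summarise wide Base64 content of a section such as .rdata; 'fragments' is what to scan."""
    runs = find_wide_base64_runs(data, min_chars)
    fragments = decode_fragments(runs)
    return {"runs": len(runs), "fragments": fragments,
            "decoded_bytes": sum(len(f) for f in fragments)}

PLACEHOLDER_PAYLOAD = bytes(range(256))  # constructed stand-in, not real shellcode

def build_sample_rdata(payload: bytes, chunk: int = 48) -> bytes:
    """Constructed .rdata-like blob: Base64 chunks as wide strings between benign strings."""
    blob = b"\x00" * 16
    for i in range(0, len(payload), chunk):
        blob += base64.b64encode(payload[i:i + chunk]).decode().encode("utf-16-le") + b"\x00\x00"
        blob += "kernel32.dll".encode("utf-16-le") + b"\x00\x00"  # short and has '.', never matches
    return blob + b"plain ASCII text has no NUL bytes between characters"

if __name__ == "__main__":
    result = scan_section(build_sample_rdata(PLACEHOLDER_PAYLOAD))
    print(result["runs"], "runs,", len(result["fragments"]), "fragments,", result["decoded_bytes"], "bytes")
```

Long wide strings of letters and digits in legitimate binaries will also match, so treat hits as a triage signal and tune the threshold against a clean baseline before alerting on it.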

The system implements anti-sandbox mechanisms including Trusted Platform Module (TPM) checks and domain-joined verification to prevent dynamic analysis in virtualized environments. 

These techniques ensure payloads execute only in legitimate corporate environments, bypassing automated security analysis systems.

Zig Strike generates payloads in multiple formats including Dynamic Link Libraries (DLL) supporting both 32-bit and 64-bit architectures, and Excel Add-ins (XLL) for Microsoft Office integration. 

The XLL format proves particularly effective by leveraging Excel’s trusted add-in functionality to bypass Attack Surface Reduction (ASR) rules.

The toolkit’s Python-based web interface provides dynamic payload customization with visual compilation notifications and easy export capabilities. 

Future releases will incorporate direct and indirect syscalls, additional injection techniques, and sleep obfuscation methods to further enhance evasion capabilities.

This development underscores the critical need for organizations to implement layered defense strategies and continuously update their security postures against evolving threats in the modern cybersecurity landscape.


The post Zig Strike – An Offensive Toolkit to Create Payloads and Bypass AV, XDR/EDR Detections appeared first on Cyber Security News.