{
	"id": "9b65575d-8287-45ba-a201-31628266f4a2",
	"created_at": "2026-04-06T00:08:29.057231Z",
	"updated_at": "2026-04-10T03:30:33.753203Z",
	"deleted_at": null,
	"sha1_hash": "ccef79df9cc8ce25087f25796249fcd5a173da5a",
	"title": "Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 224730,
	"plain_text": "Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads\r\nArchived: 2026-04-05 19:11:14 UTC\r\nJoe Vest | October 9, 2017\r\nhttps://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/\r\nPage 1 of 6\r\n\r\nOverview\r\nA Twitter post by Casey Smith (@subtee) inspired me to update a tool written by Andrew Chiles (@andrewchiles) and me a few years ago.\r\nDuring a Red Team engagement, it can be helpful to blend in with the environment as best as possible when forced to operate from disk. Operating in memory is great, but in many situations or scenarios, you must resort to binaries on disk. A technique I've used with great success is to modify a binary's resource information (metadata). This includes fields such as file icons, version, description, product name, copyright, etc. When defeating security defenses or managing IOCs (see my SANS Breaking Red webcast series for more on IOC management), a threat will often attempt to trick or deceive an analyst. Making files blend into the environment can cause an analyst to treat malicious behavior as trusted. If a binary says it is from Microsoft, it must be…\r\nThis is where MetaTwin comes into play. It has been rewritten to not only modify a binary's metadata, but also add a digital signature, as recently described by @subtee and @mattifestation.\r\n1. MetaTwin starts with a legitimate signed source binary, such as explorer.exe\r\n2. Extracts the resources (via ResourceHacker) and digital signature information (via SigThief)\r\n3. Writes the captured data to a target binary\r\n\r\nDemo\r\nIn this example, I'm simply using a default meterpreter reverse_tcp binary. Nothing special here; use any binary (.exe or .dll). Personally, we're huge fans of Cobalt Strike during real engagements.\r\nAs you can see, the file looks and feels like it could belong there. Storing this in a location such as c:ProgramData... with a modified time stamp could buy a Red Team operator a bit of time and support long(er) term persistence.\r\n\r\nInteresting Observations\r\nAntiVirus\r\nOften simple modifications can cause defensive tools to react in different ways. Of course AV is often not a show-stopping defensive tool, but we were curious as to how AV handled a default Metasploit meterpreter binary when modified with MetaTwin. No obfuscation other than the addition of metadata and digital signatures. The results were interesting…\r\nDefault Reverse TCP Meterpreter Binary\r\nAs expected, VirusTotal reported several hits.\r\nMetadata added to Reverse TCP Meterpreter Binary\r\nInterestingly, adding metadata alone reduced the AV detection rate.\r\nMetadata and Digital Signature added to Reverse TCP Meterpreter Binary\r\nAfter adding a digital signature and the metadata, exposure dropped from 76% to 58%. This is important because we're not even trying to evade AV!\r\nSysInternals AutoRuns\r\nIn addition to Antivirus, you can see how default tool behavior responds to these modifications using SysInternals AutoRuns.\r\nUsing the modified binary, we created a simple persistence mechanism using a scheduled task. AutoRuns can be used to display this type of Windows persistence. But… the modified binary is hidden by default. Take a look…\r\nAutoRuns Default Settings Hide the \"Microsoft\" scheduled task\r\nAutoRuns Default Options\r\nChanging the Default Reveals the \"Microsoft\" scheduled task\r\n\r\nTakeaway\r\nBased on these observations, it's clear that some AV and EDR tools make poor assumptions based on file metadata and digital signatures that can make them less effective or confuse an inexperienced Blue Team member. Red Team operators can use this to their advantage if forced to operate from disk in future engagements.\r\nSource: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/"
	],
	"report_names": [
		"metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ccef79df9cc8ce25087f25796249fcd5a173da5a.pdf",
		"text": "https://archive.orkl.eu/ccef79df9cc8ce25087f25796249fcd5a173da5a.txt",
		"img": "https://archive.orkl.eu/ccef79df9cc8ce25087f25796249fcd5a173da5a.jpg"
	}
}