Faisal Tameesh
Faisal Tameesh (@primal0xF7) is an information security researcher and red team operator. He focuses on researching offensive strategies and creating offensive tooling for the Penetration Testing team under Aon. He holds the OSEE, OSWE, OSCE, OSWP, and OSCP certifications.
Faisal also performs Windows-based vulnerability research and exploit development. Recently, he published “EGREGIOUS MAGE”, a UAF N-Day RCE exploit: https://primalcerebral.com/blog/egregious-mage-nday-rce-exploit-zdi-17-836.php
At BSides KC in 2019, Faisal presented five vulnerabilities in a popular glucometer application that led to the compromise of ~5 million users’ health data: https://www.youtube.com/watch?v=4F1k83S8_mU
Session
During advanced red team engagements, one goal may be to compromise an executive's machine inside the network. The proof of concept for that goal is typically a point-in-time artifact: a screenshot of the executive's desktop, email client, or something similar. In some cases, an organization instead wants the red team to demonstrate long-term access to the executive's machine, to show the impact of a compromise that persists.
Presently, the common host persistence options are well signatured by capable Endpoint Detection and Response (EDR) products. Autostart programs, registry-based persistence keys, and scheduled tasks are all under close scrutiny by EDR.
Backdooring a single DLL that the target application already loads remains feasible with existing techniques such as DLL proxying or The Backdoor Factory. A single backdoored DLL is fragile, however: the next program update that replaces that file removes the backdoor along with it.
DUALITY addresses this problem with tooling and a sequence of techniques for backdooring two or more DLLs, giving a 2-in-1 mechanism for initial access and long-term persistence. Each infected DLL checks the other infected DLLs (its DUALS) and reinfects any that an update has replaced with a clean copy, so the persistence survives repeated program updates while relying on backdoored DLLs only. The mechanism holds as long as no single update replaces every DUAL at once.
The tooling to be released includes pipelines that perform position-independent code (PIC) compilation and a Cobalt Strike aggressor script that interacts with the backend infrastructure, making the capability operation-ready.
Once the DUALITY logic in a backdoored DLL has run, the DLL performs shellcode-based process injection to keep a single C2 implant alive. Each backdoored DLL also carries an encrypted, clean copy of NTDLL, so that sensitive steps such as process injection can be driven from that copy rather than through the NTDLL already loaded in the process, whose exports an EDR may have hooked.
Ultimately, by automating and weaponizing DUALITY-backdoored DLLs, this project hopes to bring more attention to applications that load user-mode DLLs without verifying their signatures.
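The check a defender would want against the weakness this talk targets, added here as an example that is not part of the DUALITY release or the speaker's tooling: a PowerShell script that lists the DLLs a running process has loaded, reports each one's Authenticode status, flags modules loaded from outside the Windows and Program Files trees, and diffs SHA-256 hashes against a baseline taken earlier so that a DLL whose bytes changed on disk (as a DUAL reinfecting its sibling would) stands out. The process ID and the baseline path are parameters chosen by the analyst; a vendor DLL patched in place usually keeps its certificate and therefore reports HashMismatch rather than NotSigned, which is the stronger signal here.

```powershell
# Added example (not part of the DUALITY release): audit the DLLs loaded by one
# process for Authenticode status, load location, and on-disk change since a baseline.
# Run from an elevated shell to read the modules of processes owned by other users.
param(
    [Parameter(Mandatory)][int]$ProcessId,                 # assumption: PID picked by the analyst
    [string]$BaselinePath = "$env:TEMP\dll-baseline.json"   # assumption: where the baseline is kept
)

# DLLs loaded from outside these trees sit where an unprivileged user may be able to
# write, which is where application-private DLLs (the DUALITY target) usually live.
function Test-OutsideProtectedDirs {
    param([string]$Path)
    $roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-ModuleReport {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    foreach ($m in $proc.Modules) {
        $path = $m.FileName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            # A signed vendor DLL patched in place keeps its certificate but reports HashMismatch.
            SigStatus = $sig.Status.ToString()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Outside   = Test-OutsideProtectedDirs -Path $path
        }
    }
}

# First run writes the baseline; later runs report modules whose bytes changed.
function Compare-WithBaseline {
    param([object[]]$Report, [string]$BaselinePath)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $Report | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
        Write-Host "Baseline written to $BaselinePath; re-run after the next update window to diff."
        return
    }
    $old = @{}
    foreach ($e in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $old[$e.Path] = $e.Sha256
    }
    foreach ($e in $Report) {
        if ($old.ContainsKey($e.Path) -and $old[$e.Path] -ne $e.Sha256) {
            [pscustomobject]@{ Path = $e.Path; SigStatus = $e.SigStatus; Finding = 'hash changed since baseline' }
        }
    }
}

$report = @(Get-ModuleReport -ProcessId $ProcessId)

Write-Host "Modules not validly signed, or loaded from outside protected directories:"
$report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Outside } |
    Format-Table Path, SigStatus, Signer, Outside -AutoSize

Write-Host "Modules whose on-disk hash changed since the baseline:"
Compare-WithBaseline -Report $report -BaselinePath $BaselinePath | Format-Table -AutoSize
```

Save it under any name (for instance Audit-LoadedDlls.ps1, a name chosen for this example) and run it once to record the baseline, then again after the application's next update window. Catalog-signed OS binaries report Valid on current Windows, but third-party software ships plenty of legitimately unsigned components, so the first table is a starting point for review rather than a verdict. In the second table, a legitimate update normally changes several files in the same directory at once; a single DLL whose hash changed while its siblings did not is the pattern to chase, and HashMismatch on a previously Valid file is the clearest indicator of in-place patching.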