It's a modern and stealthy process injection technique was discovered by Outflank that involves injecting and executing code in the early stages of process creation before loading EDRs for their user mode detection measures. EarlyCascade technique forces enabling the Shim engine, allowing to hijack a Shim engine callback.
- Creating a process in suspended mode.
- Dynamically locating the addresses of enabling flag and callback.
- Remotely allocating memory for our stub and shellcode.
- Injecting the stub and shellcode into the target process.
- Force the shim engine to be enabled.
- Hijacking a shim engine callback.
- Triggering the callback by resuming the process thread.
At this point, the stub gets executed, and does the following:
- Disrupting the initialization of detection measures.
- Disabling the Shim engine to avoid crash.
- Queuing an Asynchronous Procedure Call (APC) that executes the shellcode later.