MetaTwin – Borrowing Microsoft Metadata and Digital Signatures to “Hide” Binaries


A Twitter post by Casey Smith (@subtee) inspired me to update a tool written by Andrew Chiles (@andrewchiles) and me a few years ago.

During a Red Team engagement, it can be helpful to blend in with the environment as well as possible when forced to operate from disk. Operating in memory is great, but in many situations or scenarios you must resort to binaries on disk. A technique I’ve used with great success is to modify a binary’s resource information (metadata). This includes fields such as file icons, version, description, product name, copyright, etc. When defeating security defenses or managing IOCs (see my SANS Breaking Red webcast series for more on IOC management), a threat will often attempt to trick or deceive an analyst. Making files blend into the environment can cause an analyst to treat malicious behavior as trusted. If a binary says it is from Microsoft, it must be…

This is where MetaTwin comes into play. The tool has been rewritten to not only modify a binary’s metadata, but also add a digital signature, as recently described by @subtee and @mattifestation.

How MetaTwin Works

  1. MetaTwin starts with a legitimate signed source binary, such as explorer.exe
  2. Extracts the resources (via ResourceHacker) and digital signature information (via SigThief)
  3. Writes the captured data to a target binary


In this example, I’m simply using a default meterpreter reverse_tcp binary. Nothing special here; use any binary (.exe or .dll). Personally, we’re huge fans of Cobalt Strike during real engagements.

Figure: file properties before MetaTwin and after MetaTwin

As you can see, the file looks and feels like it could belong there. Storing it in a location such as c:\ProgramData... with a modified time stamp could buy a Red Team operator a bit of time and support long(er) term persistence.

Interesting Observations


Simple modifications can often cause defensive tools to react in different ways. Of course, AV is often not a show-stopping defensive tool, but we were curious as to how AV handled a default Metasploit meterpreter binary when modified with MetaTwin. No obfuscation was applied other than the addition of metadata and digital signatures. The results were interesting…

Default Reverse TCP Meterpreter Binary

As expected, VirusTotal reported several hits.

Metadata added to Reverse TCP Meterpreter Binary

Interestingly, adding metadata alone reduced the AV detection rate.

Metadata and Digital Signature added to Reverse TCP Meterpreter Binary

After adding a digital signature and the metadata, exposure dropped from 76% to 58%. This is important because we’re not even trying to evade AV!

SysInternals AutoRuns

In addition to antivirus, you can see how default tool behavior responds to these modifications using SysInternals AutoRuns.

Using the modified binary, we created a simple persistence mechanism using a scheduled task. AutoRuns can be used to display this type of Windows persistence. But… the modified binary is hidden by default. Take a look…

AutoRuns Default Settings Hide the “Microsoft” scheduled task

AutoRuns Default Options

Changing the Default Reveals the “Microsoft” scheduled task


Based on these observations, it’s clear that some AV and EDR tools make poor assumptions based on file metadata and digital signatures, which can make them less effective or confuse an inexperienced Blue Team member. Red Team operators can use this to their advantage if forced to operate from disk in future engagements.
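As an added defender-side example (not part of MetaTwin or the original post), the PowerShell below lists scheduled-task binaries whose version metadata names a vendor that the file’s Authenticode signature cannot actually back up: a signature block copied from another file no longer matches the file hash, so validation returns HashMismatch even though the signer name looks right. It assumes the built-in ScheduledTasks module and Get-AuthenticodeSignature; the function name Test-TaskBinarySignature is my own.

```powershell
# Added example, not MetaTwin code: flag scheduled-task binaries whose metadata
# claims a vendor that the file's Authenticode signature does not validate for.
function Test-TaskBinarySignature {
    param(
        # Vendor string expected in both the version metadata and the signer subject.
        [string]$Vendor = 'Microsoft'
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions have no Execute path

            # Task actions are often quoted and may use environment variables.
            $path = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

            $info = (Get-Item -LiteralPath $path).VersionInfo
            $sig  = Get-AuthenticodeSignature -LiteralPath $path

            $claimsVendor = $info.CompanyName -like "*$Vendor*"
            # Only a cryptographically valid signature from the claimed vendor counts;
            # a copied signature block yields Status = HashMismatch.
            $signerOk = ($sig.Status -eq 'Valid') -and
                        ($sig.SignerCertificate.Subject -like "*$Vendor*")

            if ($claimsVendor -and -not $signerOk) {
                [pscustomobject]@{
                    Task        = $task.TaskName
                    Path        = $path
                    CompanyName = $info.CompanyName
                    SigStatus   = $sig.Status
                    Signer      = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

# Review the mismatches rather than trusting the vendor name shown in the file properties.
Test-TaskBinarySignature | Format-Table -AutoSize
```

Run it in an elevated session so tasks registered by other accounts are enumerated.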

Try MetaTwin Yourself

Get a copy here

Want to learn more about Red Teaming?

Red Team Operation and Threat Emulation

Check out the new SANS Red Team course written by MINIS’ own Joe Vest and James Tubberville

SEC 564 Red Team Operation and Threat Emulation

About Joe Vest

Joe Vest has worked in the information technology industry for over 17 years with a focus on red teaming, penetration testing and application security. Joe is an author of the SANS Red Team Operations and Threat Emulation course (SEC-564). As a former technical lead for a DoD red team, he has extensive knowledge of cyber threats and their tools, tactics and techniques, including threat emulation and threat detection. Joe is the co-founder of the security consulting company MINIS LLC (Merged with SpecterOps in 2017). As a leading security professional, he has achieved numerous security certifications: OSCP, CISSP-ISSMP, CISA, GPEN, GCIH, GWAPT, CEH, Security+