CyberEd Essentials

The Hidden Art of Rolling Shellcode Decryption


Course

Tijme Gommers of ABN AMRO Bank examines instruction-level shellcode decryption that keeps malware invisible in memory, reshaping detection, reverse engineering and modern offensive tradecraft.

Memory-resident shellcode remains a primary detection point for endpoint security tools, even when encryption techniques such as sleep masks reduce exposure during idle periods. A new execution approach challenges that model by ensuring shellcode is never fully visible in memory, even while active. This technique relies on instruction-level decryption, where each assembly instruction is decrypted just before execution and immediately re-encrypted, eliminating persistent signatures.

The approach introduces significant advantages for offensive operations while creating new analytical and detection challenges for defenders. It also forces a rethink of how memory scanning, behavioral analysis and reverse engineering workflows operate under extreme execution obfuscation.

In this insightful session, Tijme Gommers, offensive cyber security expert at ABN AMRO Bank, will discuss:

  • Limits of traditional memory encryption and sleep masking;
  • Instruction-level decryption as an execution strategy;
  • Operational trade-offs for offensive tooling.

Here is the course outline:

The Hidden Art of Rolling Shellcode Decryption

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
