A Proof-Of-Idea Cobalt Strike Reflective Loader Which Goals To Recreate, Combine, And Improve Cobalt Strike’s Evasion Options!

20 August 2024

10

A proof-of-concept Consumer-Outlined Reflective Loader (UDRL) which goals to recreate, combine, and improve Cobalt Strike’s evasion options!

Contributors:

UDRL Utilization Concerns

The built-in Cobalt Strike reflective loader is strong, dealing with all Malleable PE evasion options Cobalt Strike has to supply. The foremost drawback to utilizing a customized UDRL is Malleable PE evasion options could or is probably not supported out-of-the-box.

The target of the general public BokuLoader undertaking is to help crimson groups in creating their very own in-house Cobalt Strike UDRL. The undertaking goals to help all worthwhile CS Malleable PE evasion options. Some evasion options leverage CS integration, others have been recreated utterly, and a few are unsupported.

Earlier than utilizing this undertaking, in any kind, you must correctly check the evasion options are working as meant. Between the C code and the Aggressor script, compilation with totally different variations of working programs, compilers, and Java could return totally different outcomes.

Evasion Options

BokuLoader Particular Evasion Options

Reflective callstack spoofing through artificial frames.
Customized ASM/C reflective loader code
Oblique NT syscalls through HellsGate & HalosGate strategies
All reminiscence safety adjustments for all allocation choices are performed through oblique syscall to NtProtectVirtualMemory
obfuscate "true" with customized UDRL Aggressor script implementation.
NOHEADERCOPY
Loader is not going to copy headers uncooked beacon DLL to digital beacon DLL. First 0x1000 bytes might be nulls.
XGetProcAddress for resolving symbols
Doesn’t use Kernel32.GetProcAddress
xLoadLibrary for resolving DLL’s base handle & DLL Loading
For loaded DLLs, will get DLL base handle from TEB->PEB->PEB_LDR_DATA->InMemoryOrderModuleList
Doesn’t use Kernel32.LoadLibraryA
Caesar Cipher for string obfuscation
100k UDRL Measurement
Import DLL names and import entry identify strings are stomped in digital beacon DLL.

Supported Malleable PE Evasion Options

Command	Choice(s)	Supported
`allocator`	HeapAlloc, MapViewOfFile, VirtualAlloc	All supported through BokuLoader implementation
`module_x64`	string (DLL Title)	Supported through BokuLoader implementation. Similar DLL stomping necessities as CS implementation apply
`obfuscate`	true/false	HTTP/S beacons supported through BokuLoader implementation. SMB/TCP is at the moment not supported for obfuscate true. Particulars in difficulty. Accepting assist when you can repair 🙂
`entry_point`	RVA as decimal quantity	Supported through BokuLoader implementation
`cleanup`	true	Supported through CS integration
`userwx`	true/false	Supported through BokuLoader implementation
`sleep_mask`	(true/false) or (Sleepmask Package+true)	Supported. When utilizing default “sleepmask true” (with out sleepmask equipment) set “userwx true”. When utilizing sleepmask equipment which helps RX beacon.textual content reminiscence (`src47/Ekko`) set “sleepmask true” && “userwx false”.
`magic_mz_x64`	4 char string	Supported through CS integration
`magic_pe`	2 char string	Supported through CS integration
`transform-x64 prepend`	escaped hex string	`BokuLoader.cna` Aggressor script modification
`transform-x64 strrep`	string string	`BokuLoader.cna` Aggressor script modification
`stomppe`	true/false	Unsupported. BokuLoader doesn’t copy beacon DLL headers over. First `0x1000` bytes of digital beacon DLL are `0x00`
`checksum`	quantity	Experimental. `BokuLoader.cna` Aggressor script modification
`compile_time`	date-time string	Experimental. `BokuLoader.cna` Aggressor script modification
`image_size_x64`	decimal worth	Unsupported
`identify`	string	Experimental. `BokuLoader.cna` Aggressor script modification
`rich_header`	escaped hex string	Experimental. `BokuLoader.cna` Aggressor script modification
`stringw`	string	Unsupported
`string`	string	Unsupported

Check

Mission Origins

Utilization

Compile the BokuLoader Object file with make
Begin your Cobalt Strike Crew Server
Inside Cobalt Strike, import the BokuLoader.cna Aggressor script
Generate the x64 beacon (Assaults -> Packages -> Home windows Executable (S))
Use the Script Console to make sure BokuLoader was carried out within the beacon construct
Doesn’t help x86 possibility. The x86 bin is the unique Reflective Loader object file.
Producing RAW beacons works out of the field. When utilizing the Artifact Package for the beacon loader, the stagesize variable have to be bigger than the default.
See the Cobalt Strike Consumer-Outlined Reflective Loader documenation for added info

Detection Steerage

Hardcoded Strings

BokuLoader adjustments some generally detected strings to new hardcoded values. These strings can be utilized to signature BokuLoader:

Authentic Cobalt Strike String	BokuLoader Cobalt Strike String
ReflectiveLoader	BokuLoader
Microsoft Base Cryptographic Supplier v1.0	12367321236742382543232341241261363163151d
(admin)	(tomin)
beacon	bacons

Reminiscence Allocators

DLL Module Stomping

The Kernel32.LoadLibraryExA is named to map the DLL from disk
The third argument to Kernel32.LoadLibraryExA is DONT_RESOLVE_DLL_REFERENCES (0x00000001)
the system doesn’t name DllMain
Doesn’t resolve addresses in LDR PEB entry as detailed by MDSec right here
Detectable by scanning course of reminiscence with pe-sieve software

Heap Allocation

Executable RX or RWX reminiscence will exist within the heap if sleepmask equipment is just not used.

Mapped Allocator

The Kernel32.CreateFileMappingA & Kernel32.MapViewOfFile is named to allocate reminiscence for the digital beacon DLL.

Sleepmask Detection

Oblique Syscalls

BokuLoader calls the next NT systemcalls to setup the loaded executable beacon reminiscence: NtAllocateVirtualMemory, NtProtectVirtualMemory
These are known as not directly from the BokuLoader executable reminiscence.
Setting userland hooks in ntdll.dll is not going to detect these systemcalls.
It might be doable to register kernelcallbacks utilizing a kernel driver to observe for the above system calls and detect their utilization.
The BokuLoader itself will comprise the mov eax, r11d; mov r11, r10; mov r10, rcx; jmp r11 meeting directions inside its executable reminiscence.

Digital Beacon DLL Header

The primary 0x1000 bytes of the digital beacon DLL are zeros.

Supply Code Out there

The BokuLoader supply code is offered throughout the repository and can be utilized to create reminiscence signatures.
If in case you have further detection steering, please be at liberty to contribute by submitting a pull request.

Credit / References

Reflective Name Stack Spoofing

Reflective Loader

HalosGate SysCaller

Reenz0h from @SEKTOR7net
Checkout Reenz0h’s superior programs and blogs!
Greatest courses for malware improvement I’ve taken.
Creator of the halos gate approach. His work was initially the motivation for this work.
Sektor7 HalosGate Weblog

HellsGate Syscaller

Aggressor Scripting

Cobalt Strike Consumer Outlined Reflective Loader

https://www.cobaltstrike.com/help-user-defined-reflective-loader

Nice Useful resource for studying Intel ASM

ETW and AMSI Bypass

Implementing ASM in C Code with GCC

https://outflank.nl/weblog/2020/12/26/direct-syscalls-in-beacon-object-files/
https://www.cs.uaf.edu/2011/fall/cs301/lecture/10_12_asm_c.html
http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/Prolonged-Asm.html#Prolonged-Asm

Cobalt Strike C2 Profiles

Previous articleApple Pay donation marketing campaign launched to help America’s nationwide parks

Next articleFixing “Changing non-sendable perform worth might introduce information races” in Swift