AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion

1 year ago 103

BOOK THIS SPACE FOR AD

ARTICLE AD

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.

Features

Easy to Use

Import a single CNA script before generating shellcode.

Dynamic Memory Encryption

Creates a new heap for any allocations from Beacon and encrypts entries before sleep.

Code Obfuscation and Encryption

Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).

Return Address Spoofing at Execution

Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).

Sleep Without Sleep

Delayed execution using WaitForSingleObjectEx.

RC4 Encryption

All encryption performed with SystemFunction032.

Known Issues

Not compatible with loaders that rely on the shellcode thread staying alive.

References

This project would not have been possible without the following:

FOLIAGE x64 return address spoofing (source + explanation)

Other features and inspiration were taken from the following:

https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/ https://github.com/secidiot/TitanLdr https://github.com/JLospinoso/gargoyle https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta https://www.arashparsa.com/hook-heaps-and-live-free/ https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/ https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures

AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion Reviewed by Zion3R on 8:30 AM Rating: 5

Read Entire Article