This is a fork of Cobalt Strike's User-Defined Reflective Loader which in turn is a fork of Stephen Fewer's ReflectiveDLLInjection implementation, but with a slight plot twist - it adds a few well-known AV/EDR evasion hooks/patches!
Whenever we issue execute-assembly
or perform any other Cobalt-Strike native action that injects capability into a sacrificial process, the Cobalt Strike will utilize its Reflective Loader to inject DLL into a remote process, instantiate it and execute our action. The thing is though, that sometimes we might come across EDR triggering alerts not during the mere process-injection but afterwards, as soon as the injected .NET assembly or our keylogger/screenshot capability invokes monitored API, or issues unsafe script.
We can attempt to combat these detections by pre-pending our injected capabilities with some preliminary hot-patches.
At the end of the day, we Red Teamers are getting paid for raising the bar, aren't we? :)
- AMSI Bypass through
amsi!AmsiScanBuffer
memory patch - ETW Bypass through
ntdll!EtwEventWrite
memory patch - WLDP Bypass through
wdlp!WldpQueryDynamicCodeTrust
memory patch - utilizes changed API/module name dynamic resolution hashes to avoid simple signature detections
- Load
rdll_loader.cna
script into Cobalt Strike - Generate your beacon via
Attacks -> Packages -> Windows Executable (S)
or any other sort of Beacon's shellcode. - (Optionally) observe output in
View -> Script Console
The CNA script may have $debug
mode enabled by flipping the variable:
# Enable Debug of PE content
# The generated PE content will be displayed in the script console if debug is true
#$debug = "true";
$debug = "true";
Which will dump PE headers of newly generated Reflective DLL containing Beacon's codebase.
- I'm focused on getting Raphael's
unhook-bof
implementation added to Reflective Loader - oh boy that would a killer, don't you think? - Refactoring dumb memory patches into more subtle hooked implementations of routine wrappers for
AmsiScanBuffer
orEtwEventWrite
- Implement ETW unregistration instead of brutal memory patching.
- Introduce typical anti-emulation/anti-sandboxing guardrails - delaying execution, validating safe environments (am I, the ReflectiveLoader, running inside of an emulator?)
- x86 Reflective Loader does not work at the moment!
So far there aren't many publicly available implementations of User-Defined Reflective Loaders, but the ones of a great quality that I'm aware of include:
- boku7's CobaltStrikeReflectiveLoader - reimplemting the idea in pure inline Assembly, thwarting naive static signatures (and oh, it too comes with AMSI and ETW patches!)
Mariusz B. / mgeeky, 21
<mb [at] binary-offensive.com>
(https://github.com/mgeeky)