This is a fork of Cobalt Strike's User-Defined Reflective Loader which in turn is a fork of Stephen Fewer's ReflectiveDLLInjection implementation, but with a slight plot twist - it adds a few lightweight evasions.
- utilizes changed API/module name dynamic resolution hashes to avoid simple signature detections
- reflective loader now properly restores section memory protections and avoids using one big
RWXallocation elusiveMicetries to wipe itself from the memory, leaving close to no remnants of UDRL code when memory scan sweep comes in
- Modify you
arsenal_kit.configaccordingly:
include_artifact_kit="true"
include_udrl_kit="false"
include_sleepmask_kit="true"
include_process_inject_kit="true"
include_resource_kit="true"
include_mimikatz_kit="true"
rdll_size=100
artifactkit_stack_spoof="true"
artifactkit_technique="mailslot"
artifactkit_stage_size=424948
artifactkit_syscalls_method="indirect_randomized"
sleepmask_sleep_method="WaitForSingleObject"
sleepmask_mask_text_section="true"
sleepmask_syscalls_method="indirect_randomized"
- Compile arsenal kit
./build_arsenal_kit.sh - Load
bin/elusiveMice.cnascript into your Cobalt Strike - Generate your beacon via
Attacks -> Packages -> Windows Stageless Payloador any other sort of Beacon's shellcode. - (Optionally) observe output in
View -> Script Console
The CNA script may have $debug mode enabled by flipping the variable:
# Enable Debug of PE content
# The generated PE content will be displayed in the script console if debug is true
#$debug = "true";
$debug = "true";
Which will dump PE headers of newly generated Reflective DLL containing Beacon's codebase.
So far there aren't many publicly available implementations of User-Defined Reflective Loaders, but the ones of a great quality that I'm aware of include:
Mariusz B. / mgeeky, 21-23
<mb [at] binary-offensive.com>
(https://github.com/mgeeky)