AceLdr – Cobalt Strike UDRL For Memory Scanner Evasion
A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
Features
Easy to Use
Import a single CNA script before generating shellcode.
Dynamic Memory Encryption
Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
Code Obfuscation and Encryption
Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
Return Address Spoofing at Execution
Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
Sleep Without Sleep
Delayed execution using WaitForSingleObjectEx.
RC4 Encryption
All encryption performed with SystemFunction032.
Known Issues
- Not compatible with loaders that rely on the shellcode thread staying alive.
References
This project would not have been possible without the following:
Other features and inspiration were taken from the following:
- https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/
- https://github.com/secidiot/TitanLdr
- https://github.com/JLospinoso/gargoyle
- https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
- https://www.arashparsa.com/hook-heaps-and-live-free/
- https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/
- https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon using the button below
To keep up to date follow us on the below channels.
