This release puts more control into your hands, improves Cobalt Strike’s evasive qualities and addresses a number of smaller changes requested by our users… and yes! We’ve added a reconnect button!

User Defined Reflective DLL Loader

Cobalt Strike has a lot of flexibility in its Reflective Loading foundation, but it does have limitations. We’ve seen a lot of community interest in this area, so we’ve made changes to allow you to completely bypass that and define your own Reflective Loading process instead. We’ve extended the changes that were initially made to the Reflective Loader in the 4.2 release to give you an Aggressor Script hook that allows you to specify your own Reflective Loader and completely redefine how Beacon is loaded into memory. The default Reflective Loader will still be available to use at any time. An Aggressor Script API has been provided to facilitate this process. This is a huge change and we plan to follow up with a separate blog post to go into more detail on this feature. The User Defined Reflective Loader kit can be downloaded from the Cobalt Strike arsenal. For now, you can find more information here.

Avoid localhost Sysmon Event 22 for Beacon Metadata Resolution

When Beacon starts, it resolves metadata to send back to Cobalt Strike. Previously, Beacon stuck out like a sore thumb in mature environments, since the method used to resolve this metadata triggered Sysmon Event 22 (DNS Query) and had become a way to reliably fingerprint Beacon every time it runs. The 4.4 release modifies how this metadata is resolved so that this no longer happens.

The sleep_mask is Cobalt Strike’s ability to mask and unmask itself in memory. The goal of this feature is to push memory detections away from content-based signatures. Although sleep_mask can encode Beacon’s data and code (if the agent is in RWX memory), the static stub is still a target for in-memory hunting based on content.
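To show why the metadata-resolution artifact described above was such a reliable fingerprint for defenders, here is an added example (written for this page, not Cobalt Strike's or Sysmon's own code) that parses Sysmon Event ID 22 records in their exported XML form and flags DNS queries for "localhost" together with the process that issued them. The sample events are constructed; the namespace URI is the standard Windows event schema.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + NS_URI + "}"

# Constructed sample Sysmon events (not real telemetry). The first Event 22
# mimics the pre-4.4 fingerprint: a DNS query for "localhost" from a binary in
# a user-writable directory. The others are benign noise and must not match.
SAMPLE_XML = f"""<Events xmlns="{NS_URI}">
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="QueryName">localhost</Data>
<Data Name="QueryResults">::1;127.0.0.1;</Data>
<Data Name="Image">C:\\Users\\demo\\AppData\\Local\\Temp\\update.exe</Data>
<Data Name="ProcessId">4242</Data></EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="QueryName">www.example.com</Data>
<Data Name="QueryResults">203.0.113.10;</Data>
<Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data Name="ProcessId">1337</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>
</Events>"""


def parse_dns_events(xml_text):
    """Return the EventData fields (name -> value) of every Event ID 22 record."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(NS + "Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "22":
            continue  # not a DNS Query event
        fields = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        events.append(fields)
    return events


def flag_localhost_queries(xml_text):
    """Return (Image, ProcessId) for every DNS Query event whose name is 'localhost'."""
    return [
        (e.get("Image", ""), e.get("ProcessId", ""))
        for e in parse_dns_events(xml_text)
        if e.get("QueryName", "").strip().lower() == "localhost"
    ]


if __name__ == "__main__":
    for image, pid in flag_localhost_queries(SAMPLE_XML):
        print(f"localhost DNS query from {image} (pid {pid})")
```

A real deployment would feed exported Sysmon XML (or the equivalent SIEM fields) into `flag_localhost_queries` and suppress known system processes that legitimately resolve localhost.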