kyleavery / aceldr
Cobalt Strike UDRL for memory scanner evasion.
License: MIT License
Hi, nice work by the way.
I just tried this and wanted to test it with Moneta; it appears I got flagged.
Moneta64.exe -p 2516 -m ioc
Moneta v1.0 | Forrest Orr | 2020
cmd.exe : 2516 : x64 : C:\Windows\System32\cmd.exe
0x000001FFDEDD0000:0x00002000 | Private
0x000001FFDEDD0000:0x00001000 | RX | 0x00000000 | Abnormal private executable memory
... scan completed (0.657000 second duration)
The command I use is
inject 2516 x64
Before inject, nothing shows in Moneta:
Moneta64.exe -p 2516 -m ioc
Moneta v1.0 | Forrest Orr | 2020
... scan completed (0.219000 second duration)
I thought the reason might be the CNA scripts I loaded in CS, so I unloaded them all but the AceLdr one, but still got the same results.
The CS version I use is 4.7; I'll try whether 4.3 works while waiting for some suggestions.
Hi, thanks for your project. I want to know how to start this project: do I just need to execute the Makefile, then load the CNA script into Cobalt Strike, and finally I can enjoy it? I very much hope to get your answer, thanks.
Getting multiple errors below when compiling in stock up-to-date Kali Linux:
src/hooks/../native.h:21723:1: error: ‘SetProcessValidCallTargets’ redeclared without dllimport attribute: previous dllimport ignored [-Werror=attributes]
Resolved by copying over the extra declaration found in MinGW's include files:
diff --git a/src/native.h b/src/native.h
index d74ce7f..1846046 100644
--- a/src/native.h
+++ b/src/native.h
@@ -21718,6 +21718,7 @@ typedef struct _CFG_CALL_TARGET_INFO {
} CFG_CALL_TARGET_INFO, *PCFG_CALL_TARGET_INFO;
#endif
+WINBASEAPI
WINBOOL
WINAPI
SetProcessValidCallTargets(
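Review bot: adding WINBASEAPI only makes the storage class of this local prototype agree with the one in MinGW's memoryapi.h, which is what the -Werror=attributes diagnostic quoted above complains about; keeping a second prototype of a function the toolchain headers already declare remains fragile. The hunk is cut off before the parameter list, and if those parameter types differ from the header's declaration the compiler reports a conflicting-types error instead (as the other compile report on this page shows), so the more robust fix is to drop the local declaration from native.h, or wrap it in a guard so it is only emitted when the MinGW header has not already declared it.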
No idea if it is a bug or something with my setup, so sharing just in case.
Execute the stageless shellcode and just exit.
Hey,
this may be some stupid bug/question from my side, but I did try to compile on multiple systems and always got the following error:
└─# make
In file included from src/include.h:12,
                 from src/ace.c:5:
src/native.h:22184:1: error: conflicting types for ‘SetProcessValidCallTargets’
22184 | SetProcessValidCallTargets(
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/share/mingw-w64/include/winbase.h:25,
                 from /usr/share/mingw-w64/include/windows.h:70,
                 from src/include.h:8,
                 from src/ace.c:5:
/usr/share/mingw-w64/include/memoryapi.h:54:29: note: previous declaration of ‘SetProcessValidCallTargets’ was here
   54 | WINBASEAPI WINBOOL WINAPI SetProcessValidCallTargets(HANDLE hProcess, PVOID VirtualAddress, SIZE_T RegionSize, ULONG NumberOfOffsets, PCFG_CALL_TARGET_INFO OffsetInformation);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/include.h:12,
                 from src/retaddr.c:6:
src/native.h:22184:1: error: conflicting types for ‘SetProcessValidCallTargets’
22184 | SetProcessValidCallTargets(
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/share/mingw-w64/include/winbase.h:25,
                 from /usr/share/mingw-w64/include/windows.h:70,
                 from src/include.h:8,
                 from src/retaddr.c:6:
/usr/share/mingw-w64/include/memoryapi.h:54:29: note: previous declaration of ‘SetProcessValidCallTargets’ was here
   54 | WINBASEAPI WINBOOL WINAPI SetProcessValidCallTargets(HANDLE hProcess, PVOID VirtualAddress, SIZE_T RegionSize, ULONG NumberOfOffsets, PCFG_CALL_TARGET_INFO OffsetInformation);
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/include.h:12,
                 from src/util.c:6:
src/native.h:22184:1: error: conflicting types for ‘SetProcessValidCallTargets’
Any idea how to get rid of this?
Greetings
Hi,
Do you anticipate this is compatible with the new version of Cobalt Strike (4.7)? I cannot get it to work with that version.
I have the following output using make (not sure if relevant)
± make
/usr/local/Cellar/mingw-w64/10.0.0_1/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: bin/AceLdr.x64.exe:.text: section below image base
I updated my Malleable profile to match your example.
I can see "[13:50:58] [!] Loading custom user defined reflective loader from: ..../AceLdr/bin/AceLdr.x64.bin at AceLdr.cna:10" when I generate a stageless beacon artefact. I have AV disabled for test purposes, so it's not that. When I generate an .exe, I get the following error upon execution (see screenshot below). It just fails silently when I use raw shellcode coupled with something else, or just a DLL executed with rundll32.
Any ideas?
The loader appears to compile using the Makefile on WSL2 Ubuntu and on a Kali OS updated as of today. The Makefile appears to output the .o files for the UDRL in the bin folder that the CNA uses. The Cobalt Strike version is 4.7.2. The exe used to start the test payload is x64. I am using the example profile (minus the HTTP comms part).
When the stageless and staged beacons are created without the Artifact Kit, I get the same errors as #6.
Hi, I encountered an issue with the shellcode generated by AceLdr on Windows Server 2016.
Summary test/debug results:
Why do you think this is happening and what could be a possible solution?
Is the process death expected when you exit?
The SegCs is not initialized in the allocated Contexts by initContexts.
At line 153: *contexts[i] = *contexts[11]; makes no sense: all records are not initialized at this point anyway and are all zero.
Only after line 265: Status = pApi->ntdll.NtGetContextThread( WaitThd, Contexts[11] ); is record 11 initialized (in particular SegCs).
After this, but not before, *Contexts[i] = *Contexts[11] in a loop makes sense.
In the current code, in the other (i != 11) records, SegCs == 0, despite that it must be set to the correct value if we set CONTEXT_CONTROL (part of CONTEXT_FULL). Which effect does this have? On Windows 10, beginning from some version, this works OK, but before (the first 10 versions, Win 8.1, etc.) the code is crashing after NtContinue: the SegCs value is 0x23 instead of 0x33, and Rip/Rsp are truncated to 32-bit values.
Also, instead of allocating sizeof(CONTEXT) N times (and then freeing it N times), why not allocate N*sizeof(CONTEXT) once and free it also only once?
I had collected some YARA rules which can detect beacons generated from AceLdr:
rule HKTL_CobaltStrike_Beacon_4_2_Decrypt {
meta:
author = "Elastic"
description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
strings:
$a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
$a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
condition:
any of them
}
rule CobaltStrikeBeacon
{
meta:
author = "ditekshen, enzo & Elastic"
description = "Cobalt Strike Beacon Payload"
cape_type = "CobaltStrikeBeacon Payload"
strings:
$s1 = "%%IMPORT%%" fullword ascii
$s2 = "www6.%x%x.%s" fullword ascii
$s3 = "cdn.%x%x.%s" fullword ascii
$s4 = "api.%x%x.%s" fullword ascii
$s5 = "%s (admin)" fullword ascii
$s6 = "could not spawn %s: %d" fullword ascii
$s7 = "Could not kill %d: %d" fullword ascii
$s8 = "Could not connect to pipe (%s): %d" fullword ascii
$s9 = /%s\.\d[(%08x).]+\.%x%x\.%s/ ascii
$pwsh1 = "IEX (New-Object Net.Webclient).DownloadString('http" ascii
$pwsh2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
$ver3a = {69 68 69 68 69 6b ?? ?? 69}
$ver3b = {69 69 69 69}
$ver4a = {2e 2f 2e 2f 2e 2c ?? ?? 2e}
$ver4b = {2e 2e 2e 2e}
$a1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x00-0xff)
$a2 = "Started service %s on %s" xor(0x00-0xff)
$a3 = "%s as %s\\%s: %d" xor(0x00-0xff)
$b_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
$b_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
condition:
all of ($ver3*) or all of ($ver4*) or 2 of ($a*) or any of ($b*) or 5 of ($s*) or (all of ($pwsh*) and 2 of ($s*)) or (#s9 > 6 and 4 of them)
}
rule cobalt_strike
{
meta:
author = "Elastic Security"
creation_date = "2021-03-23"
last_modified = "2021-08-23"
description = "Attempts to detect Cobalt Strike based on number of signatures related to BEACON"
os = "Windows"
arch = "x86"
category_type = "Trojan"
family = "CobaltStrike"
threat_name = "Windows.Trojan.CobaltStrike"
strings:
$a1 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a2 = "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a3 = "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset." ascii fullword
$a4 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword
$a5 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')" ascii fullword
$a6 = "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a7 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword
$a8 = "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a9 = "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a10 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword
$a11 = "Could not open service control manager on %s: %d" ascii fullword
$a12 = "%d is an x64 process (can't inject x86 content)" ascii fullword
$a13 = "%d is an x86 process (can't inject x64 content)" ascii fullword
$a14 = "Failed to impersonate logged on user %d (%u)" ascii fullword
$a15 = "could not create remote thread in %d: %d" ascii fullword
$a16 = "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a17 = "could not write to process memory: %d" ascii fullword
$a18 = "Could not create service %s on %s: %d" ascii fullword
$a19 = "Could not delete service %s on %s: %d" ascii fullword
$a20 = "Could not open process token: %d (%u)" ascii fullword
$a21 = "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a22 = "Could not start service %s on %s: %d" ascii fullword
$a23 = "Could not query service %s on %s: %d" ascii fullword
$a24 = "Could not connect to pipe (%s): %d" ascii fullword
$a25 = "%s.1%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a26 = "could not spawn %s (token): %d" ascii fullword
$a27 = "could not open process %d: %d" ascii fullword
$a28 = "could not run %s as %s\\%s: %d" ascii fullword
$a29 = "%s.1%08x%08x%08x%08x.%x%x.%s" ascii fullword
$a30 = "kerberos ticket use failed:" ascii fullword
$a31 = "Started service %s on %s" ascii fullword
$a32 = "%s.1%08x%08x%08x.%x%x.%s" ascii fullword
$a33 = "I'm already in SMB mode" ascii fullword
$a34 = "could not spawn %s: %d" ascii fullword
$a35 = "could not open %s: %d" ascii fullword
$a36 = "%s.1%08x%08x.%x%x.%s" ascii fullword
$a37 = "Could not open '%s'" ascii fullword
$a38 = "%s.1%08x.%x%x.%s" ascii fullword
$a39 = "%s as %s\\%s: %d" ascii fullword
$a40 = "%s.1%x.%x%x.%s" ascii fullword
$a41 = "beacon.x64.dll" ascii fullword
$a42 = "%s on %s: %d" ascii fullword
$a43 = "www6.%x%x.%s" ascii fullword
$a44 = "cdn.%x%x.%s" ascii fullword
$a45 = "api.%x%x.%s" ascii fullword
$a46 = "%s (admin)" ascii fullword
$a47 = "beacon.dll" ascii fullword
$a48 = "%s%s: %s" ascii fullword
$a49 = "@%d.%s" ascii fullword
$a50 = "%02d/%02d/%02d %02d:%02d:%02d" ascii fullword
$a51 = "Content-Length: %d" ascii fullword
$b1 = { 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 }
$c1 = { 25 FF FF FF 00 3D 41 41 41 00 75 [5-10] 25 FF FF FF 00 3D 42 42 42 00 75 }
$c2 = { 25 FF FF FF 00 3D 41 41 41 00 75 [4-8] 81 E1 FF FF FF 00 81 F9 42 42 42 00 75 }
$c3 = { 81 E1 FF FF FF 00 81 F9 41 41 41 00 75 [4-8] 81 E2 FF FF FF 00 81 FA 42 42 42 00 75 }
$c4 = { 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0 }
$c5 = { 83 C4 04 89 45 FC 8B 4D 08 0F BE 11 03 55 FC 89 55 FC 8B 45 08 83 C0 01 89 45 08 8B 4D 08 0F BE }
$d1 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 }
$d2 = { 4C 8B 07 B8 4F EC C4 4E 41 F7 E1 41 8B C1 C1 EA 02 41 FF C1 6B D2 0D 2B C2 8A 4C 38 10 42 30 0C 06 48 }
$d3 = { 8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2 }
$d4 = { 8B 06 8D 3C 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 32 08 30 07 41 3B 4D 08 72 E6 8B 45 FC EB C7 }
$d5 = { 8B 07 8D 34 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 3A 08 30 06 41 3B 4D 08 72 E6 8B 45 FC EB }
$e1 = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D ?? FF FF FF 48 81 C3 ?? ?? 00 00 FF D3 }
$e2 = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 }
$f1 = "User-Agent:"
$f2 = "wini"
$f3 = "5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword
$f4 = /[^0-9";.\/]([0-9]{1,3}\.){3}[0-9]{1,3}[^0-9";.\/]/
condition:
6 of ($a*) or
1 of ($b*) or
1 of ($c*) or
1 of ($d*) or
1 of ($e*) or
all of ($f*)
}
rule Windows_Trojan_CobaltStrike_b54b94ac {
meta:
id = "b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca"
fingerprint = "2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8"
creation_date = "2021-10-21"
last_modified = "2022-01-13"
description = "Rule for beacon sleep obfuscation routine"
threat_name = "Windows.Trojan.CobaltStrike"
reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a_x64 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 }
$a_x64_smbtcp = { 4C 8B 07 B8 4F EC C4 4E 41 F7 E1 41 8B C1 C1 EA 02 41 FF C1 6B D2 0D 2B C2 8A 4C 38 10 42 30 0C 06 48 }
$a_x86 = { 8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2 }
$a_x86_2 = { 8B 06 8D 3C 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 32 08 30 07 41 3B 4D 08 72 E6 8B 45 FC EB C7 }
$a_x86_smbtcp = { 8B 07 8D 34 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 3A 08 30 06 41 3B 4D 08 72 E6 8B 45 FC EB }
condition:
any of them
}
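As an added example (not part of this post or of the AceLdr project), a small pure-Python matcher for the hex-string syntax the rules above use (plain bytes, `??` wildcards and `[n-m]` jumps), run over a constructed buffer; the rule names and byte patterns are copied from the rules quoted above, while `cobalt_strike_subset` is a constructed label for one string of rule cobalt_strike.

```python
import re

# Hex strings copied from the YARA rules quoted in the post above (a subset:
# the x64/x86 decrypt stubs and the $c1 jump pattern).
RULES = {
    "HKTL_CobaltStrike_Beacon_4_2_Decrypt": {
        "$a_x64": "4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 "
                  "45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03",
        "$a_x86": "8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 "
                  "85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2",
    },
    "cobalt_strike_subset": {  # constructed label for $c1 of rule cobalt_strike
        "$c1": "25 FF FF FF 00 3D 41 41 41 00 75 [5-10] 25 FF FF FF 00 3D 42 42 42 00 75",
    },
}

def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string (plain bytes, ?? wildcards, [n-m] jumps)
    into a compiled bytes regex; these three forms are all the rules above use."""
    parts = []
    for tok in pattern.strip("{} ").split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            parts.append(b".{%d,%d}" % (int(jump.group(1)), int(jump.group(2))))
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf, rules=RULES, min_strings=1):
    """Return {rule: {string_id: [offsets]}} for rules with at least
    min_strings matching strings (the quoted rules use 'any of them')."""
    hits = {}
    for name, strings in rules.items():
        found = {}
        for sid, pat in strings.items():
            offsets = [m.start() for m in hex_pattern_to_regex(pat).finditer(buf)]
            if offsets:
                found[sid] = offsets
        if len(found) >= min_strings:
            hits[name] = found
    return hits

# Constructed sample buffer (not a real beacon): filler, the x64 decrypt stub
# bytes at offset 16, then a $c1-shaped sequence at offset 60 with a 7-byte gap.
SAMPLE = (b"\x90" * 16
          + bytes.fromhex(RULES["HKTL_CobaltStrike_Beacon_4_2_Decrypt"]["$a_x64"])
          + b"\xCC" * 8
          + bytes.fromhex("25 FF FF FF 00 3D 41 41 41 00 75") + b"\x00" * 7
          + bytes.fromhex("25 FF FF FF 00 3D 42 42 42 00 75") + b"\x00" * 16)
```

Calling `scan(SAMPLE)` reports the two strings with their offsets; a buffer without these byte sequences yields an empty result.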
Certain Malleable C2 options, like Sleep Mask, break AceLdr. Add an example to the repository for guidance.