KitPloit - PenTest Tools!

BokuLoader - A Proof-Of-Concept Cobalt Strike Reflective Loader Which Aims To Recreate, Integrate, And Enhance Cobalt Strike's Evasion Features!

By: Unknown


A proof-of-concept User-Defined Reflective Loader (UDRL) which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!


Contributors:

  • Bobby Cooke (@0xBoku): Project original author and maintainer
  • Santiago Pecin (@s4ntiago_p): Reflective Loader major enhancements
  • Chris Spehn (@ConsciousHacker): Aggressor scripting
  • Joshua Magri (@passthehashbrwn): IAT hooking
  • Dylan Tran (@d_tranman): Reflective Call Stack Spoofing
  • James Yeung (@5cript1diot): Indirect System Calls

UDRL Usage Considerations

The built-in Cobalt Strike reflective loader is robust, handling all Malleable PE evasion features Cobalt Strike has to offer. The major disadvantage to using a custom UDRL is Malleable PE evasion features may or may not be supported out-of-the-box.

The objective of the public BokuLoader project is to assist red teams in creating their own in-house Cobalt Strike UDRL. The project aims to support all worthwhile CS Malleable PE evasion features. Some evasion features leverage CS integration, others have been recreated completely, and some are unsupported.

Before using this project, in any form, you should properly test that the evasion features are working as intended. Between the C code and the Aggressor script, compilation with different versions of operating systems, compilers, and Java may return different results.

Evasion Features

BokuLoader Specific Evasion Features

  • Reflective call stack spoofing via synthetic frames.
  • Custom ASM/C reflective loader code
  • Indirect NT syscalls via HellsGate & HalosGate techniques
  • All memory protection changes for all allocation options are done via indirect syscall to NtProtectVirtualMemory
  • "obfuscate true" supported via a custom UDRL Aggressor script implementation.
  • NOHEADERCOPY
    • The loader does not copy the headers of the raw beacon DLL to the virtual beacon DLL. The first 0x1000 bytes are nulls.
  • XGetProcAddress for resolving symbols
    • Does not use Kernel32.GetProcAddress
  • xLoadLibrary for resolving a DLL's base address & DLL loading
    • For loaded DLLs, gets the DLL base address from TEB->PEB->PEB_LDR_DATA->InMemoryOrderModuleList
    • Does not use Kernel32.LoadLibraryA
  • Caesar cipher for string obfuscation
  • 100k UDRL size
  • Import DLL names and import entry name strings are stomped in the virtual beacon DLL.

Supported Malleable PE Evasion Features

Command (option(s)): support status

  • allocator (HeapAlloc, MapViewOfFile, VirtualAlloc): All supported via BokuLoader implementation
  • module_x64 (string, DLL name): Supported via BokuLoader implementation. Same DLL stomping requirements as the CS implementation apply
  • obfuscate (true/false): HTTP/S beacons supported via BokuLoader implementation. SMB/TCP is currently not supported for obfuscate true. Details in issue. Accepting help if you can fix :)
  • entry_point (RVA as decimal number): Supported via BokuLoader implementation
  • cleanup (true): Supported via CS integration
  • userwx (true/false): Supported via BokuLoader implementation
  • sleep_mask (true/false, or Sleepmask Kit + true): Supported. When using the default "sleepmask true" (without the sleepmask kit) set "userwx true". When using a sleepmask kit which supports RX beacon.text memory (src47/Ekko) set "sleepmask true" && "userwx false".
  • magic_mz_x64 (4 char string): Supported via CS integration
  • magic_pe (2 char string): Supported via CS integration
  • transform-x64 prepend (escaped hex string): BokuLoader.cna Aggressor script modification
  • transform-x64 strrep (string string): BokuLoader.cna Aggressor script modification
  • stomppe (true/false): Unsupported. BokuLoader does not copy the beacon DLL headers over. The first 0x1000 bytes of the virtual beacon DLL are 0x00
  • checksum (number): Experimental. BokuLoader.cna Aggressor script modification
  • compile_time (date-time string): Experimental. BokuLoader.cna Aggressor script modification
  • image_size_x64 (decimal value): Unsupported
  • name (string): Experimental. BokuLoader.cna Aggressor script modification
  • rich_header (escaped hex string): Experimental. BokuLoader.cna Aggressor script modification
  • stringw (string): Unsupported
  • string (string): Unsupported

Test

Project Origins

Usage

  1. Compile the BokuLoader object file with make
  2. Start your Cobalt Strike Team Server
  3. Within Cobalt Strike, import the BokuLoader.cna Aggressor script
  4. Generate the x64 beacon (Attacks -> Packages -> Windows Executable (S))
  5. Use the Script Console to ensure BokuLoader was implemented in the beacon build
  6. Does not support the x86 option. The x86 bin is the original Reflective Loader object file.
  7. Generating RAW beacons works out of the box. When using the Artifact Kit for the beacon loader, the stagesize variable must be larger than the default.
  8. See the Cobalt Strike User-Defined Reflective Loader documentation for additional information

Detection Guidance

Hardcoded Strings

  • BokuLoader changes some commonly detected strings to new hardcoded values. These strings can be used to signature BokuLoader (original Cobalt Strike string -> BokuLoader string):
    • ReflectiveLoader -> BokuLoader
    • Microsoft Base Cryptographic Provider v1.0 -> 12367321236742382543232341241261363163151d
    • (admin) -> (tomin)
    • beacon -> bacons

Memory Allocators

DLL Module Stomping

  • Kernel32.LoadLibraryExA is called to map the DLL from disk
  • The 3rd argument to Kernel32.LoadLibraryExA is DONT_RESOLVE_DLL_REFERENCES (0x00000001)
    • The system does not call DllMain
    • Does not resolve addresses in the LDR PEB entry, as detailed by MDSec here
  • Detectable by scanning process memory with the pe-sieve tool

Heap Allocation

  • Executable RX or RWX memory will exist in the heap if sleepmask kit is not used.

Mapped Allocator

  • Kernel32.CreateFileMappingA & Kernel32.MapViewOfFile are called to allocate memory for the virtual beacon DLL.

Sleepmask Detection

Indirect Syscalls

  • BokuLoader calls the following NT system calls to set up the loaded executable beacon memory: NtAllocateVirtualMemory, NtProtectVirtualMemory
  • These are called indirectly from the BokuLoader executable memory.
  • Setting userland hooks in ntdll.dll will not detect these system calls.
  • It may be possible to register kernel callbacks using a kernel driver to monitor for the above system calls and detect their usage.
  • The BokuLoader itself will contain the "mov eax, r11d; mov r11, r10; mov r10, rcx; jmp r11" assembly instructions within its executable memory.

Virtual Beacon DLL Header

  • The first 0x1000 bytes of the virtual beacon DLL are zeros.

Source Code Available

  • The BokuLoader source code is provided within the repository and can be used to create memory signatures.
  • If you have additional detection guidance, please feel free to contribute by submitting a pull request.
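As an added example (not code from the BokuLoader project), the following Python scanner turns the guidance above into checks that run over a memory region or file image: the hardcoded strings, the indirect-syscall trampoline, and a virtual DLL whose first 0x1000 bytes are nulls. The byte encoding of the trampoline is an assumption about how the assembler emitted those four instructions, and the sample buffer is constructed.

```python
import re

# Hardcoded strings listed in the detection guidance above.
HARDCODED_STRINGS = [
    b"BokuLoader",
    b"12367321236742382543232341241261363163151d",
    b"(tomin)",
    b"bacons",
]

# mov eax, r11d ; mov r11, r10 ; mov r10, rcx ; jmp r11
# Assumption: the MOV r/m,r (0x89) encoding for the first instruction; the
# alternative 0x8B form (41 8B C3) is accepted as well.
SYSCALL_STUB_RE = re.compile(
    rb"(?:\x44\x89\xd8|\x41\x8b\xc3)\x4d\x89\xd3\x49\x89\xca\x41\xff\xe3"
)

ZERO_HEADER_LEN = 0x1000  # header size BokuLoader leaves as nulls


def find_hardcoded_strings(buf: bytes) -> list:
    """Return the BokuLoader-specific strings present in buf."""
    return [s.decode() for s in HARDCODED_STRINGS if s in buf]


def find_syscall_stubs(buf: bytes) -> list:
    """Return offsets of the indirect-syscall trampoline in executable memory."""
    return [m.start() for m in SYSCALL_STUB_RE.finditer(buf)]


def has_zeroed_pe_header(region: bytes) -> bool:
    """True when a region starts with 0x1000 null bytes followed by non-null
    data, the layout of a virtual beacon DLL whose headers were not copied."""
    if len(region) <= ZERO_HEADER_LEN:
        return False
    return not any(region[:ZERO_HEADER_LEN]) and any(region[ZERO_HEADER_LEN:])


def scan(buf: bytes) -> dict:
    """Run all three checks over one memory region or file image."""
    return {
        "strings": find_hardcoded_strings(buf),
        "stub_offsets": find_syscall_stubs(buf),
        "zeroed_header": has_zeroed_pe_header(buf),
    }


# Constructed sample: nulled header, padding, the trampoline, then two strings.
SAMPLE = (
    b"\x00" * ZERO_HEADER_LEN
    + b"\x90" * 16
    + bytes.fromhex("4489d84d89d34989ca41ffe3")
    + b"\x00(tomin)\x00bacons\x00"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```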

Credits / References

Reflective Call Stack Spoofing

Reflective Loader

HalosGate SysCaller

  • Reenz0h from @SEKTOR7net
  • Check out Reenz0h's awesome courses and blogs!
  • Best classes for malware development I have taken.
  • Creator of the HalosGate technique. His work was initially the motivation for this work.
  • Sektor7 HalosGate Blog

HellsGate Syscaller

Aggressor Scripting

Cobalt Strike User Defined Reflective Loader

  • https://www.cobaltstrike.com/help-user-defined-reflective-loader

Great Resource for learning Intel ASM

ETW and AMSI Bypass

Implementing ASM in C Code with GCC

  • https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/
  • https://www.cs.uaf.edu/2011/fall/cs301/lecture/10_12_asm_c.html
  • http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/Extended-Asm.html#Extended-Asm

Cobalt Strike C2 Profiles



LOLSpoof - An Interactive Shell To Spoof Some LOLBins Command Line

By: Zion3R


LOLSpoof is an interactive shell program that automatically spoofs the command line arguments of the spawned process. Just call your incriminating-looking command line LOLBin (e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA....) and LOLSpoof will ensure that the process creation telemetry appears legitimate and clean.


Why

The process command line is a heavily monitored piece of telemetry, thoroughly inspected by AV/EDRs, SOC analysts and threat hunters.

How

  1. Prepares the spoofed command line out of the real one: lolbin.exe " " * sizeof(real arguments)
  2. Spawns that suspended LOLBin with the spoofed command line
  3. Gets the remote PEB address
  4. Gets the address of RTL_USER_PROCESS_PARAMETERS struct
  5. Gets the address of the command line unicode buffer
  6. Overwrites the fake command line with the real one
  7. Resumes the main thread

Opsec considerations

Although this simple technique helps to bypass command line detection, it may introduce other suspicious telemetry:

  1. Creation of a suspended process
  2. The new process has trailing spaces (but it's really easy to make it a repeated character or even random data instead)
  3. Write to the spawned process with WriteProcessMemory
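As an added detection-side example (not part of LOLSpoof), the following Python snippet applies the opsec points above to constructed process-creation records: it flags an argument region that is just a long run of one repeated character (spaces by default), and it compares the command line logged at creation with one read later from the live process. The Sysmon-style field names and image paths are constructed samples.

```python
import re

# Image token: either a double-quoted path or the first non-space run; the rest
# of the line (including its leading separator space) is the argument region.
_QUOTED = re.compile(r'\s*"([^"]*)"(.*)$', re.S)
_BARE = re.compile(r'\s*(\S+)(.*)$', re.S)

MIN_PAD = 8  # shortest all-padding argument region worth flagging


def split_image_and_args(cmdline: str):
    """Return (image, args) with trailing padding preserved in args."""
    m = _QUOTED.match(cmdline) or _BARE.match(cmdline)
    if m is None:
        return cmdline, ""
    return m.group(1), m.group(2)


def is_padded_args(args: str, min_len: int = MIN_PAD) -> bool:
    """True when, after the separator space, the argument region is one repeated
    character: the tool's default is spaces, but a repeated letter is caught too.
    Random-byte padding would need a different heuristic (e.g. non-printables)."""
    body = args[1:] if args.startswith(" ") else args
    return len(body) >= min_len and len(set(body)) == 1


def command_line_mismatch(at_creation: str, read_later: str) -> bool:
    """True when the command line recorded at process creation differs from one
    read afterwards from the live process's PEB (it was rewritten after start)."""
    return at_creation.rstrip() != read_later.rstrip()


# Constructed process-creation records (Sysmon-style field names).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe" + " " * 40},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "dir C:\\Users"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": '"C:\\Windows\\System32\\rundll32.exe" ' + "A" * 30},
]


def flag_padded_events(events) -> list:
    """Return the Image of each record whose command line looks padded."""
    return [ev["Image"] for ev in events
            if is_padded_args(split_image_and_args(ev["CommandLine"])[1])]


if __name__ == "__main__":
    for image in flag_padded_events(EVENTS):
        print("padded command line:", image)
```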

Build

Built with Nim 1.6.12 (compiling with Nim 2.X yields errors!)

nimble install winim

Known issue

Programs that clear or change previously printed console messages (such as timeout.exe 10) break the program. When such commands are employed, you'll need to restart the console. Don't know how to fix that, open to suggestions.



Espionage - A Linux Packet Sniffing Suite For Automated MiTM Attacks

By: Zion3R

Espionage is a network packet sniffer that intercepts large amounts of data being passed through an interface. The tool allows users to run normal and verbose traffic analysis that shows a live feed of traffic, revealing packet direction, protocols, flags, etc. Espionage can also spoof ARP so that all data sent by the target gets redirected through the attacker (MiTM). Espionage supports IPv4, TCP/UDP, ICMP, and HTTP. Espionage was written in Python 3.8 but it also supports version 3.6. This is the first version of the tool, so please contact the developer if you want to help contribute and add more to Espionage. Note: This is not a Scapy wrapper; scapylib only assists with HTTP requests and ARP.


Installation

1: git clone https://www.github.com/josh0xA/Espionage.git
2: cd Espionage
3: sudo python3 -m pip install -r requirments.txt
4: sudo python3 espionage.py --help

Usage

  1. sudo python3 espionage.py --normal --iface wlan0 -f capture_output.pcap
    Command 1 will execute a clean packet sniff and save the output to the pcap file provided. Replace wlan0 with whatever your network interface is.
  2. sudo python3 espionage.py --verbose --iface wlan0 -f capture_output.pcap
    Command 2 will execute a more detailed (verbose) packet sniff and save the output to the pcap file provided.
  3. sudo python3 espionage.py --normal --iface wlan0
    Command 3 will still execute a clean packet sniff however, it will not save the data to a pcap file. Saving the sniff is recommended.
  4. sudo python3 espionage.py --verbose --httpraw --iface wlan0
    Command 4 will execute a verbose packet sniff and will also show raw http/tcp packet data in bytes.
  5. sudo python3 espionage.py --target <target-ip-address> --iface wlan0
    Command 5 will ARP spoof the target IP address and all data being sent will be routed back to the attacker's machine (you/localhost).
  6. sudo python3 espionage.py --iface wlan0 --onlyhttp
    Command 6 will only display sniffed packets on port 80 utilizing the HTTP protocol.
  7. sudo python3 espionage.py --iface wlan0 --onlyhttpsecure
    Command 7 will only display sniffed packets on port 443 utilizing the HTTPS (secured) protocol.
  8. sudo python3 espionage.py --iface wlan0 --urlonly
    Command 8 will only sniff and return sniffed URLs visited by the victim (works best with sslstrip).

  9. Press Ctrl+C in-order to stop the packet interception and write the output to file.

Menu

usage: espionage.py [-h] [--version] [-n] [-v] [-url] [-o] [-ohs] [-hr] [-f FILENAME] -i IFACE
[-t TARGET]

optional arguments:
-h, --help show this help message and exit
--version returns the packet sniffers version.
-n, --normal executes a cleaner interception, less sophisticated.
-v, --verbose (recommended) executes a more in-depth packet interception/sniff.
-url, --urlonly only sniffs visited urls using http/https.
-o, --onlyhttp sniffs only tcp/http data, returns urls visited.
-ohs, --onlyhttpsecure
sniffs only https data, (port 443).
-hr, --httpraw displays raw packet data (byte order) recieved or sent on port 80.

(Recommended) arguments for data output (.pcap):
-f FILENAME, --filename FILENAME
name of file to store the output (make extension '.pcap').

(Required) arguments required for execution:
-i IFACE, --iface IFACE
specify network interface (ie. wlan0, eth0, wlan1, etc.)

(ARP Spoofing) required arguments in-order to use the ARP Spoofing utility:
-t TARGET, --target TARGET


Writeup

A simple medium writeup can be found here:
Click Here For The Official Medium Article

Ethical Notice

The developer of this program, Josh Schiavone, wrote the following code for educational and ethical purposes only. The data sniffed/intercepted is not to be used for malicious intent. Josh Schiavone is not responsible or liable for misuse of this penetration testing tool. May God bless you all.

License

MIT License
Copyright (c) 2024 Josh Schiavone




NetProbe - Network Probe

By: Zion3R


NetProbe is a tool you can use to scan for devices on your network. The program sends ARP requests to any IP address on your network and lists the IP addresses, MAC addresses, manufacturers, and device models of the responding devices.

Features

  • Scan for devices on a specified IP address or subnet
  • Display the IP address, MAC address, manufacturer, and device model of discovered devices
  • Live tracking of devices (optional)
  • Save scan results to a file (optional)
  • Filter by manufacturer (e.g., 'Apple') (optional)
  • Filter by IP range (e.g., '192.168.1.0/24') (optional)
  • Scan rate in seconds (default: 5) (optional)

Download

You can download the program from the GitHub page.

$ git clone https://github.com/HalilDeniz/NetProbe.git

Installation

To install the required libraries, run the following command:

$ pip install -r requirements.txt

Usage

To run the program, use the following command:

$ python3 netprobe.py [-h] -t  [...] -i  [...] [-l] [-o] [-m] [-r] [-s]
  • -h,--help: show this help message and exit
  • -t,--target: Target IP address or subnet (default: 192.168.1.0/24)
  • -i,--interface: Interface to use (default: None)
  • -l,--live: Enable live tracking of devices
  • -o,--output: Output file to save the results
  • -m,--manufacturer: Filter by manufacturer (e.g., 'Apple')
  • -r,--ip-range: Filter by IP range (e.g., '192.168.1.0/24')
  • -s,--scan-rate: Scan rate in seconds (default: 5)

Example:

$ python3 netprobe.py -t 192.168.1.0/24 -i eth0 -o results.txt -l

Help Menu

$ python3 netprobe.py --help                      
usage: netprobe.py [-h] -t [...] -i [...] [-l] [-o] [-m] [-r] [-s]

NetProbe: Network Scanner Tool

options:
-h, --help show this help message and exit
-t [ ...], --target [ ...]
Target IP address or subnet (default: 192.168.1.0/24)
-i [ ...], --interface [ ...]
Interface to use (default: None)
-l, --live Enable live tracking of devices
-o , --output Output file to save the results
-m , --manufacturer Filter by manufacturer (e.g., 'Apple')
-r , --ip-range Filter by IP range (e.g., '192.168.1.0/24')
-s , --scan-rate Scan rate in seconds (default: 5)

Default Scan

$ python3 netprobe.py 

Live Tracking

You can enable live tracking of devices on your network by using the -l or --live flag. This will continuously update the device list every 5 seconds.

$ python3 netprobe.py -t 192.168.1.0/24 -i eth0 -l

Save Results

You can save the scan results to a file by using the -o or --output flag followed by the desired output file name.

$ python3 netprobe.py -t 192.168.1.0/24 -i eth0 -l -o results.txt
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒ IP Address   โ”ƒ MAC Address       โ”ƒ Packet Size โ”ƒ Manufacturer                 โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚ 192.168.1.1  โ”‚ **:6e:**:97:**:28 โ”‚ 102         โ”‚ ASUSTek COMPUTER INC.        โ”‚
โ”‚ 192.168.1.3  โ”‚ 00:**:22:**:12:** โ”‚ 102         โ”‚ InPro Comm                   โ”‚
โ”‚ 192.168.1.2  โ”‚ **:32:**:bf:**:00 โ”‚ 102         โ”‚ Xiaomi Communications Co Ltd โ”‚
โ”‚ 192.168.1.98 โ”‚ d4:**:64:**:5c:** โ”‚ 102         โ”‚ ASUSTek COMPUTER INC.        โ”‚
โ”‚ 192.168.1.25 โ”‚ **:49:**:00:**:38 โ”‚ 102         โ”‚ Unknown                      โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
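Both Espionage's --target ARP spoofing and NetProbe's ARP request sweep leave a distinct footprint on the wire. As an added example (not code from either project), this Python monitor parses raw Ethernet/ARP frames and flags an IP whose MAC changes between replies (poisoning) as well as a single MAC that requests many distinct targets (a sweep). The frames, MAC addresses and the sweep threshold of 8 are constructed for the demo.

```python
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op sha spa tha tpa
ARP_REQUEST, ARP_REPLY = 1, 2

mac = lambda b: ":".join(f"{x:02x}" for x in b)
ip = lambda b: ".".join(map(str, b))


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame)[2] != 0x0806:
        return None
    _, _, _, _, op, sha, spa, _, tpa = ARP.unpack_from(frame, ETH.size)
    return op, mac(sha), ip(spa), ip(tpa)


class ArpMonitor:
    """Flags poisoning (an IP's MAC changes) and sweeps (one MAC probing many IPs)."""

    def __init__(self, sweep_threshold: int = 8):
        self.table = {}                 # ip -> mac learned from replies
        self.probed = defaultdict(set)  # sender mac -> target ips it asked for
        self.sweep_threshold = sweep_threshold
        self.alerts = []

    def feed(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa, tpa = parsed
        if op == ARP_REPLY:
            known = self.table.get(spa)
            if known is not None and known != sha:
                self.alerts.append(f"poison: {spa} moved from {known} to {sha}")
            self.table[spa] = sha
        elif op == ARP_REQUEST:
            self.probed[sha].add(tpa)
            if len(self.probed[sha]) == self.sweep_threshold:
                self.alerts.append(f"sweep: {sha} probed {self.sweep_threshold} hosts")


def build_arp(op: int, sha: bytes, spa: str, tpa: str) -> bytes:
    """Constructed sample frame (not captured traffic); Ethernet dst is broadcast."""
    spa_b, tpa_b = (bytes(map(int, a.split("."))) for a in (spa, tpa))
    return ETH.pack(b"\xff" * 6, sha, 0x0806) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa_b, b"\x00" * 6, tpa_b)


def demo() -> list:
    gw, rogue = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    mon = ArpMonitor()
    mon.feed(build_arp(ARP_REPLY, gw, "192.168.1.1", "192.168.1.25"))     # legitimate gateway
    mon.feed(build_arp(ARP_REPLY, rogue, "192.168.1.1", "192.168.1.25"))  # gateway IP re-claimed
    for i in range(1, 10):                                                  # request sweep of 9 hosts
        mon.feed(build_arp(ARP_REQUEST, rogue, "192.168.1.50", f"192.168.1.{i}"))
    return mon.alerts
```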

Contact

If you have any questions, suggestions, or feedback about the program, please feel free to reach out to me through any of the following platforms:

License

This program is released under the MIT LICENSE. See LICENSE for more information.



โŒ