aceldr's People

Contributors

ccob, kyleavery

aceldr's Issues

‘SetProcessValidCallTargets’ redeclared without dllimport attribute error in Kali

Getting multiple errors below when compiling in stock up-to-date Kali Linux:

src/hooks/../native.h:21723:1: error: ‘SetProcessValidCallTargets’ redeclared without dllimport attribute: previous dllimport ignored [-Werror=attributes]

Resolved by copying over the extra declaration found in MinGW's include files:

diff --git a/src/native.h b/src/native.h
index d74ce7f..1846046 100644
--- a/src/native.h
+++ b/src/native.h
@@ -21718,6 +21718,7 @@ typedef struct _CFG_CALL_TARGET_INFO {
 } CFG_CALL_TARGET_INFO, *PCFG_CALL_TARGET_INFO;
 #endif
 
+WINBASEAPI
 WINBOOL
 WINAPI
 SetProcessValidCallTargets(
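Review bot: adding WINBASEAPI to the prototype only makes its attributes agree with the declaration mingw-w64 already ships in memoryapi.h; the duplicate declaration itself stays, so the two prototypes must also agree parameter-for-parameter or the same build fails with "conflicting types for 'SetProcessValidCallTargets'" instead of the attribute warning (the next issue on this page hits exactly that with a different mingw-w64 version). Prefer putting the whole `WINBOOL WINAPI SetProcessValidCallTargets(` prototype under the same kind of preprocessor guard that the `#endif` just above closes for `_CFG_CALL_TARGET_INFO`, so it is only emitted when the system header does not already provide it, or drop the local copy and rely on memoryapi.h.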

No idea if it is a bug or something with my setup, so sharing just in case.

Compilation Errors - Conflicting types for SetProcessValidCallTargets

Hey,

this may be some stupid bug/question from my side, but I did try to compile on multiple systems and always got the following error:

└─# make
In file included from src/include.h:12,
                 from src/ace.c:5:
src/native.h:22184:1: error: conflicting types for ‘SetProcessValidCallTargets’
22184 | SetProcessValidCallTargets(
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/share/mingw-w64/include/winbase.h:25,
                 from /usr/share/mingw-w64/include/windows.h:70,
                 from src/include.h:8,
                 from src/ace.c:5:
/usr/share/mingw-w64/include/memoryapi.h:54:29: note: previous declaration of ‘SetProcessValidCallTargets’ was here
   54 |   WINBASEAPI WINBOOL WINAPI SetProcessValidCallTargets(HANDLE hProcess, PVOID VirtualAddress, SIZE_T RegionSize, ULONG NumberOfOffsets, PCFG_CALL_TARGET_INFO OffsetInformation);
      |                             ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/include.h:12,
                 from src/retaddr.c:6:
src/native.h:22184:1: error: conflicting types for ‘SetProcessValidCallTargets’
22184 | SetProcessValidCallTargets(
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/share/mingw-w64/include/winbase.h:25,
                 from /usr/share/mingw-w64/include/windows.h:70,
                 from src/include.h:8,
                 from src/retaddr.c:6:
/usr/share/mingw-w64/include/memoryapi.h:54:29: note: previous declaration of ‘SetProcessValidCallTargets’ was here
   54 |   WINBASEAPI WINBOOL WINAPI SetProcessValidCallTargets(HANDLE hProcess, PVOID VirtualAddress, SIZE_T RegionSize, ULONG NumberOfOffsets, PCFG_CALL_TARGET_INFO OffsetInformation);
      |                             ^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from src/include.h:12,
                 from src/util.c:6:
src/native.h:22184:1: error: conflicting types for ‘SetProcessValidCallTargets’


Any idea how to get rid of this?

Greetings

Incompatible with Cobalt Strike 4.7

Hi,
Do you anticipate this is compatible with the new version of Cobalt Strike (4.7)? I cannot get it to work with that version.
I have the following output using make (not sure if relevant)

 ± make
/usr/local/Cellar/mingw-w64/10.0.0_1/toolchain-x86_64/bin/x86_64-w64-mingw32-ld: bin/AceLdr.x64.exe:.text: section below image base

I updated my malleable profile to match your example.
I can see "[13:50:58] [!] Loading custom user defined reflective loader from: ..../AceLdr/bin/AceLdr.x64.bin at AceLdr.cna:10" when I generate a stageless beacon artefact. I have AV disabled for test purposes, so it's not that. When I generate an .exe, I get the following error upon execution (see screenshot below). It just fails silently when I use raw shellcode coupled with something else, or just a DLL executed with rundll32.
[Screenshot 2022-08-22 at 13 52 45]

Any ideas ?

Detected by some YARA rules

I have collected some YARA rules which can detect beacons generated from AceLdr:

rule HKTL_CobaltStrike_Beacon_4_2_Decrypt {
   meta:
      author = "Elastic"
      description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2"
      reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
      date = "2021-03-16"
   strings:
      $a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
      $a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
   condition:
      any of them
}


rule CobaltStrikeBeacon
{
    meta:
        author = "ditekshen, enzo & Elastic"
        description = "Cobalt Strike Beacon Payload"
        cape_type = "CobaltStrikeBeacon Payload"
    strings:
        $s1 = "%%IMPORT%%" fullword ascii
        $s2 = "www6.%x%x.%s" fullword ascii
        $s3 = "cdn.%x%x.%s" fullword ascii
        $s4 = "api.%x%x.%s" fullword ascii
        $s5 = "%s (admin)" fullword ascii
        $s6 = "could not spawn %s: %d" fullword ascii
        $s7 = "Could not kill %d: %d" fullword ascii
        $s8 = "Could not connect to pipe (%s): %d" fullword ascii
        $s9 = /%s\.\d[(%08x).]+\.%x%x\.%s/ ascii
        $pwsh1 = "IEX (New-Object Net.Webclient).DownloadString('http" ascii
        $pwsh2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
        $ver3a = {69 68 69 68 69 6b ?? ?? 69}
        $ver3b = {69 69 69 69}
        $ver4a = {2e 2f 2e 2f 2e 2c ?? ?? 2e}
        $ver4b = {2e 2e 2e 2e}
        $a1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x00-0xff)
        $a2 = "Started service %s on %s" xor(0x00-0xff)
        $a3 = "%s as %s\\%s: %d" xor(0x00-0xff)
        $b_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
        $b_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
    condition:
        all of ($ver3*) or all of ($ver4*) or 2 of ($a*) or any of ($b*) or 5 of ($s*) or (all of ($pwsh*) and 2 of ($s*)) or (#s9 > 6 and 4 of them)
}

rule cobalt_strike
{
	meta:
		author = "Elastic Security"
		creation_date = "2021-03-23"
		last_modified = "2021-08-23"
		description = "Attempts to detect Cobalt Strike based on number of signatures related to BEACON"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "CobaltStrike"
		threat_name = "Windows.Trojan.CobaltStrike"

	strings:
		$a1 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a2 = "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a3 = "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset." ascii fullword
		$a4 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword
		$a5 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')" ascii fullword
		$a6 = "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a7 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword
		$a8 = "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a9 = "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a10 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword
		$a11 = "Could not open service control manager on %s: %d" ascii fullword
		$a12 = "%d is an x64 process (can't inject x86 content)" ascii fullword
		$a13 = "%d is an x86 process (can't inject x64 content)" ascii fullword
		$a14 = "Failed to impersonate logged on user %d (%u)" ascii fullword
		$a15 = "could not create remote thread in %d: %d" ascii fullword
		$a16 = "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a17 = "could not write to process memory: %d" ascii fullword
		$a18 = "Could not create service %s on %s: %d" ascii fullword
		$a19 = "Could not delete service %s on %s: %d" ascii fullword
		$a20 = "Could not open process token: %d (%u)" ascii fullword
		$a21 = "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a22 = "Could not start service %s on %s: %d" ascii fullword
		$a23 = "Could not query service %s on %s: %d" ascii fullword
		$a24 = "Could not connect to pipe (%s): %d" ascii fullword
		$a25 = "%s.1%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a26 = "could not spawn %s (token): %d" ascii fullword
		$a27 = "could not open process %d: %d" ascii fullword
		$a28 = "could not run %s as %s\\%s: %d" ascii fullword
		$a29 = "%s.1%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$a30 = "kerberos ticket use failed:" ascii fullword
		$a31 = "Started service %s on %s" ascii fullword
		$a32 = "%s.1%08x%08x%08x.%x%x.%s" ascii fullword
		$a33 = "I'm already in SMB mode" ascii fullword
		$a34 = "could not spawn %s: %d" ascii fullword
		$a35 = "could not open %s: %d" ascii fullword
		$a36 = "%s.1%08x%08x.%x%x.%s" ascii fullword
		$a37 = "Could not open '%s'" ascii fullword
		$a38 = "%s.1%08x.%x%x.%s" ascii fullword
		$a39 = "%s as %s\\%s: %d" ascii fullword
		$a40 = "%s.1%x.%x%x.%s" ascii fullword
		$a41 = "beacon.x64.dll" ascii fullword
		$a42 = "%s on %s: %d" ascii fullword
		$a43 = "www6.%x%x.%s" ascii fullword
		$a44 = "cdn.%x%x.%s" ascii fullword
		$a45 = "api.%x%x.%s" ascii fullword
		$a46 = "%s (admin)" ascii fullword
		$a47 = "beacon.dll" ascii fullword
		$a48 = "%s%s: %s" ascii fullword
		$a49 = "@%d.%s" ascii fullword
		$a50 = "%02d/%02d/%02d %02d:%02d:%02d" ascii fullword
		$a51 = "Content-Length: %d" ascii fullword

		$b1 = { 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 }

		$c1 = { 25 FF FF FF 00 3D 41 41 41 00 75 [5-10] 25 FF FF FF 00 3D 42 42 42 00 75 }
		$c2 = { 25 FF FF FF 00 3D 41 41 41 00 75 [4-8] 81 E1 FF FF FF 00 81 F9 42 42 42 00 75 }
		$c3 = { 81 E1 FF FF FF 00 81 F9 41 41 41 00 75 [4-8] 81 E2 FF FF FF 00 81 FA 42 42 42 00 75 }
		$c4 = { 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0 }
		$c5 = { 83 C4 04 89 45 FC 8B 4D 08 0F BE 11 03 55 FC 89 55 FC 8B 45 08 83 C0 01 89 45 08 8B 4D 08 0F BE }

		$d1 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 }
		$d2 = { 4C 8B 07 B8 4F EC C4 4E 41 F7 E1 41 8B C1 C1 EA 02 41 FF C1 6B D2 0D 2B C2 8A 4C 38 10 42 30 0C 06 48 }
		$d3 = { 8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2 }
		$d4 = { 8B 06 8D 3C 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 32 08 30 07 41 3B 4D 08 72 E6 8B 45 FC EB C7 }
		$d5 = { 8B 07 8D 34 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 3A 08 30 06 41 3B 4D 08 72 E6 8B 45 FC EB }

		$e1 = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D ?? FF FF FF 48 81 C3 ?? ?? 00 00 FF D3 }
		$e2 = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 }

		$f1 = "User-Agent:"
		$f2 = "wini"
		$f3 = "5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword
		$f4 = /[^0-9";.\/]([0-9]{1,3}\.){3}[0-9]{1,3}[^0-9";.\/]/

	condition:
		6 of ($a*) or
		1 of ($b*) or
		1 of ($c*) or
		1 of ($d*) or
		1 of ($e*) or
		all of ($f*)
}

rule Windows_Trojan_CobaltStrike_b54b94ac {
    meta:
        id = "b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca"
        fingerprint = "2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8"
        creation_date = "2021-10-21"
        last_modified = "2022-01-13"
        description = "Rule for beacon sleep obfuscation routine"
        threat_name = "Windows.Trojan.CobaltStrike"
        reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $a_x64 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 }
        $a_x64_smbtcp = { 4C 8B 07 B8 4F EC C4 4E 41 F7 E1 41 8B C1 C1 EA 02 41 FF C1 6B D2 0D 2B C2 8A 4C 38 10 42 30 0C 06 48 }
        $a_x86 = { 8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2 }
        $a_x86_2 = { 8B 06 8D 3C 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 32 08 30 07 41 3B 4D 08 72 E6 8B 45 FC EB C7 }
        $a_x86_smbtcp = { 8B 07 8D 34 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 3A 08 30 06 41 3B 4D 08 72 E6 8B 45 FC EB }
    condition:
        any of them
}
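To see what the hex strings in the rules above actually match, here is an added example (my code, not part of the issue, the quoted rules, or the AceLdr project) that emulates the two YARA string forms the rules rely on: hex strings with `??` wildcards and `[n-m]` jumps, and plain strings with the `xor(0x00-0xff)` modifier. It compiles the `$a_x64`, `$c1` and `$ver3a` patterns into byte regexes, brute-forces the 256 single-byte XOR keys for `$a1`, and runs everything over a constructed buffer that embeds those byte sequences with NOP filler; the buffer, the 0x5A key and the 7-byte gap are all my own test data, not bytes from a real Beacon.

```python
import re

# Hex strings copied from the rules quoted above (Elastic's Beacon
# sleep-obfuscation stub, the CFG "AAA"/"BBB" check, and the 3.x version
# marker); DATE_FMT is the $a1 string that the rule searches under xor().
A_X64 = ("4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 "
         "45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03")
C1 = "25 FF FF FF 00 3D 41 41 41 00 75 [5-10] 25 FF FF FF 00 3D 42 42 42 00 75"
VER3A = "69 68 69 68 69 6b ?? ?? 69"
DATE_FMT = b"%02d/%02d/%02d %02d:%02d:%02d"

_TOKEN = re.compile(r"\?\?|\[(\d+)-(\d+)\]|[0-9A-Fa-f]{2}")


def compile_hex(pattern: str) -> "re.Pattern":
    """Translate the body of a YARA hex string into a compiled bytes regex.

    Supports the three constructs the rules above use: literal bytes,
    '??' single-byte wildcards and '[n-m]' variable-length jumps.
    """
    if _TOKEN.sub("", pattern).strip():
        raise ValueError("unsupported token in hex pattern: %r" % pattern)
    parts = []
    for m in _TOKEN.finditer(pattern):
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            parts.append(b".{%s,%s}" % (m.group(1).encode(), m.group(2).encode()))
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    # DOTALL so '.' also matches 0x0A, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex(pattern: str, data: bytes) -> list:
    """Offsets at which the hex pattern occurs in data (non-overlapping)."""
    return [m.start() for m in compile_hex(pattern).finditer(data)]


def find_xor_string(plain: bytes, data: bytes) -> list:
    """Emulate YARA's xor(0x00-0xff) modifier: (offset, key) for every
    single-byte XOR encoding of `plain` present in `data`."""
    hits = []
    for key in range(256):
        needle = bytes(b ^ key for b in plain)
        off = data.find(needle)
        while off != -1:
            hits.append((off, key))
            off = data.find(needle, off + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test buffer (not a real Beacon): NOP filler around the
    x64 decrypt stub from $a_x64, a CFG-check pair satisfying $c1 with a
    7-byte gap, and DATE_FMT XOR-encoded with the made-up key 0x5A."""
    fill = b"\x90" * 64
    stub = bytes.fromhex(A_X64.replace(" ", ""))                 # 36 bytes
    cfg_pair = (bytes.fromhex("25FFFFFF003D4141410075")
                + b"\xcc" * 7
                + bytes.fromhex("25FFFFFF003D4242420075"))       # 29 bytes
    encoded = bytes(b ^ 0x5A for b in DATE_FMT)
    return fill + stub + fill + cfg_pair + fill + encoded + fill


def scan(data: bytes) -> dict:
    """Run the emulated strings over data and report where each matched."""
    return {
        "$a_x64": find_hex(A_X64, data),
        "$c1": find_hex(C1, data),
        "$ver3a": find_hex(VER3A, data),
        "$a1(xor)": find_xor_string(DATE_FMT, data),
    }


if __name__ == "__main__":
    for name, hits in scan(build_sample()).items():
        print(name, hits)
```

The point for a loader author is that `$a_x64` and the `$d*`/`$b*` strings key on Beacon's own decrypt and sleep-mask code, not on the loader, so they fire on whatever bytes are in memory when the scan runs; a scan taken while those bytes are masked sees neither the stub nor the plaintext format strings, and the xor() modifier only undoes a single-byte key.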

UDRL issue 4.7.2 (Note on how I fixed it)

The loader appears to compile using the Makefile on WSL2 Ubuntu and on Kali, updated as of today. The Makefile appears to output the O files for the UDRL in the bin folder that the CNA uses. The Cobalt Strike version is 4.7.2. The exe used to start the test payload is x64. I am using the example profile (minus the HTTP comms part).

When the stageless and staged beacons are created without the artifact kit, I get the same errors as #6.

.text section below image base

Hi, there seems to be a problem while compiling AceLdr.

The error message is the following:

bin/AceLdr.x64.exe:.text: section below image base

I tried with different versions of mingw-gcc with both branches (main & gcc-10).

Some problems, need help

Hi, thanks for your project. I want to know how to start with this project: do I just need to run the Makefile, then load the CNA script into Cobalt Strike, and finally I can enjoy it? I very much hope to get your answer, thanks.

AceLdr shellcode causes error 0xc0000005 (access violation) on Win server 2016

Hi, I encountered an issue with the shellcode generated by AceLdr on Windows Server 2016.

Summary test/debug results:

  • after executing the shellcode, the process in which the shellcode is executed crashes with an error code 0xc0000005 (access violation) (event ID 1000);
  • the shellcode is tested on multiple build versions of server 2016/2019/2022 and Windows 10/11;
  • the issue only occurs on Win server 2016;
  • the initial beacon callback comes through before the process crashes;
  • the shellcode is only executed in a x64 process;
  • the shellcode is executed with both non- and elevated (SYSTEM) privileges (same result);
  • during the test, no AV/EDR solution was running.

Why do you think this is happening and what could be a possible solution?

Why do I get Abnormal private executable memory by Moneta?

Hi, nice work by the way.
I just tried this and wanted to test it with Moneta; it appears I got flagged.

Moneta64.exe -p 2516 -m ioc
   _____                        __
  /     \   ____   ____   _____/  |______
 /  \ /  \ /  _ \ /    \_/ __ \   __\__  \
/    Y    (  <_> )   |  \  ___/|  |  / __ \_
\____|__  /\____/|___|  /\___  >__| (____  /
        \/            \/     \/          \/

Moneta v1.0 | Forrest Orr | 2020


cmd.exe : 2516 : x64 : C:\Windows\System32\cmd.exe
  0x000001FFDEDD0000:0x00002000   | Private
    0x000001FFDEDD0000:0x00001000 | RX       | 0x00000000 | Abnormal private executable memory

... scan completed (0.657000 second duration)

The command I use is
inject 2516 x64

before inject, nothing shows in Moneta

Moneta64.exe -p 2516 -m ioc
   _____                        __
  /     \   ____   ____   _____/  |______
 /  \ /  \ /  _ \ /    \_/ __ \   __\__  \
/    Y    (  <_> )   |  \  ___/|  |  / __ \_
\____|__  /\____/|___|  /\___  >__| (____  /
        \/            \/     \/          \/

Moneta v1.0 | Forrest Orr | 2020


... scan completed (0.219000 second duration)

I thought the reason might be the CNA scripts I loaded in CS, so I unloaded them all but AceLdr, but still got the same results.
The CS version I use is 4.7; I'll try whether 4.3 works while waiting for suggestions.
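What "Abnormal private executable memory" means in a scan like the one above is easier to see with the heuristic written out. The following is an added example (my code, an approximation of the memory-scanner logic, not Moneta's source and not part of AceLdr or this issue): it walks a list of regions shaped like VirtualQueryEx results and flags any committed, executable region that is not backed by a loaded image. The region list is constructed by hand to resemble the cmd.exe snapshot in the issue; the image and heap entries, their addresses and the second 0x1000 sub-region are assumptions, only the 0x000001FFDEDD0000 RX region comes from the posted output.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MEMORY_BASIC_INFORMATION constants from the Win32 headers.
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass(frozen=True)
class Region:
    """One VirtualQueryEx result, reduced to the fields the heuristic needs."""
    base: int
    size: int
    state: int
    type: int
    protect: int
    backing: Optional[str] = None   # file behind MEM_IMAGE / MEM_MAPPED regions


def classify(r: Region) -> Optional[str]:
    """Return an IOC label for a region, or None if it looks normal.

    Assumed heuristic: executable code is expected to live in MEM_IMAGE
    regions of a module on disk. Committed executable memory anywhere else
    is reported, with private (heap/VirtualAlloc) memory being the classic
    sign of injected or reflectively loaded code.
    """
    if r.state != MEM_COMMIT or not (r.protect & EXECUTE_MASK):
        return None
    if r.type == MEM_IMAGE:
        return None
    if r.type == MEM_MAPPED:
        return "Abnormal mapped executable memory"
    return "Abnormal private executable memory"


def scan(regions: List[Region]) -> List[Tuple[int, int, str]]:
    """(base, size, ioc) for every region the heuristic flags."""
    out = []
    for r in regions:
        ioc = classify(r)
        if ioc:
            out.append((r.base, r.size, ioc))
    return out


def sample_regions() -> List[Region]:
    """Constructed snapshot loosely modelled on the cmd.exe scan in the
    issue; only the 0x000001FFDEDD0000 RX region is taken from the post."""
    cmd = r"C:\Windows\System32\cmd.exe"
    return [
        Region(0x7FF6A0E01000, 0x5A000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, cmd),
        Region(0x7FF6A0E5B000, 0x18000, MEM_COMMIT, MEM_IMAGE, PAGE_READONLY, cmd),
        Region(0x1FFDEB20000, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),   # heap
        Region(0x7FF6A1000000, 0x2000, MEM_COMMIT, MEM_MAPPED, PAGE_READONLY,
               r"C:\Windows\System32\locale.nls"),
        Region(0x1FFDEDD0000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ),  # flagged
        Region(0x1FFDEDD1000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),
    ]


def report(regions: List[Region]) -> List[str]:
    """Moneta-style one-line-per-finding output."""
    return ["0x%016X:0x%08X | %s" % hit for hit in scan(regions)]


if __name__ == "__main__":
    for line in report(sample_regions()):
        print(line)
```

Under this heuristic the finding depends entirely on what the region looks like at the instant of the snapshot: a loader that places Beacon in private memory and leaves it RX while Beacon is awake is visible to any scanner, whatever the CNA or Cobalt Strike version, so the time at which the scan is taken relative to the sleep cycle matters as much as the loader itself.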
