A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
Import a single CNA script before generating shellcode.
Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
Delayed execution using WaitForSingleObjectEx.
All encryption performed with SystemFunction032.
- Not compatible with loaders that rely on the shellcode thread staying alive.
This project would not have been possible without the following:
Other features and inspiration were taken from the following:
- https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/
- https://github.com/secidiot/TitanLdr
- https://github.com/JLospinoso/gargoyle
- https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
- https://www.arashparsa.com/hook-heaps-and-live-free/
- https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/
- https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures