Raising Beacons without UDRLs and Teaching them How to Sleep

UDRLs and prepended loaders aren’t the only way to execute a raw payload and get direct hooking in place. In the case of Cobalt Strike, a generic PE loader can be tweaked to execute a UDRL-less Beacon and obtain direct hooking, which makes prototyping sleep-obfuscation techniques easier. Using this approach, two techniques that bypass Elastic’s RX -> RW sleep detection, along with a few other scanners, are then demonstrated.

11 min read

Mockingjay revisited - Process Stomping and loading Beacon with sRDI

Executables with RWX sections can be abused using a variation of the Process Overwriting technique dubbed Process Stomping. Using a modified sRDI and leveraging the new features of Cobalt Strike 4.9, it has been possible to load Beacon into the RWX section itself without the need for a custom UDRL.
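The precondition for the technique above is a PE whose section header already asks the loader for an RWX mapping (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE in the section's Characteristics). The scanner below is an added example, not code from the post or from sRDI: it walks the section table of a PE and reports sections carrying all three flags, which is how both an operator and a defender would triage candidate binaries on disk. The sample PE embedded at the bottom is constructed for the example (an otherwise empty PE32+ skeleton with three sections, one of them RWX) so the script runs offline; `scan_file` applies the same check to a real file.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def is_rwx(characteristics):
    """True when a section header requests execute, read and write at once."""
    return characteristics & RWX == RWX


def parse_sections(data):
    """Return the section headers of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    file_hdr = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, file_hdr + 16)[0]
    sect_table = file_hdr + 20 + size_opt_hdr     # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = sect_table + i * 40                 # each header is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_pointer": raw_ptr,
            "characteristics": chars,
        })
    return sections


def find_rwx_sections(data):
    """Sections that the Windows loader will map RWX, straight from the header."""
    return [s for s in parse_sections(data) if is_rwx(s["characteristics"])]


def scan_file(path):
    with open(path, "rb") as fh:
        return find_rwx_sections(fh.read())


def build_sample_pe(sections):
    """Constructed PE32+ skeleton: enough headers for the scan, no real code.

    sections: list of (name, characteristics) tuples.
    """
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_opt_hdr = 0xF0                           # PE32+ optional header; content unused here
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt_hdr, 0x22)
    opt_hdr = b"\0" * size_opt_hdr
    table = b""
    for i, (name, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                             0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table


# Constructed sample: a normal RX .text, an RW .data and a suspicious RWX section.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x60000020),   # CODE | EXECUTE | READ
    (b".data", 0xC0000040),   # INITIALIZED_DATA | READ | WRITE
    (b".rwx",  0xE0000040),   # INITIALIZED_DATA | EXECUTE | READ | WRITE
])

if __name__ == "__main__":
    for s in find_rwx_sections(SAMPLE_PE):
        print(f"{s['name']:8s} RVA=0x{s['virtual_address']:x} "
              f"size=0x{s['virtual_size']:x} chars=0x{s['characteristics']:08x}")
```

The header flags are only what the image requests at load time; a process can still change protections later with VirtualProtect, so on-disk RWX is a triage signal for both sides, not proof of how the memory looks at runtime.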

9 min read