boku7 / BokuLoader

A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
MIT License

options to mask PE #3

Closed. ghost closed this issue 3 years ago.

ghost commented 3 years ago

1) Hello boku, why are none of these options used in rdlloader.cna: pe_insert_rich_header, pe_mask, pe_mask_section, and all of the rest listed here: https://www.cobaltstrike.com/help-user-defined-reflective-loader?

2) It seems that rdlloader is ignoring the Malleable C2 profile; it is using the default Beacon of the default profile. It completely bypasses the profile I have chosen.

3) It gets detected by Defender, even when trying the different versions you added in the versions directory.

As a measure I unloaded artifact.cna to test without it, but it's the same problem: it gets detected.

If you can, please provide help on how to use all the options and params: https://www.cobaltstrike.com/help-user-defined-reflective-loader. Thanks in advance.

boku7 commented 3 years ago

Hey fendi1989, I haven't been able to figure out how all the different Malleable C2 options work with the User Defined Reflective Loader. There is not much documentation on it. I suggest placing a breakpoint in reflectiveloader.c, compiling, and running the Beacon with a debugger. If it hits the breakpoint, you know it didn't revert to the default loader.

With evading Defender, you're going to have to make modifications to bypass it. Typically, shortly after releasing things publicly, they become signatured by Defender. The public source code makes it a lot easier, since signature analysts don't even need to do any reversing to make signatures.

If you find out anything new about getting the Malleable C2 flags working with the User Defined Reflective Loader, or any ways to help with evasion, let me know. Also, if you want to make it better, this project is open to PRs :)

ghost commented 3 years ago

Ok, that's convincing :) Yes, I'm actually testing with and without Malleable C2, tweaking params in the rdlloader and checking after each change. Thanks anyway.

boku7 commented 3 years ago

Sorry I couldn't be more help! This project has been like an exploration journey into the new UDRL and how it fits in with the rest of CS. A lot of moving parts. Still a long way to go before I figure it all out lol. Good luck!