Mark0

Crystal Mask

The article explores the "Crystal Palace" philosophy of separating evasion tradecraft from offensive capabilities. While Cobalt Strike's Beacon uses sleepmask BOFs that are tightly coupled with the agent, the author experiments with weaving evasion at link-time using the Crystal Palace hooking primitive. This approach allows for greater flexibility, enabling evasion for APIs not natively supported by BeaconGate, such as CreateProcess, by redirecting calls to memory-loaded PICOs.

The author details the implementation of a custom sleepmask BOF that adheres to existing software contracts between Beacon and its reflective loader. By leveraging structures like BEACON_INFO and FUNCTION_CALL, the custom mask can efficiently handle memory obfuscation and API redirection. Furthermore, the post demonstrates how to integrate advanced evasion techniques, such as the Draugr call stack spoofing, into the COFF (Common Object File Format) during the build process using specification files.

Ultimately, the post compares the "no-knowledge" versus "has-knowledge" approaches to evasion. While the former offers flexibility, the latter provides ease of use and component compatibility. By merging custom tradecraft into the sleepmask BOF, operators can maintain the benefits of Cobalt Strike's built-in hooks while applying sophisticated, decoupled evasion techniques that allow for mixing and matching different tradecraft components.
