{"id":13840423,"url":"https://github.com/mgeeky/ElusiveMice","last_synced_at":"2025-07-11T07:33:53.290Z","repository":{"id":37077518,"uuid":"400614497","full_name":"mgeeky/ElusiveMice","owner":"mgeeky","description":"Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind","archived":false,"fork":false,"pushed_at":"2023-07-12T17:54:07.000Z","size":85,"stargazers_count":422,"open_issues_count":2,"forks_count":71,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-11-19T19:04:27.235Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mgeeky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-08-27T19:22:20.000Z","updated_at":"2024-11-19T11:03:09.000Z","dependencies_parsed_at":"2022-07-20T11:32:15.266Z","dependency_job_id":"1183c052-f7fd-45b2-b205-8b1027626d9c","html_url":"https://github.com/mgeeky/ElusiveMice","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FElusiveMice","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FElusiveMice/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FElusiveMice/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FElusiveMice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mgeeky","download_url":"https://codeload.github.com/mgeeky/ElusiveMice/tar.gz/refs/heads/master","host":{"name":"GitHub","url":
"https://github.com","kind":"github","repositories_count":225705442,"owners_count":17511298,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:48.075Z","updated_at":"2024-11-21T09:31:32.968Z","avatar_url":"https://github.com/mgeeky.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"# ElusiveMice - custom Cobalt Strike User-Defined Reflective Loader\n\nThis is a fork of [Cobalt Strike's User-Defined Reflective Loader](https://www.cobaltstrike.com/help-user-defined-reflective-loader), which in turn is a fork of [Stephen Fewer's ReflectiveDLLInjection](https://github.com/stephenfewer/ReflectiveDLLInjection) implementation, but with a _slight_ plot twist - it adds a few lightweight evasions.\n\n## Features\n\n- uses modified API/module-name hashes for dynamic resolution, to avoid simple signature detections\n- the reflective loader now properly restores section memory protections and avoids using one big `RWX` allocation\n- `elusiveMice` tries to wipe itself from memory, leaving close to no remnants of UDRL code when a memory scan sweep comes in\n\n## Usage\n\n1. 
Modify your `arsenal_kit.config` accordingly:\n\n```\ninclude_artifact_kit=\"true\"\ninclude_udrl_kit=\"false\"\ninclude_sleepmask_kit=\"true\"\ninclude_process_inject_kit=\"true\"\ninclude_resource_kit=\"true\"\ninclude_mimikatz_kit=\"true\"\n\nrdll_size=100\n\nartifactkit_stack_spoof=\"true\"\nartifactkit_technique=\"mailslot\"\nartifactkit_stage_size=424948\nartifactkit_syscalls_method=\"indirect_randomized\"\n\nsleepmask_sleep_method=\"WaitForSingleObject\"\nsleepmask_mask_text_section=\"true\"\nsleepmask_syscalls_method=\"indirect_randomized\"\n```\n\n2. Compile the arsenal kit with `./build_arsenal_kit.sh`\n3. Load the `bin/elusiveMice.cna` script into your Cobalt Strike\n4. Generate your Beacon via `Attacks -\u003e Packages -\u003e Windows Stageless Payload` or any other kind of Beacon shellcode.\n5. (Optionally) observe the output in `View -\u003e Script Console`\n\nDebug mode can be enabled in the CNA script by flipping the `$debug` variable:\n\n```\n# Enable Debug of PE content\n# The generated PE content will be displayed in the script console if debug is true\n\n#$debug = \"true\";\n$debug = \"true\";\n```\n\nThis dumps the PE headers of the newly generated Reflective DLL that contains Beacon's codebase.\n\n## Other work\n\nSo far there aren't many publicly available implementations of _User-Defined Reflective Loaders_, but the ones of great quality that I'm aware of include:\n\n- [boku7's BokuLoader](https://github.com/boku7/BokuLoader)\n\n## Author\n\n```\n   Mariusz B. / mgeeky, 21-23\n   \u003cmb [at] binary-offensive.com\u003e\n   (https://github.com/mgeeky)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2FElusiveMice","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmgeeky%2FElusiveMice","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2FElusiveMice/lists"}