A core tenet of Cobalt Strike development is to continue to add flexibility to allow operators to tailor the product to suit their various needs. It is in this spirit that the User Defined Reflective Loader (UDRL) was added in the 4.4 release, providing users with more control over Beacon’s reflective loading process.
What is the User-Defined Reflective Loader (UDRL)?
UDRLs are a way for operators to write their own reflective loader, bringing their own tradecraft to bear. UDRLs are particularly helpful for increasing the evasiveness of Beacon by allowing you to use a loader that works for you, rather than being constrained by the default loader. For example, Outflank’s Kyle Avery developed a AceLDR, a UDRL designed to evade memory scanners.
The UDRL is a primary feature of Cobalt Strike and updates were made in 4.5 to expand its capabilities. This included increasing the size capacity of the loader and ensuring the artifact kit permitted customized sizing so that larger UDRLs had enough space.
The UDRL was further expanded in version 4.9. A new Aggressor Script hook was added to replace the default reflective loader in order to add support for prepend-style UDRLs using post-exploitation DLLs. To further support prepend-style UDRLs, Beacon was updated so it can be used without the exported reflective loader function.
A blog series has been created to provide comprehensive guidance on UDRL development.
The Community Kit and UDRLs
Given the popularity of UDRLs and the collaborative nature of the Cobalt Strike community, some UDRLs have been made publicly available – notably AceLdr, TitanLdr and BokuLoader. These are available to download in the Community Kit, a curated central repository of UDRLs and other extensions written by the user community to extend the capabilities of Cobalt Strike.
If you’ve developed a UDRL for Cobalt Strike yourself and you’d like to share, you can submit it for review.
Integrating Outflank Security Tooling (OST) and Cobalt Strike with UDRLs
OST is an advanced red teaming toolset that offers numerous offensive tools and tradecraft, many of which can be used with Cobalt Strike. With the acquisition of Outflank in 2022, the development teams of OST and Cobalt Strike have begun to work together to more closely align the two products.
UDRLs are a prime example of this collaboration. Using the Cobalt Strike Integrations tool, users can patch a custom OST UDRL onto a Beacon payload.