Keylogger comes in the form of a reflective DLL which can be injected to a remote process. This is basically a fork&run command. The keylogger command will inject the reflective DLL into a child process and start capturing the user’s keystrokes using anonymous pipes. To view the output and stop the keylogger, just kill the injected process. Unlike Cobaltstrike, this reflective DLL does not use a named pipe to capture the output which is what usually gets blocked.