GitHub - boku7/SPAWN: Cobalt Strike Beacon Object File (BOF) that takes the name...
source link: https://github.com/boku7/SPAWN
SPAWN - Cobalt Strike BOF
Beacon Object File (BOF) that spawns an arbitrary process from the beacon's memory. Supports Parent Process ID (PPID) spoofing and blocking non-Microsoft-signed DLLs (which includes some EDR DLLs) from loading into the spawned process's memory.
New Features (07/19/2021)
- CNA Aggressor Script interface

```
beacon> help spawn
Spawn a process with a spoofed PPID and blockDll
beacon> help spawn
Synopsis: spawn /path/to/exe PPID
beacon> ps
 8264   5536   OneDrive.exe   x86   1   DESKTOP-KOSR2NO\boku
beacon> spawn cmd.exe 8264
[*] SPAWN (@0xBoku|github.com/boku7)
Opened handle 0x634 to process 8264(PID)
Success! Spawned process: cmd.exe | PID: 5384 | PPID: 8264
```

- PPID Spoofing
- Cobalt Strike "like" blockdll functionality
Compile with x64 MinGW:
```
x86_64-w64-mingw32-gcc -c spawnSuspendedProcess.c -o spawnSuspendedProcess.o
```
Run from Cobalt Strike Beacon Console
- After compiling, import the spawn.cna script into Cobalt Strike's Script Manager

```
beacon> spawn /path/to/exe PPID
```
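As an added defender-side example (not code from the SPAWN project), the following Python flags the two side effects visible in the session above: a recorded parent that is not the process that actually issued the create call, and the "Signatures restricted (Microsoft only)" mitigation on a process that normally would not carry it. It assumes process-start records in which the creating process is known independently of the claimed parent (as with ETW Microsoft-Windows-Kernel-Process events, whose header carries the caller's PID while the payload carries ParentProcessID); the records, the beacon host PID 7020 and the allowlist are constructed, not captured.

```python
from dataclasses import dataclass


@dataclass
class ProcessStart:
    """One process-creation event, as a defender would see it in ETW."""
    caller_pid: int    # process that issued the create call (event header PID)
    pid: int           # the newly created process
    parent_pid: int    # ParentProcessID recorded in the payload; what `ps` shows
    image: str
    ms_only_sig: bool  # "Signatures restricted (Microsoft only)" policy applied


# Constructed sample (not a real capture). PID 7020 is assumed to be the
# beacon host; it spawns cmd.exe while naming OneDrive.exe (8264) as parent.
SAMPLE = [
    ProcessStart(8264, 9100, 8264, r"C:\Windows\System32\notepad.exe", False),
    ProcessStart(7020, 5384, 8264, r"C:\Windows\System32\cmd.exe", True),
    ProcessStart(4112, 4200, 4112, r"C:\Windows\explorer.exe", False),
]

# Hypothetical allowlist of images known to opt into the Microsoft-only
# signature policy on their own (browsers commonly do); tune per environment.
MS_ONLY_ALLOWLIST = frozenset({r"C:\Program Files\Example\browser.exe"})


def find_spoofed_parents(events):
    """Return (pid, image, claimed_parent, real_creator) for each event where
    the creating process differs from the parent recorded in the payload."""
    return [(e.pid, e.image, e.parent_pid, e.caller_pid)
            for e in events if e.caller_pid != e.parent_pid]


def find_unexpected_ms_only(events, allowlist=MS_ONLY_ALLOWLIST):
    """Return (pid, image) for processes carrying the Microsoft-only signature
    policy that are not expected to set it themselves."""
    return [(e.pid, e.image)
            for e in events if e.ms_only_sig and e.image not in allowlist]


def triage(events):
    """PIDs showing both signals at once: a spoofed parent and the blockdll
    policy on the same process, the pattern the session above produces."""
    spoofed = {pid for pid, *_ in find_spoofed_parents(events)}
    ms_only = {pid for pid, _ in find_unexpected_ms_only(events)}
    return sorted(spoofed & ms_only)


if __name__ == "__main__":
    for pid, image, claimed, creator in find_spoofed_parents(SAMPLE):
        print(f"PID {pid} ({image}) claims parent {claimed}, created by {creator}")
    print("high-confidence PIDs:", triage(SAMPLE))
```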
To Do List
- Aggressor script for better end user experience
- PPID spoofing for better parent-child process relationship OPSEC
  - Here we can see our cmd.exe process being spawned with the PPID as OneDrive.exe
- Implement Cobalt Strike blockdll functionality to prevent non-MS signed DLLs from loading into the spawned process's memory
  - We see the parent-child process relationship, and that our spawned process has been created with the "Signatures restricted (Microsoft only)" policy
  - The "Signatures restricted (Microsoft only)" policy makes it so DLLs not signed by Microsoft cannot be loaded into our spawned process
- Do not crash the beacon process when the PE file does not exist
  - No longer crashes on process creation failure!
- Return the PID to the Cobalt Strike console when the new process is spawned
- Build out different methods of remote process injection
- Build out different methods of remote process patching
- NTDLL.DLL remote process Unhooking
- ETW remote process Patching/Bypass
- AMSI remote process Patching/Bypass
- CLR Loading & .Net assembly injection
Why did I build this?
1. To learn more about Cobalt Strike BOFs
2. I want flexibility in choosing my sacrificial processes.
- Spawning the same process for every fork-and-run seems like bad/predictable OPSEC to me.
- There are probably methods for this out there or built into CS already. Either way, I wanted to build my own.
3. I have a lot of cool BOF ideas that I want to build on this.
Credits / References
PPID Spoofing & blockDll functionality
- Credit/shoutout to: Adam Chester @xpn + @SEKTOR7net + Raphael Mudge
- Thank you for the amazing work that you've contributed. I would not be able to publish this without your blogs, videos, and awesome content!
Main References for PPID Spoofing & blockdll
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
- anthemtotheego/InlineExecute-Assembly
- ajpc500/BOFs
- trustedsec/CS-Situational-Awareness-BOF
- Sektor7 Malware Dev Essentials course - learned how to do the early bird injection technique