• Stars
    star
    412
  • Rank 105,024 (Top 3 %)
  • Language
    C
  • License
    MIT License
  • Created over 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

SPAWN - Cobalt Strike BOF

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

  • Due to ACG, this does not support shellcode which is dependent on these fuctionalities:
    • Toggling memory permissions between RW/RX.
    • RWX memory
  • To inject shellcode into a spawned process that is dependent on the above functionilities please see the Hollow BOF project
  • For an awesome explaination on ACG please see Adam Chestner's blog below.

New Features (08/01/2021)

Popin' Calc from ACG Protected Process

beacon> spawn notepad.exe 6248 /Users/bobby.cooke/git/boku7/SPAWN/popCalc.bin
[*] SPAWN (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] Opened handle 0x534 to process 6248(PID)
[+] Spawned process: notepad.exe | PID: 8404 | PPID: 6248
[+] Allocated RE memory in remote process 8404 (PID) at: 0x00000177A72C0000
[+] Wrote 280 bytes to memory in remote process 8404 (PID) at 0x00000177A72C0000
[+] APC queued for main thread of 8404 (PID) to shellcode address 0x00000177A72C0000

New Features (07/19/2021)

  • CNA Agressor Script interface
beacon> help
    spawn                     Spawn a process with a spoofed PPID and blockDll
beacon> help spawn
Synopsis: spawn /path/to/exe PPID
beacon> ps
8264  5536  OneDrive.exe                 x86   1           DESKTOP-KOSR2NO\boku 
beacon> spawn cmd.exe 8264
[*] SPAWN (@0xBoku|github.com/boku7)
Opened handle 0x634 to process 8264(PID)
Success! Spawned process: cmd.exe | PID: 5384 | PPID: 8264
  • PPID Spoofing
  • Cobalt Strike "like" blockdll functionality

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc -c spawn.x64.c -o spawn.x64.o

Run from Cobalt Strike Beacon Console

  • After compile import the spawn.cna script into Cobalt Strikes Script Manager
beacon> spawn /path/to/exe PPID /local/path/to/shellcode.bin

To Do List

  • Agressor script for better end user experience
  • PPID spoofing for better parent-child process relation OPSEC
    • Here we can see our cmd.exe process being spawned with the PPID as OneDrive.exe
  • implement Cobalt Strike blockdll functionality to prevent non-MS signed DLLs from loading into the spawned processes memory
    • We see the parent-child process relationship, and that our spawned process has been created with the Signatures restricted (Microsoft only)
    • The Signatures restricted (Microsoft only) makes it so DLL's not signed by Microsoft cannot be loaded into our spawned process
  • Do not crash the beacon process when the PE file does not exist
    • No longer crashes on process creation failure!
  • Return the PID to the Cobalt Strike console when the new process is spawned
  • Build out different methods of remote process injection (08/01/21)
  • Build out different methods of remote process patching
    • NTDLL.DLL remote process Unhooking
    • ETW remote process Patching/Bypass
    • AMSI remote process Patching/Bypass
    • CLR Loading & .Net assembly injection

Why did I build this?

1. To learn more about Cobalt Strike BOFs
2. I want flexibility in choosing my sacraficial processes.
  • Spawning the same process for every fork-and-run seems like bad/predictable OPSEC to me.
  • There are probably methods for this out there or built into CS already. Either way, I wanted to build my own.
3. I have allot of cool BOF ideas that I want to build on this.

Credits / References

PPID Spoofing & blockDll functionality
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
anthemtotheego/InlineExecute-Assembly
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF
Sektor7 Malware Dev Essentials course - learned how to do the early bird injection technique

More Repositories

1

BokuLoader

A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
C
1,119
star
2

azureOutlookC2

Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
C
456
star
3

Ninja_UUID_Runner

Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!
C
425
star
4

injectAmsiBypass

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.
C
366
star
5

injectEtwBypass

CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
C
258
star
6

HOLLOW

EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode
C
240
star
7

AsmHalosGate

x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks
C
167
star
8

whereami

Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
C
153
star
9

winx64-InjectAllProcessesMeterpreter-Shellcode

64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
Assembly
129
star
10

HellsGatePPID

Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process
C
99
star
11

Nobelium-PdfDLRunAesShellcode

A recreation of the "Nobelium" malware based on Microsofts Malware analysis - Part 1: PDF2Pwn
C
99
star
12

halosgate-ps

Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes
C
93
star
13

XSS-Clientside-Attacks

A repository of JavaScript XSS attacks against client browsers
JavaScript
86
star
14

xPipe

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions
C
75
star
15

x64win-DynamicNoNull-WinExec-PopCalc-Shellcode

64bit WIndows 10 shellcode dat pops dat calc - Dynamic & Null Free
Assembly
34
star
16

x64win-AddRdpAdminShellcode

64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups Administrators & "Remote Desktop Users"
Assembly
33
star
17

tailorMS-rXSS-Keylogger

Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Tailor Management System v1.0 allows remote attackers to harvest keys pressed via unauthenticated victim clicking malicious URL and typing.
Python
25
star
18

StockManagement-XSS-Login-CredHarvester

Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Stock Management System v1.0 allows remote attackers to harvest login credentials & session cookie via unauthenticated victim clicking malicious URL and entering credentials.
Python
20
star
19

gsSMTP-Csrf2Xss2RCE

Python
17
star
20

gsCMS-CustomJS-Csrf2Xss2Rce

GetSimple CMS Custom JS Plugin Exploit RCE Chain
Python
13
star
21

LibreHealth-authRCE

LibreHealth v2.0.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the hosting webserver via uploading a maliciously crafted image.
Python
11
star
22

CVE-2020-23839

Public PoC Disclosure for CVE-2020-23839 - GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal
Python
10
star
23

onlineCourseReg-RCE

From 0 to Remote Code Execution - exploit development files for Online Course Registration Web Application RCE
Python
8
star
24

BikeRental-FU-RCE

Python
8
star
25

slae64

Repo for SLAE64 Exam
Assembly
7
star
26

GetSimple-SmtpPlugin-CSRF2RCE

GetSimple CMS My SMTP Contact Plugin <= v1.1.1 - CSRF to RCE
Python
7
star
27

boku7.github.io

Blog
HTML
6
star
28

homeRent-SQLi-RCE

House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers to execute arbitrary code on the hosting webserver via sending a malicious POST request.
Python
5
star
29

fuzzingFTP

Python scripts for fuzzing FTP servers, with percision, over TCP
Python
4
star
30

slae32

Repo for all SLAE32 Exam Assignments
Assembly
3
star
31

burp-jars

3
star
32

aCal-RCE

Exploit Development files for aCal web application - reflected XSS to RCE.
Python
3
star
33

BarracudaDrivev6.5-LocalPrivEsc

Insecure Service File Permissions in bd service in Real Time Logics BarracudaDrive v6.5 allows local attackers to escalate privileges to admin via replacing the bd.exe file and restarting the computer where it will be run as 'LocalSystem' on the next startup automatically.
2
star
34

AV_Bypass-Splitter

Splitter script to identify Anti-Virus signature of an executable
Shell
1
star
35

xdev-templates

Random helpful xdev templates
Python
1
star
36

domQuestPro-SEH-BOF

Python
1
star