Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
- Due to ACG, this does not support shellcode which is dependent on these fuctionalities:
- Toggling memory permissions between RW/RX.
- RWX memory
- To inject shellcode into a spawned process that is dependent on the above functionilities please see the Hollow BOF project
- For an awesome explaination on ACG please see Adam Chestner's blog below.
- Spawn sacrificial process with Arbitrary Code Guard (ACG) to prevent EDR solutions from hooking into sacrificial process DLL's.
- See Adam Chester's "Protecting Your Malware" blog for full details. This part of the BOF is derived from his work.
- Inject & Execute shellcode.
beacon> spawn notepad.exe 6248 /Users/bobby.cooke/git/boku7/SPAWN/popCalc.bin
[*] SPAWN (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] Opened handle 0x534 to process 6248(PID)
[+] Spawned process: notepad.exe | PID: 8404 | PPID: 6248
[+] Allocated RE memory in remote process 8404 (PID) at: 0x00000177A72C0000
[+] Wrote 280 bytes to memory in remote process 8404 (PID) at 0x00000177A72C0000
[+] APC queued for main thread of 8404 (PID) to shellcode address 0x00000177A72C0000
- CNA Agressor Script interface
beacon> help
spawn Spawn a process with a spoofed PPID and blockDll
beacon> help spawn
Synopsis: spawn /path/to/exe PPID
beacon> ps
8264 5536 OneDrive.exe x86 1 DESKTOP-KOSR2NO\boku
beacon> spawn cmd.exe 8264
[*] SPAWN (@0xBoku|github.com/boku7)
Opened handle 0x634 to process 8264(PID)
Success! Spawned process: cmd.exe | PID: 5384 | PPID: 8264
- PPID Spoofing
- Cobalt Strike "like"
blockdll
functionality
x86_64-w64-mingw32-gcc -c spawn.x64.c -o spawn.x64.o
- After compile import the spawn.cna script into Cobalt Strikes Script Manager
beacon> spawn /path/to/exe PPID /local/path/to/shellcode.bin
Agressor script for better end user experience
PPID spoofing for better parent-child process relation OPSEC
- Here we can see our
cmd.exe
process being spawned with the PPID asOneDrive.exe
- Here we can see our
implement Cobalt Strikeblockdll
functionality to prevent non-MS signed DLLs from loading into the spawned processes memory
- We see the parent-child process relationship, and that our spawned process has been created with the
Signatures restricted (Microsoft only)
- The
Signatures restricted (Microsoft only)
makes it so DLL's not signed by Microsoft cannot be loaded into our spawned process
- We see the parent-child process relationship, and that our spawned process has been created with the
Do not crash the beacon process when the PE file does not exist
- No longer crashes on process creation failure!
Return the PID to the Cobalt Strike console when the new process is spawned
Build out different methods of remote process injection(08/01/21)- Build out different methods of remote process patching
- NTDLL.DLL remote process Unhooking
- ETW remote process Patching/Bypass
- AMSI remote process Patching/Bypass
- CLR Loading & .Net assembly injection
- Spawning the same process for every fork-and-run seems like bad/predictable OPSEC to me.
- There are probably methods for this out there or built into CS already. Either way, I wanted to build my own.
- Credit/shoutout to: Adam Chester @_xpn_ + @SEKTOR7net + Raphael Mudge
- Thank you for the amazing work that you've contributed. I would not be able to publish this without your blogs, videos, and awesome content!
- Main References for PPID Spoofing & blockdll