A BOF port of the research of @thefLinkk and @codewhitesec

Related tags

Miscellaneous HandleKatz_BOF
Overview

HandleKatz_BOF

What is this?

This is a (mostly complete) port of the functionality presented by @thefLink and Code White GmbH. You guys deserve a large amount of thanks for taking the time to present your research!

Why?

This was a personal question to answer if this would work within Cobalt Strike, and if so, how?

What are the options this currently supports

  • There are two required parameters, a PID and a filepath to write the dumpfile to. (e.g. handlekatz 780 C:\Users\User\Desktop\obfuscated.dmp)

How do I run this?

  1. In this case, you have two options:
    1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
    2. Compile from source via the Makefile
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file, in the Script Manager, located in the dist directory

Any known downsides?

  • We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk"
  • You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.

Where can we go from here?

  • Implement the one remaining overt Win32 API call invoked with the Dynamic Function Resolution syntax (VirtualAlloc) to be a call to NtAllocateVirtualMemory. I've included the necessary header(s) with implementation in syscalls.h. Enjoy! :)
You might also like...
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Bobby Cooke 92 Nov 30, 2022
CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Cobalt Strike BOF - Inject ETW Bypass Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) Running InjectEtwBypass BOF from Cobalt

Bobby Cooke 238 Dec 9, 2022
A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF.

PPLDump BOF Who worked on this? Justin Lucas (@the_bit_diddler) Brad Campbell (@hackersoup) What is this? Jokingly, an exercise of my own personal san

null 124 Dec 28, 2022
DLL Hijack Search Order Enumeration BOF
DLL Hijack Search Order Enumeration BOF

DLL Hijack Search Order BOF What is this? This is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest)

null 121 Dec 13, 2022
DLL Exports Extraction BOF with optional NTFS transactions.
DLL Exports Extraction BOF with optional NTFS transactions.

DLL Exports Extraction BOF What is this? This is a Cobalt Strike BOF file, meant to use two or three arguments (path to DLL, and/or a third argument [

null 56 Nov 9, 2022
POC tool to convert CobaltStrike BOF files to raw shellcode

BOF2Shellcode POC tool to convert a Cobalt Strike BOF into raw shellcode. Introduction This code was written as part of a blog tutorial on how to conv

FalconForce 132 Dec 30, 2022
A BOF to parse the imports of a provided PE-file, optionally extracting symbols on a per-dll basis.

PE Import Enumerator BOF What is this? This is a BOF to enumerate DLL files to-be-loaded by a given PE file. Depending on the number of arguments, thi

null 78 Dec 1, 2022
A BOF for enumerating version information for DLLs associated for a Beacon process.
A BOF for enumerating version information for DLLs associated for a Beacon process.

DLL Image Resource Version Enumeration BOF What is this? This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , mea

null 10 Nov 5, 2022
A BOF to interact with COM objects associated with the Windows software firewall.

Firewall_Enumerator_BOF What is this? This is meant as a supplement to interact with the Windows firewall via COM interfaces. Did you derive inspirati

null 97 Dec 7, 2022
Owner
Somewhere, doing something.
null
GitHub
Doom port for InfOS - the University of Edinburgh Informatics research operating system used in the UG3 OS course

Doom on InfOS InfOS is the Informatics research operating system, designed specifically for the UG3 Operating Systems course. This project aims to por

Cheng Kai 14 Aug 20, 2022
InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module

InlineExecute-Assembly InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process

anthemtotheego 402 Dec 26, 2022
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).

boku 349 Dec 1, 2022
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Bobby Cooke 203 Dec 20, 2022
Strstr with user-supplied needle and filename as a BOF.

Needle_Sift_BOF What is this? Strstr with user-supplied needle and filename as a BOF. Why? Why not? Supply what you want, and don't worry about downlo

null 29 Nov 9, 2022
CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

CredBandit CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process a

anthemtotheego 188 Dec 25, 2022
PLP Project Programming Language | Programming for projects and computer science and research on computer and programming.

PLPv2b PLP Project Programming Language Programming Language for projects and computer science and research on computer and programming. What is PLP L

PLP Language 5 Aug 20, 2022
Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Cobalt Strike BOF - Inject AMSI Bypass Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. Running inje

boku 307 Dec 28, 2022
Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

anthemtotheego 121 Dec 25, 2022
Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

HalosGate Processlist Cobalt Strike BOF Cobalt Strike Beacon Object File (BOF) that uses a custom HalosGate & HellsGate syscaller, written in assembly

Bobby Cooke 50 Nov 9, 2022