TEB (GS Register) –> PEB –> ProcessParameters –> Environment Block Address & Environment Size
COBALT STRIKE BEACON SOURCE CODE WINDOWS
To make our BOF work from anywhere in memory, we will use windows operating system functionality to get the TEB address, from the TEB we will get the Process Environment Block (PEB) address, from the PEB we will get the ProcessParameters struct address, and from the ProcessParameters struct we will get the address of the Environment string block & the size of the Environment string block.WinDBG has an awesome feature that allows you to supply it a structure & a memory address while debugging a process, and it will format the values there into the struct you supply.I discovered that TrustedSec had already created a BOF for this, and of course they did because they are awesome! If you’d like to view their original work you can find it here: trustedsec/CS-Situational-Awareness-BOF/env Our BOF Flow to get the Environment Variables Dynamically in Memoryīelow is the high-level flow & WinDBG commands to map our path from the Thread Environment Block (TEB) to the Environment strings we will ultimately display in our Cobalt Strike interactive beacon console.
COBALT STRIKE BEACON SOURCE CODE FULL
Since the goal was to make it ninja/OPSEC safe, I figured why not just do it dynamically with Assembly? About halfway through creation, I bit the bullet and burned the extra time to make it into a blog post as well, so here it is!įor the full code to the project see the GitHub repo: So that’s what I did! I created a Beacon Object File that grabs the information we’d want, right there from the beacon process memory! I thought “Why not just get the whoami.exe info from the process? It’s already right there in the beacon processes memory!”.
Matt uses an example where after the beacon compromises the endpoint, the first thing it does is run the whoami.exe local binary.In this talk, Matt shows how EDR heuristics can detect Cobalt Strike beacons based on their behavior.This idea was inspired by Matt Eidelberg’s DEF CON 29 talk Operation Bypass Catch My Payload If You Can. This is a walkthrough of creating the Cobalt Strike Beacon Object File (BOF) “Where Am I?”
0 kommentar(er)
