FindObjects-BOF : A Cobalt Strike Beacon Object File (BOF)

FindObjects-BOF is a Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific modules or process handles.

What Is This Repository For?

  • Use direct systems calls within Beacon Object files to enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll).
  • Use direct systems calls within Beacon Object files to enumerate processes for specific process handles (e.g. lsass.exe).
  • Avoid using the Windows and Native APIs as much as possible (to avoid userland hooks).
  • Execute this code within the beacon process using Beacon object files to avoid fork&run.

Why Do I Need This?

Utilizing direct systems calls via inline assembly in BOF code provides a more opsec safe way of interacting with the system. Using direct system calls avoids AV/EDR software intercepting user-mode API calls.

  • The FindModule bof can be used to identify processes which have a certain module loaded, for example the .NET runtime clr.dll or the winhttp.dll module. This information can be used to select a more opsec safe spawnto candidate when using Cobalt Strike’s execute-assembly or before injecting an exfill beacon shellcode using the shinject command.
  • The FindProcHandle bof can be used to identify processes with a specific process handle in use, for example processes using a handle to the lsass.exe process. If there’s a process within the system with a lsass.exe process handle, we could use this existing process/handle to read or write memory without opening a new process handle. This bypasses certain AV/EDR’s capabilities of detecting and blocking LSASS process/memory access.

How Do I Set This Up?

We will not supply compiled binaries. You will have to do this yourself:

  • Clone this repository.
  • Make sure you have the Mingw-w64 compiler installed. On Mac OSX for example, you can use the ports collection to install Mingw-w64 (sudo port install mingw-w64).
  • Run the make command to compile the Beacon object file.
  • Within Cobalt Strike use the Script Manager to load the FindObjects.cna script.
  • Within a Cobalt Strike beacon context use the FindProcHandle or FindModule command with the required parameters (e.g. module or process name).
Download
R K

Share
Published by
R K
Tags: Cobalt Strike Beacon Object FileDirect System CallsEnumerate ProcessesFindObjects-BOF
4 years ago

Recent Posts

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

4 hours ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

18 hours ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

19 hours ago

What is SIEM? Complete Guide to Security Information and Event Management

Introduction As cyber threats grow more sophisticated, organizations need more than just firewalls and antivirus…

1 day ago

Website OSINT: Tools and Techniques for Reconnaissance

Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…

2 days ago

Top OSINT Tools to Find Emails, Usernames and Passwords

Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…

2 days ago