MemFiles : Enhancing CobaltStrike With In-Memory File Management

MemFiles is a toolkit for CobaltStrike that enables Operators to write files produced by the Beacon process into memory, rather than writing them to disk on the target system.

It has been successfully tested on Windows 7, 10, and 11; corresponding server versions should work without issue. MemFiles is restricted to x64 Beacons.

It accomplishes this by hooking several different NtAPI’s within NTDLL.dll and redirecting calls to those API’s to functions that have been injected into the Beacon process memory space.

MemFiles assumes a clean/unhooked copy of NTDLL in the Beacon process.

No guarantees are made about the viability of MemFiles in a Beacon process where EDR hooks are still in place. Repair/refresh NTDLL before using MemFiles!

A “special”, non-existent directory is defined within the MemFiles toolkit; any files that are written to this special directory will be captured by MemFiles and written into memory where they can then be downloaded to the Teamserver.

MemFiles is compatible with most (not all) tools that run within the Beacon process and that can be instructed to write their output to a specific directory. It does NOT require elevated privileges to work.

This includes:
-BOF’s
-.NET assemblies ran inline using something like inline-executeAssembly
-PE’s ran inline using something like Inline-Execute-PE

All of these are compatible because they run inside the Beacon process, where the relevant NtAPI’s have been hooked.

MemFiles does NOT work with things like:
-execute-assembly
-shell
-run

None of these are compatible because they all spawn other processes whose NtAPI’s have NOT been hooked.

MemFiles has successfully been tested with tools like Rubeus, SharpHound, Procdump, and Powershell when they are ran within the Beacon process.

Setup

Clone the repository and optionally alter the hookdir variable that is defined at line 56 in both /PIC/Source/NtCreateFile.c and /PIC/Source/NtOpenFile.c.

This variable is the “special” directory that signals to MemFiles it should intercept the file being created.

The hookdir variable is set to “redteam” by default. Ensure this variable is not a real directory on the target system, and that it is the same in both files!

Load MemFiles.cna into the CobaltStrike Client. Ensure the directory that CobaltStrike is running from is writable by your user; MemFiles creates a text file there (memfiles.txt) in order to ensure availability of the data required by MemFiles to function.

MemFiles can be configured to install in each new Beacon that calls into the Teamserver; this is accomplished by using the MemFiles->Config menu item.

By default, MemFiles does NOT auto-install in new Beacons. 

Note that this is a global setting; if two Clients are connected to the Teamserver and both have MemFiles.cna loaded, if Client A toggles the “Install on beacon initial” setting, the change will also take effect for Client B!

For more information click here.