MemFiles is a toolkit for CobaltStrike that enables Operators to write files produced by the Beacon process into memory, rather than writing them to disk on the target system.
It has been successfully tested on Windows 7, 10, and 11; corresponding server versions should work without issue. MemFiles is restricted to x64 Beacons.
It accomplishes this by hooking several different NtAPI’s within NTDLL.dll and redirecting calls to those API’s to functions that have been injected into the Beacon process memory space.
MemFiles assumes a clean/unhooked copy of NTDLL in the Beacon process.
No guarantees are made about the viability of MemFiles in a Beacon process where EDR hooks are still in place. Repair/refresh NTDLL before using MemFiles!
A “special”, non-existent directory is defined within the MemFiles toolkit; any files that are written to this special directory will be captured by MemFiles and written into memory where they can then be downloaded to the Teamserver.
MemFiles is compatible with most (not all) tools that run within the Beacon process and that can be instructed to write their output to a specific directory. It does NOT require elevated privileges to work.
This includes:
-BOF’s
-.NET assemblies ran inline using something like inline-executeAssembly
-PE’s ran inline using something like Inline-Execute-PE
All of these are compatible because they run inside the Beacon process, where the relevant NtAPI’s have been hooked.
MemFiles does NOT work with things like:
-execute-assembly
-shell
-run
None of these are compatible because they all spawn other processes whose NtAPI’s have NOT been hooked.
MemFiles has successfully been tested with tools like Rubeus, SharpHound, Procdump, and Powershell when they are ran within the Beacon process.
Clone the repository and optionally alter the hookdir variable that is defined at line 56 in both /PIC/Source/NtCreateFile.c and /PIC/Source/NtOpenFile.c.
This variable is the “special” directory that signals to MemFiles it should intercept the file being created.
The hookdir variable is set to “redteam” by default. Ensure this variable is not a real directory on the target system, and that it is the same in both files!
Load MemFiles.cna into the CobaltStrike Client. Ensure the directory that CobaltStrike is running from is writable by your user; MemFiles creates a text file there (memfiles.txt) in order to ensure availability of the data required by MemFiles to function.
MemFiles can be configured to install in each new Beacon that calls into the Teamserver; this is accomplished by using the MemFiles->Config menu item.
By default, MemFiles does NOT auto-install in new Beacons.
Note that this is a global setting; if two Clients are connected to the Teamserver and both have MemFiles.cna loaded, if Client A toggles the “Install on beacon initial” setting, the change will also take effect for Client B!
For more information click here.
Learning Without Walls Remote education has long been a lifeline for students in rural areas…
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…