MemFiles is a toolkit for CobaltStrike that enables Operators to write files produced by the Beacon process into memory, rather than writing them to disk on the target system.
It has been successfully tested on Windows 7, 10, and 11; corresponding server versions should work without issue. MemFiles is restricted to x64 Beacons.
It accomplishes this by hooking several different NtAPI’s within NTDLL.dll and redirecting calls to those API’s to functions that have been injected into the Beacon process memory space.
MemFiles assumes a clean/unhooked copy of NTDLL in the Beacon process.
No guarantees are made about the viability of MemFiles in a Beacon process where EDR hooks are still in place. Repair/refresh NTDLL before using MemFiles!
A “special”, non-existent directory is defined within the MemFiles toolkit; any files that are written to this special directory will be captured by MemFiles and written into memory where they can then be downloaded to the Teamserver.
MemFiles is compatible with most (not all) tools that run within the Beacon process and that can be instructed to write their output to a specific directory. It does NOT require elevated privileges to work.
This includes:
-BOF’s
-.NET assemblies ran inline using something like inline-executeAssembly
-PE’s ran inline using something like Inline-Execute-PE
All of these are compatible because they run inside the Beacon process, where the relevant NtAPI’s have been hooked.
MemFiles does NOT work with things like:
-execute-assembly
-shell
-run
None of these are compatible because they all spawn other processes whose NtAPI’s have NOT been hooked.
MemFiles has successfully been tested with tools like Rubeus, SharpHound, Procdump, and Powershell when they are ran within the Beacon process.
Clone the repository and optionally alter the hookdir variable that is defined at line 56 in both /PIC/Source/NtCreateFile.c and /PIC/Source/NtOpenFile.c.
This variable is the “special” directory that signals to MemFiles it should intercept the file being created.
The hookdir variable is set to “redteam” by default. Ensure this variable is not a real directory on the target system, and that it is the same in both files!
Load MemFiles.cna into the CobaltStrike Client. Ensure the directory that CobaltStrike is running from is writable by your user; MemFiles creates a text file there (memfiles.txt) in order to ensure availability of the data required by MemFiles to function.
MemFiles can be configured to install in each new Beacon that calls into the Teamserver; this is accomplished by using the MemFiles->Config menu item.
By default, MemFiles does NOT auto-install in new Beacons.
Note that this is a global setting; if two Clients are connected to the Teamserver and both have MemFiles.cna loaded, if Client A toggles the “Install on beacon initial” setting, the change will also take effect for Client B!
For more information click here.
Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…
Introduction A self-signed SSL certificate is a certificate that is created and signed by the…
Introduction Debugging is an important part of Bash scripting. When a script does not work…
Introduction Cron jobs are used in Linux to run commands or Bash scripts automatically at…
Introduction Pipes are an important feature in Linux and Bash scripting. A pipe allows you…
Introduction The grep, awk, and sed commands are powerful text-processing tools in Linux. They are…