A BOF tool that can be used to enumerate processes for specific loaded modules or process handles.
- Enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll).
- Enumerate processes for specific process handles (e.g. lsass.exe).
- Avoid using the Windows and Native APIs as much as possible (to avoid userland hooks).
- Execute this code within the beacon process using Beacon object files to avoid fork&run.
- Make sure that Mingw-w64 (including mingw-w64-binutils) has been installed.
- Enter the SOURCE folder within the tool folder.
- Type "make" to compile the object files.
- Use Cobal Strike script manager to import the
FindObjects.cnascript.
Running the tools is straightforward. Once you imported the CNA script using Cobalt Strike's Script Manager, they are available as Cobalt Strike commands that can be executed within a beacon. This tools supports the following commands:
-
The
FindModule example.dllcommand can be used to identify processes which have a certain module loaded, for example the .NET runtimeclr.dllor thewinhttp.dllmodule. This information can be used to select a more opsec safe spawnto candidate when using Cobalt Strike'sexecute-assemblyor before injecting an exfill beacon shellcode using theshinjectcommand. -
The
FindProcHandle example.execommand can be used to identify processes with a specific process handle in use, for example processes using a handle to thelsass.exeprocess. If there's a process within the system with alsass.exeprocess handle, we could use this existing process/handle to read or write memory without opening a new process handle. This bypasses certain AV/EDR's capabilities of detecting and blocking LSASS process/memory access.
This BOF tool has been successfully compiled on Mac OSX systems and used on Windows 8.1+ (x64) systems. Compiling the BOF code should also work on other systems (Linux, Windows) that have the Mingw-w64 compiler installed.