Controlling Process Injection

Cobalt Strike 4.5 added support to allow users to define their own process injection technique instead of using the built-in techniques. This is done through the PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT hook functions. Cobalt Strike will call one of these hook functions when executing post exploitation commands. See the section on the hook for a table of supported commands.

The two hooks will cover most of the post exploitation commands. However, there are some exceptions which will not use these hooks and will continue to use the built-in technique.

Beacon Command Aggressor Script function
  &bdllspawn
shell &bshell
execute-assembly &bexecute_assembly

To implement your own injection technique, you will be required to supply a Beacon Object File (BOF) containing your executable code for x86 and/or x64 architectures and an Aggressor Script file containing the hook function. See the Process Injection Hook Examples in the Community Kit.

Since you are implementing your own injection technique, the process-inject settings in your Malleable C2 profile will not be used unless your BOF calls the Beacon API function BeaconInjectProcess or BeaconInjectTemporaryProcess. These functions implement the default injection and most likely will not be used unless it is to implement a fallback to the default technique.

Process Injection Spawn

The PROCESS_INJECT_SPAWN hook is used to define the fork&run process injection technique. The following beacon commands, aggressor script functions, and UI interfaces listed in the table below will call the hook and the user can implement their own technique or use the built-in technique.

Note the following:
  • The elevate, runasadmin, &belevate, &brunasadmin and [beacon] -> Access -> Elevate commands will only use the PROCESS_INJECT_SPAWN hook when the specified exploit uses one of the listed aggressor script functions in the table, for example &bpowerpick.
  • For the net and &bnet command the ‘domain’ command will not use the hook.
  • The ‘(use a hash)’ note means select a credential that references a hash.

Job Types

 

Command Aggressor Script UI
chromedump  
dcsync &bdcsync  
elevate &belevate [beacon] -> Access -> Elevate
[beacon] -> Access -> Golden Ticket
hashdump &bhashdump [beacon] -> Access -> Dump Hashes
keylogger &bkeylogger  
logonpasswords &blogonpasswords [beacon] -> Access -> Run Mimikatz
[beacon] -> Access -> Make Token (use a hash)
mimikatz &bmimikatz  
&bmimikatz_small  
net &bnet [beacon] -> Explore -> Net View
portscan &bportscan [beacon] -> Explore -> Port Scan
postex_kit beacon_execute_postex_job()  
powerpick &bpowerpick  
printscreen &bprintscreen  
pth &bpassthehash  
runasadmin &brunasadmin  
[target] -> Scan
screenshot &bscreenshot [beacon] -> Explore -> Screenshot
screenwatch &bscreenwatch  
ssh &bssh [target] -> Jump -> ssh
ssh-key &bssh_key [target] -> Jump -> ssh-key
[target] -> Jump -> [exploit] (use a hash)

 

Process Injection Explicit

The PROCESS_INJECT_EXPLICIT hook is used to define the explicit process injection technique. The following beacon commands, aggressor script functions, and UI interfaces listed in the table below will call the hook and the user can implement their own technique or use the built-in technique.

Note the following:
  • The [Process Browser] interface is accessed by [beacon] -> Explore -> Process List. There is also a multi version of this interface which is accessed by selecting multiple sessions and using the same UI menu. When in the Process Browser use the buttons to perform additional commands on the selected process.
  • The chromedump, dcsync, hashdump, keylogger, logonpasswords, mimikatz, net, portscan, printscreen, pth, screenshot, screenwatch, ssh, and ssh-key commands also have a fork&run version. To use the explicit version requires the pid and architecture arguments.
  • For the net and &bnet command the ‘domain’ command will not use the hook.

Job Types

 

Command Aggressor Script UI
browserpivot &bbrowserpivot [beacon] -> Explore -> Browser Pivot
chromedump    
dcsync &bdcsync  
dllinject &bdllinject  
hashdump &bhashdump  
inject &binject [Process Browser] -> Inject
keylogger &bkeylogger [Process Browser] -> Log Keystrokes
logonpasswords &blogonpasswords  
mimikatz &bmimikatz  
&bmimikatz_small  
net &bnet  
portscan &bportscan  
postex kit beacon_execute_postex_job()  
printscreen &bprintscreen  
psinject &bpsinject  
pth &bpassthehash  
screenshot &bscreenshot [Process Browser] -> Screenshot (Yes)
screenwatch &bscreenwatch [Process Browser] -> Screenshot (No)
shinject &bshinject  
ssh &bssh  
ssh-key &bssh_key