Controlling Process Injection
Cobalt Strike 4.5 added support for users to define their own process injection technique in place of the built-in techniques. This is done through the PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT hook functions, which Cobalt Strike calls when executing post-exploitation commands. See the section on each hook below for a table of the commands that call it.
The two hooks will cover most of the post exploitation commands. However, there are some exceptions which will not use these hooks and will continue to use the built-in technique.
| Beacon Command | Aggressor Script function |
|---|---|
| | &bdllspawn |
| shell | &bshell |
| execute-assembly | &bexecute_assembly |
To implement your own injection technique, you will be required to supply a Beacon Object File (BOF) containing your executable code for x86 and/or x64 architectures and an Aggressor Script file containing the hook function. See the Process Injection Hook Examples in the Community Kit.
Because you are supplying the injection technique, the process-inject settings in your Malleable C2 profile are not applied unless your BOF calls the Beacon API functions BeaconInjectProcess or BeaconInjectTemporaryProcess. Those functions perform the default, profile-driven injection, so the usual reason to call them is to fall back to the built-in technique when your own cannot handle a case.
Built-In Process Injection Options
Cobalt Strike 4.12 introduced several new built-in injection implementations, which are available in the new Process Injection dialog, accessible from the Advanced Config drop-down. These injections are implemented as BOFs to increase operator capability without changing the size of Beacon. These BOFs do not use the use_driploading malleable option. These options include:
| Option | Explicit | Spawn | x86 -> x86 | x64 -> x64 | SysWOW64 | Minimum Windows version | Notes |
|---|---|---|---|---|---|---|---|
| RtlCloneUserProcess | Yes | Yes | Yes | Yes | No | Windows 7 | Performs injection primitives from a cloned process |
| TpDirect | Yes | Yes | No | Yes | No | Windows 10 (19045) | Manipulates the TP_DIRECT structure from a target process. |
| TpStartRoutineStub | Yes | Yes | Yes | Yes | No | Windows 10 (19045) | Manipulates the minimum thread count of a target process's thread pool. |
| EarlyCascade | No | Yes | No | Yes | No | Windows 10 (19045) | Hijacks process initialization to achieve payload execution. |
Process Injection Spawn
The PROCESS_INJECT_SPAWN hook defines the fork&run process injection technique. The Beacon commands, Aggressor Script functions and UI actions listed in the table below call this hook; the implementation can perform its own technique or use the built-in one.
Note the following:
- The elevate and runasadmin commands, the &belevate and &brunasadmin functions, and [beacon] -> Access -> Elevate only use the PROCESS_INJECT_SPAWN hook when the selected exploit is built on one of the Aggressor Script functions in the table, for example &bpowerpick.
- For the net command and the &bnet function, the ‘domain’ subcommand does not use the hook.
- The ‘(use a hash)’ note means select a credential that references a hash.
Job Types
| Command | Aggressor Script | UI |
|---|---|---|
| chromedump | | |
| dcsync | &bdcsync | |
| elevate | &belevate | [beacon] -> Access -> Elevate |
| | | [beacon] -> Access -> Golden Ticket |
| hashdump | &bhashdump | [beacon] -> Access -> Dump Hashes |
| keylogger | &bkeylogger | |
| logonpasswords | &blogonpasswords | [beacon] -> Access -> Run Mimikatz |
| | | [beacon] -> Access -> Make Token (use a hash) |
| mimikatz | &bmimikatz | |
| | &bmimikatz_small | |
| net | &bnet | [beacon] -> Explore -> Net View |
| portscan | &bportscan | [beacon] -> Explore -> Port Scan |
| postex_kit | beacon_execute_postex_job() | |
| powerpick | &bpowerpick | |
| printscreen | &bprintscreen | |
| pth | &bpassthehash | |
| runasadmin | &brunasadmin | |
| | | [target] -> Scan |
| screenshot | &bscreenshot | [beacon] -> Explore -> Screenshot |
| screenwatch | &bscreenwatch | |
| ssh | &bssh | [target] -> Jump -> ssh |
| ssh-key | &bssh_key | [target] -> Jump -> ssh-key |
| | | [target] -> Jump -> [exploit] (use a hash) |
The PROCESS_INJECT_SPAWN_USER hook lets users register their own injection BOFs for fork&run spawn injections. These BOFs must follow the argument packing conventions of the Process Inject Kit.
To register custom fork&run spawn injections, set the PROCESS_INJECT_SPAWN_USER hook and return a map whose keys are the names of the injection techniques and whose values are the paths to the corresponding BOFs.
Process Injection Explicit
The PROCESS_INJECT_EXPLICIT hook defines the explicit process injection technique (injection into an existing process by pid). The Beacon commands, Aggressor Script functions and UI actions listed in the table below call this hook; the implementation can perform its own technique or use the built-in one.
Note the following:
- The [Process Browser] interface is opened from [beacon] -> Explore -> Process List. A multi-session version is opened by selecting several sessions and using the same menu. In the Process Browser, use the buttons to run the listed commands against the selected process.
- The chromedump, dcsync, hashdump, keylogger, logonpasswords, mimikatz, net, portscan, printscreen, pth, screenshot, screenwatch, ssh, and ssh-key commands also have a fork&run version; the explicit version is selected by supplying the pid and architecture arguments.
- For the net command and the &bnet function, the ‘domain’ subcommand does not use the hook.
Job Types
| Command | Aggressor Script | UI |
|---|---|---|
| browserpivot | &bbrowserpivot | [beacon] -> Explore -> Browser Pivot |
| chromedump | | |
| dcsync | &bdcsync | |
| dllinject | &bdllinject | |
| hashdump | &bhashdump | |
| inject | &binject | [Process Browser] -> Inject |
| keylogger | &bkeylogger | [Process Browser] -> Log Keystrokes |
| logonpasswords | &blogonpasswords | |
| mimikatz | &bmimikatz | |
| | &bmimikatz_small | |
| net | &bnet | |
| portscan | &bportscan | |
| postex kit | beacon_execute_postex_job() | |
| printscreen | &bprintscreen | |
| psinject | &bpsinject | |
| pth | &bpassthehash | |
| screenshot | &bscreenshot | [Process Browser] -> Screenshot (Yes) |
| screenwatch | &bscreenwatch | [Process Browser] -> Screenshot (No) |
| shinject | &bshinject | |
| ssh | &bssh | |
| ssh-key | &bssh_key | |
The PROCESS_INJECT_EXPLICIT_USER hook provides users with a way to register their user-defined injection BOFs that follow the argument packing conventions for the Process Inject Kit.
To register custom explicit injections, a user can set the PROCESS_INJECT_EXPLICIT_USER hook and return a map that contains the name of the injection technique and the path to the BOF as the key-value pair.
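The hook shapes described in the Process Injection Spawn and Process Injection Explicit sections, and the PROCESS_INJECT_SPAWN_USER / PROCESS_INJECT_EXPLICIT_USER registration maps, as one added Aggressor Script example. This is not code from the Cobalt Strike documentation, the Community Kit or the Process Inject Kit. It shows a PROCESS_INJECT_SPAWN and a PROCESS_INJECT_EXPLICIT implementation that load a BOF for the Beacon's architecture, pack arguments for it, run it with beacon_inline_execute, and hand unsupported cases back to the built-in technique. The hook argument positions, the convention that returning $null selects the built-in technique while returning 1 means the hook handled the request, the BOF file names and their bof_pack layouts, and the form of the map values returned by the _USER hooks are assumptions to verify against the Community Kit examples and the Process Inject Kit README; none of them come from this page.

```aggressor
# Added example: user-defined injection hooks with a fallback to the built-in technique.
# Not part of the Cobalt Strike documentation, the Community Kit or the Process Inject Kit.
#
# Assumptions (check against the Community Kit hook examples):
#   PROCESS_INJECT_SPAWN    : $1 beacon id, $2 payload (memory-injectable DLL),
#                             $3 ignore-token flag, $4 payload architecture (x86/x64)
#   PROCESS_INJECT_EXPLICIT : $1 beacon id, $2 payload, $3 target pid,
#                             $4 entry offset into the payload, $5 target architecture
#   Return $null to let Cobalt Strike use its built-in technique; return 1 when handled.
#   inject_spawn.<arch>.o and inject_explicit.<arch>.o are hypothetical BOFs whose
#   argument layout matches the bof_pack format strings used below.

sub read_bof {
   # Load a BOF that sits next to this script. $1 is the file name.
   local('$handle $data');
   $handle = openf(script_resource($1));
   $data   = readb($handle, -1);
   closef($handle);
   return $data;
}

set PROCESS_INJECT_SPAWN {
   local('$barch $data $args');
   $barch = barch($1);

   # This example technique only exists for x64 Beacons. Anything else is handed back
   # to Cobalt Strike, so the built-in fork&run path (and with it the Malleable C2
   # process-inject settings) is used instead.
   if ($barch ne "x64") {
      blog($1, "custom spawn injection supports x64 Beacons only, using built-in technique");
      return $null;
   }

   $data = read_bof("inject_spawn. $+ $barch $+ .o");

   # Packing for the hypothetical BOF: short ignore-token flag, payload arch string, payload bytes.
   $args = bof_pack($1, "szb", iif($3, 1, 0), $4, $2);
   btask($1, "Process Inject (custom fork&run, $4 payload)");
   beacon_inline_execute($1, $data, "go", $args);
   return 1;
}

set PROCESS_INJECT_EXPLICIT {
   local('$barch $data $args');
   $barch = barch($1);

   # Cross-architecture injection (for example an x64 Beacon into a WOW64 process) is
   # out of scope for this example BOF, so the built-in technique handles it.
   if ($5 ne $barch) {
      blog($1, "custom explicit injection does not handle $barch -> $5 $+ , using built-in technique");
      return $null;
   }

   $data = read_bof("inject_explicit. $+ $barch $+ .o");

   # Packing for the hypothetical BOF: target pid, entry offset, payload bytes.
   $args = bof_pack($1, "iib", $3, $4, $2);
   btask($1, "Process Inject (custom explicit) into pid $3");
   beacon_inline_execute($1, $data, "go", $args);
   return 1;
}

# Registering extra techniques for the Process Injection dialog instead of replacing the
# hooks outright. Key: technique name shown to the operator. Value: path to a BOF built with
# the Process Inject Kit's argument packing. Whether the value carries the .x86.o/.x64.o
# suffix or Cobalt Strike appends it is an assumption; check the kit's README.
set PROCESS_INJECT_SPAWN_USER {
   return %("TeamSpawnInject" => script_resource("team_spawn_inject"));
}

set PROCESS_INJECT_EXPLICIT_USER {
   return %("TeamExplicitInject" => script_resource("team_explicit_inject"));
}
```

Load the script with the two hypothetical BOFs beside it; the architecture checks are the points where a real implementation decides between its own technique and the fallback, and the blog calls make that decision visible to the operator in the Beacon console.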