Alternate Parent Processes

Use ppid [pid] to assign an alternate parent process for programs run by your Beacon session. This is a means to make your activity blend in with normal actions on the target. The current Beacon session must have rights to the alternate parent and it’s best if the alternate parent process exists in the same desktop session as your Beacon. Type ppid, with no arguments, to have Beacon launch processes with no spoofed parent.

The runu command will execute a command with another process as the parent. This command will run with the rights and desktop session of its alternate parent process. The current Beacon session must have full rights to the alternate parent. The spawnu command will spawn a temporary process, as a child of a specified process, and inject a Beacon payload stage into it.

The spawnto value controls which program is used as a temporary process.
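From the defender's side, a parent assigned with ppid, runu or spawnu is not the process that actually made the creation call, so the two can be compared. The following is an added example, not part of the Cobalt Strike documentation: it assumes process-creation telemetry that records both the creator PID and the recorded parent PID. The field names, the allowlist entry and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcCreate:
    pid: int
    image: str
    parent_pid: int   # parent recorded for the new process
    creator_pid: int  # process that actually issued the creation call
    session_id: int   # desktop session the new process runs in

# Assumption: creators that legitimately assign a different parent; tune locally.
ALLOWED_REPARENTERS = {r"c:\windows\system32\svchost.exe"}

def find_parent_mismatches(events, images_by_pid, sessions_by_pid):
    """Return (event, reasons) for events whose recorded parent is not the creator."""
    findings = []
    for ev in events:
        if ev.creator_pid == ev.parent_pid:
            continue  # ordinary creation: creator and recorded parent agree
        if images_by_pid.get(ev.creator_pid, "").lower() in ALLOWED_REPARENTERS:
            continue  # known, expected reparenting
        reasons = [f"parent {ev.parent_pid} != creator {ev.creator_pid}"]
        creator_session = sessions_by_pid.get(ev.creator_pid)
        # A child in another desktop session than its creator is a stronger signal.
        if creator_session is not None and creator_session != ev.session_id:
            reasons.append(f"session {ev.session_id} != creator session {creator_session}")
        findings.append((ev, reasons))
    return findings

# Constructed sample telemetry (PIDs, paths and sessions are made up).
IMAGES = {
    612: r"C:\Windows\System32\svchost.exe",
    700: r"C:\Windows\System32\winlogon.exe",
    4120: r"C:\Windows\explorer.exe",
    5188: r"C:\Users\sample\AppData\Local\Temp\updater.exe",
}
SESSIONS = {612: 0, 700: 2, 4120: 1, 5188: 1}
EVENTS = [
    ProcCreate(6001, r"C:\Program Files\Sample\editor.exe", 4120, 4120, 1),  # normal
    ProcCreate(6002, r"C:\Program Files\Sample\admin.exe", 4120, 612, 1),    # allowlisted
    ProcCreate(6003, r"C:\Program Files\Sample\helper.exe", 4120, 5188, 1),  # mismatch
    ProcCreate(6004, r"C:\Program Files\Sample\helper.exe", 700, 5188, 2),   # other session
]

if __name__ == "__main__":
    for ev, reasons in find_parent_mismatches(EVENTS, IMAGES, SESSIONS):
        print(ev.pid, ev.image, "; ".join(reasons))
```
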

 
