System Calls

The Beacon payload has implemented the ability to use system calls instead of the standard Windows API functions. Currently Beacon supports a limited set of functions for this capability.

The following functions support the use of system calls:

CloseHandle
CreateFileMapping
CreateRemoteThread
CreateThread
DuplicateHandle
GetThreadContext
MapViewOfFile
OpenProcess
OpenThread
ReadProcessMemory
ResumeThread
SetThreadContext
UnmapViewOfFile
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
VirtualProtectEx
VirtualQuery
WriteProcessMemory

When you generate a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function, you can choose which system call method will be used at execution time.

System Call Method	Description
None	Use the standard Windows API function
Direct	Use the Nt* version of the function
Indirect	Jump to the appropriate instruction within the Nt* version of the function

There are some commands and workflows that inject or spawn a new beacon that do not allow you to set the initial system call method. In these cases, setting the ‘stage.syscall_method’ setting in the profile will allow you to control the initial method used at execution time.

The following commands and workflows use the stage.syscall_method setting:

elevate
inject
jump
spawn
spawnas
spawnu
team server responding to a stageless payload request
team server responding to an external c2 payload request

Use the syscall-method [method] command to modify which method will be used for subsequent commands. In addition, syscall-method without any arguments will query the current method.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
4.9 | 202312200338 | December 2023