System Calls
Beacon can invoke a set of Windows APIs through system calls instead of the standard (exported, user-mode) API functions. Currently only a limited set of functions supports this capability.
The following functions support the use of system calls:
- CloseHandle
- CreateFile
- CreateFileMapping
- CreateRemoteThread
- CreateThread
- DuplicateHandle
- GetThreadContext
- MapViewOfFile
- OpenProcess
- OpenThread
- ReadFile
- ReadProcessMemory
- ResumeThread
- SetThreadContext
- UnmapViewOfFile
- VirtualAlloc
- VirtualAllocEx
- VirtualFree
- VirtualProtect
- VirtualProtectEx
- VirtualQuery
- WriteFile
- WriteProcessMemory
When you generate a stageless Beacon payload from the Cobalt Strike UI or a supported Aggressor Script function, you choose which system call method the payload will use at execution time.

| System Call Method | Description |
|---|---|
| None | Use the standard Windows API function |
| Direct | Use the Nt* version of the function; Beacon executes the syscall instruction from its own stub |
| Indirect | Jump to the appropriate instruction within the Nt* version of the function, so the syscall instruction executed is the one inside ntdll |
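The difference between the Direct and Indirect rows is easiest to see in bytes. The following C program is an added example, not Beacon's code and not part of the original page. It parses the x64 Nt* stub layout that ntdll uses on Windows 10 and later (an assumption about the target build; older versions lay the stub out differently), extracts the system service number (SSN) and the offset of the syscall instruction, and emits a Direct stub (the syscall instruction lives in the caller's own code) and an Indirect stub (load the registers, then jump to the syscall instruction inside ntdll). It also refuses a stub whose prologue has been replaced by an inline hook, the failure mode a practitioner should expect on a monitored host. The stub bytes, the SSN 0x18 and the ntdll address are constructed sample input; the program only manipulates bytes, so it builds and runs on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: x64 Nt* stub parsing plus Direct/Indirect stub generation.
 * Illustrative code, not Beacon's implementation. */

struct nt_stub_info {
    uint32_t ssn;            /* system service number moved into eax */
    size_t   syscall_offset; /* offset of the 0F 05 (syscall) instruction */
};

/* Unhooked x64 Nt* stubs begin: mov r10, rcx ; mov eax, imm32 */
static const uint8_t NT_PROLOGUE[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };

static void put_le(uint8_t *p, uint64_t v, int n)   /* little-endian store */
{
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns 0 and fills *out on success; -1 if the buffer is too short or the
 * prologue is not the expected one (typically an inline hook, E9 <rel32>,
 * installed by a security product, so neither the SSN nor a jump target can
 * be trusted); -2 if no syscall instruction follows the prologue. */
int parse_nt_stub(const uint8_t *stub, size_t len, struct nt_stub_info *out)
{
    if (len < 8 || memcmp(stub, NT_PROLOGUE, 4) != 0)
        return -1;
    for (size_t i = 8; i + 1 < len; i++) {
        if (stub[i] == 0x0F && stub[i + 1] == 0x05) {
            out->ssn = (uint32_t)stub[4] | (uint32_t)stub[5] << 8 |
                       (uint32_t)stub[6] << 16 | (uint32_t)stub[7] << 24;
            out->syscall_offset = i;
            return 0;
        }
    }
    return -2;
}

/* "Direct": the caller's own stub contains the syscall instruction.
 *   mov r10, rcx ; mov eax, ssn ; syscall ; ret              (11 bytes) */
size_t build_direct_stub(uint32_t ssn, uint8_t out[11])
{
    memcpy(out, NT_PROLOGUE, 4);
    put_le(out + 4, ssn, 4);
    out[8] = 0x0F; out[9] = 0x05;   /* syscall */
    out[10] = 0xC3;                 /* ret */
    return 11;
}

/* "Indirect": the stub only loads the registers and then jumps to the syscall
 * instruction inside ntdll, so the syscall (and the ret after it) execute from
 * ntdll's own code.  r11 is safe to clobber; syscall overwrites it anyway.
 *   mov r10, rcx ; mov eax, ssn ; mov r11, target ; jmp r11  (21 bytes) */
size_t build_indirect_stub(uint32_t ssn, uint64_t syscall_addr, uint8_t out[21])
{
    memcpy(out, NT_PROLOGUE, 4);
    put_le(out + 4, ssn, 4);
    out[8] = 0x49; out[9] = 0xBB;   /* mov r11, imm64 */
    put_le(out + 10, syscall_addr, 8);
    out[18] = 0x41; out[19] = 0xFF; out[20] = 0xE3;   /* jmp r11 */
    return 21;
}

/* Constructed sample input: a clean stub with SSN 0x18 laid out like ntdll's
 * x64 Nt* exports, the same stub after a 5-byte inline hook, and a made-up
 * (hypothetical) load address for the ntdll stub. */
static const uint8_t CLEAN_STUB[] = {
    0x4C, 0x8B, 0xD1,                                /* mov r10, rcx              */
    0xB8, 0x18, 0x00, 0x00, 0x00,                    /* mov eax, 18h              */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,  /* test byte [7FFE0308h], 1  */
    0x75, 0x03,                                      /* jne +3                    */
    0x0F, 0x05,                                      /* syscall                   */
    0xC3,                                            /* ret                       */
    0xCD, 0x2E,                                      /* int 2Eh                   */
    0xC3                                             /* ret                       */
};
static const uint8_t HOOKED_STUB[] = {
    0xE9, 0x10, 0x20, 0x30, 0x00, 0x00, 0x00, 0x00,  /* jmp rel32 overwrote the prologue */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3
};
static const uint64_t FAKE_NTDLL_STUB_ADDR = 0x00007FFA12345678ULL;

int main(void)
{
    struct nt_stub_info info;
    uint8_t direct[11], indirect[21];

    if (parse_nt_stub(CLEAN_STUB, sizeof CLEAN_STUB, &info) != 0) return 1;
    printf("ssn=0x%x, syscall at +%zu\n", info.ssn, info.syscall_offset);

    size_t n = build_direct_stub(info.ssn, direct);
    printf("direct  :"); for (size_t i = 0; i < n; i++) printf(" %02X", direct[i]); printf("\n");

    n = build_indirect_stub(info.ssn, FAKE_NTDLL_STUB_ADDR + info.syscall_offset, indirect);
    printf("indirect:"); for (size_t i = 0; i < n; i++) printf(" %02X", indirect[i]); printf("\n");

    /* A hooked stub is rejected rather than silently used. */
    printf("hooked stub -> %d\n", parse_nt_stub(HOOKED_STUB, sizeof HOOKED_STUB, &info));
    return 0;
}
```

Two caveats for anyone adapting this: the SSN is build-specific, so a resolver must read it from the running system rather than hard-code it, and a hooked export gives this parser nothing to work with, so a real implementation needs another source of the SSN (and, for Indirect, of a clean syscall address) when the prologue has been overwritten.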
Some commands and workflows that inject or spawn a new Beacon do not let you choose the initial system call method. In those cases, the stage.syscall_method setting in the Malleable C2 profile controls the initial method used at execution time.
The following commands and workflows use the stage.syscall_method setting:
- elevate
- inject
- jump
- spawn
- spawnas
- spawnu
- team server responding to a stageless payload request
- team server responding to an external c2 payload request
Use the syscall-method [method] command in a Beacon session to change the method used by subsequent commands; syscall-method with no arguments reports the method currently in use.