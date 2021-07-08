Cobalt Strike, a popular adversary simulation software, recognized the trend of red teams moving away from PowerShell tooling in favor of C# due to the increase in detection capability for PowerShell, and in 2018 with Cobalt Strike version 3.11 introduced the execute-assembly module. This allowed operators to take advantage of the power of post-exploitation .NET assemblies by executing them in memory without having the added risk of dropping those tools to disk. While the capability of loading .NET assemblies in memory via unmanaged code wasn’t new or unknown at the time of release, I would say Cobalt Strike brought the capability to the mainstream and helped continue to fuel the popularity of .NET for post-exploitation tradecraft.

Cobalt Strike’s execute-assembly module uses the fork and run technique, which is to spawn a new sacrificial process, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs outside our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a much greater chance of our implant surviving. To simplify, it really helps with overall implant stability. However, due to security vendors catching on to this fork and run behavior it has now added what Cobalt Strike admits, an OPSEC expensive pattern.

As of version 4.1 released in June of 2020, Cobalt Strike introduced a new feature to try and help address this issue with the introduction of Beacon Object Files (BOFs). BOFs allow operators to avoid the well-known execution patterns as described above or other OPSEC failures such as using cmd.exe/powershell.exe by executing object files in memory within the same process as our beacon implant. While I won’t be going into the inner workings of BOFs, here are a few blog posts I found insightful:

If you read the above blogs, we should now see that BOFs weren’t exactly the saving grace we hoped for and if you were dreaming of re-writing all those awesome .NET tools and turning them into BOFs, those dreams have now been crushed. Sorry. Hope however is not lost as there are, in my opinion, some great things BOFs can offer, and I have recently had a lot of fun (and some frustration too) pushing the limits of what can be done with them. First, was by creating CredBandit which performs a complete in memory dump of a process such as LSASS and sends it back through your existing Beacon communication channel. Today I am releasing InlineExecute-Assembly, which can be used to execute .NET assemblies inside your beacon process with no modification to your favorite .NET tooling. Let’s dive into why I wrote the BOF, some of its key features, caveats, and how it could be useful when conducting adversary simulations/red teams.