Austin Lai | November 10th, 2022
This or previous tool is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that me (Austin) is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not Austin responsibility.
InlineExecute-Assembly created by anthemtotheego is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module.
In this write up; we going to test and understand how it can be used with cobaltstrike along with Seatbelt
.
First of all, we can clone the repo down.
git clone https://github.com/anthemtotheego/InlineExecute-Assembly.git
There is ready to use Beacon Object File located at inlineExecuteAssembly
directory.
Of course in certain case, you can also manually compile and create your own version.
Now, let's load the cna
(that is located at inlineExecuteAssembly
directory) into cobaltstrike.
Once beacon up, we can use beacon command below to execute Seatbelt
:
inlineExecute-Assembly --dotnetassembly C:\Users\user\Desktop\inlineExecuteAssembly\Seatbelt.exe --assemblyargs AntiVirus
If you encountered error below:
Process refusing to load v2.0.50727 CLR version. Try running an assembly that requires a differnt CLR version.
It's mean the victim's Windows unable to load DotNet version lower than 4.0
This is because most updated Windows prohibited DotNet version 2.0 or 3.5
Ensure you have the Seatbelt
executable compiled with DotNet version 4.0 or 4.5.