Skip to content

CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

License

Notifications You must be signed in to change notification settings

boku7/injectEtwBypass

Repository files navigation

Cobalt Strike BOF - Inject ETW Bypass

Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Running InjectEtwBypass BOF from CobaltStrike to Bypass ETW in Notepad.exe

Compile with x64 MinGW:

cat compile.sh
x86_64-w64-mingw32-gcc -m64 -mwindows -c injectEtwBypass.c -o injectEtwBypass.o \
-masm=intel -Wall -fno-asynchronous-unwind-tables -nostdlib -fno-ident -Wl,-Tlinker.ld,--no-seh
bash compile.sh

Run from Cobalt Strike Beacon Console

  • After compiling injectEtwBypass.o, load the injectEtwBypass.cna script into Cobalt Strikes via the Script Manager
  • Once loaded into Cobalt Strike, you can use the command from the interactive beacon console:
beacon> help
injectEtwBypass - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
beacon> help injectEtwBypass
Synopsis: injectEtwBypass PID
beacon> injectEtwBypass 8968
[*] Inject ETW Bypass (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)
[+] host called home, sent: 2336 bytes
[+] received output:
Injecting NTDLL.EtwEventWrite bypass in remote process: 8968 (PID)

Credits / References

ETW Bypass Massive Credits to Adam Chester (@_xpn_) of TrustedSec

Creating Shellcode BOFs with C Chetan Nayak (@NinjaParanoid)

HalosGate SysCaller

HellsGate Syscaller

Process Injection - Pavel Yosifovich (@zodiacon)

BOF Helpers

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
ajpc500/BOFs
trustedsec/CS-Situational-Awareness-BOF

Great Resource for learning Intel ASM - Vivek Ramachandran (@vivekramac)

Implementing ASM in C Code with GCC

About

CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published