inject-assembly is an alternative to Cobalt Strike's traditional fork-and-run execution of .NET assemblies. Instead of spawning a sacrificial process, the loader can be injected into any process, including the current Beacon process. Long-running assemblies keep running and continue sending their output back to the Beacon, as with execute-assembly.
inject-assembly has two components:
- BOF initializer: a small program that injects the assembly loader, together with any arguments passed, into the target process. The injection is done through BeaconInjectProcess, so the injection technique follows the process-inject settings of the Malleable C2 profile or a process injection BOF (Cobalt Strike 4.5 and later).
- PIC (position-independent code) assembly loader: the bulk of the project. The loader initialises the .NET runtime in the target process, loads the supplied assembly and executes it. The assembly is loaded into a new AppDomain rather than the default one so that it can be fully unloaded once execution completes; the .NET Framework cannot unload a single assembly, only a whole AppDomain.
Output travels from the target process back to Beacon over a named pipe. The Aggressor script generates the pipe name and passes it to the BOF initializer.
Notable Features
- Patches Environment.Exit() so that an assembly which calls it does not terminate the host process.
- .NET assembly header stomping (MZ bytes, e_lfanew, DOS header, Rich header, PE header).
- Random pipe name generation using SourcePoint.
- Does not block Beacon, even when the assembly is loaded into the current Beacon process.
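The header stomping feature is easiest to understand on bytes. The following is an added example, not code from inject-assembly: it builds a constructed, minimal PE-shaped buffer (the offsets follow the PE/COFF layout; the Rich header key and its single @comp.id entry are made up), zeroes the same fields the feature list names, and runs the kind of signature checks a naive memory scanner applies to an executable region before and after. The CLR metadata root signature "BSJB" is placed in the body of the sample to show what header stomping leaves behind.

```python
import struct

DOS_HEADER_SIZE = 0x40
RICH_KEY = b"\x11\x22\x33\x44"   # made-up XOR key for the constructed sample


def _xor(block: bytes, key: bytes) -> bytes:
    """XOR block with key, repeating the key (the Rich header uses a 4-byte key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(block))


def build_sample_image() -> bytearray:
    """Constructed sample, not a real assembly: DOS header, DOS stub, Rich header,
    PE signature + COFF header + PE32+ optional header, and a CLR metadata root
    marker further into the image. Offsets follow the PE/COFF layout."""
    e_lfanew = 0x100
    img = bytearray(0x400)
    img[0:2] = b"MZ"                                   # e_magic
    struct.pack_into("<I", img, 0x3C, e_lfanew)        # e_lfanew
    stub = b"This program cannot be run in DOS mode.\r\n$"
    img[DOS_HEADER_SIZE:DOS_HEADER_SIZE + len(stub)] = stub
    # Rich header: 'DanS' + 3 padding dwords + one @comp.id entry, all XORed
    # with the key, then the clear-text 'Rich' marker followed by the key.
    rich = _xor(b"DanS" + bytes(12) + struct.pack("<HHI", 0x0001, 0x0000, 1), RICH_KEY)
    rich += b"Rich" + RICH_KEY
    img[0x80:0x80 + len(rich)] = rich
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"             # NT signature
    # COFF header: Machine=AMD64, 3 sections, stamp, symtab, nsyms,
    # SizeOfOptionalHeader=0xF0 (PE32+), Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 3, 0, 0, 0, 0xF0, 0x2022)
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)  # PE32+ magic, first optional header field
    img[0x300:0x304] = b"BSJB"                         # CLR metadata root signature (in .text)
    return img


def locate_rich_header(img: bytearray, e_lfanew: int):
    """Return (start, end) of the Rich header or None. 'Rich' marks the end and is
    followed by the XOR key; walking back one dword at a time and decoding with
    that key, the header starts at the dword that decodes to 'DanS'."""
    idx = img.find(b"Rich", DOS_HEADER_SIZE, e_lfanew)
    if idx < 0:
        return None
    key = bytes(img[idx + 4:idx + 8])
    pos = idx - 4
    while pos >= DOS_HEADER_SIZE:
        if _xor(bytes(img[pos:pos + 4]), key) == b"DanS":
            return pos, idx + 8
        pos -= 4
    return None


def stomp_headers(img: bytearray) -> bytearray:
    """Zero the fields named in the feature list: MZ bytes and e_lfanew (with the
    rest of the DOS header), the Rich header, and the PE header (signature +
    COFF header + optional header). Returns a stomped copy; the DOS stub is kept."""
    out = bytearray(img)
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]           # read before zeroing
    size_opt = struct.unpack_from("<H", out, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    pe_header_len = 4 + 20 + size_opt
    rich = locate_rich_header(out, e_lfanew)
    out[0:DOS_HEADER_SIZE] = bytes(DOS_HEADER_SIZE)
    if rich:
        start, end = rich
        out[start:end] = bytes(end - start)
    out[e_lfanew:e_lfanew + pe_header_len] = bytes(pe_header_len)
    return out


def scan_region(region) -> dict:
    """Checks a naive memory scanner might run over an executable region. The
    first three key on PE headers; the last keys on CLR metadata instead."""
    findings = {
        "mz_at_start": bytes(region[:2]) == b"MZ",
        "rich_marker": region.find(b"Rich") >= 0,
        "clr_metadata_root": region.find(b"BSJB") >= 0,
    }
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    findings["pe_sig_at_e_lfanew"] = (
        DOS_HEADER_SIZE <= e_lfanew <= len(region) - 4
        and bytes(region[e_lfanew:e_lfanew + 4]) == b"PE\0\0"
    )
    return findings


if __name__ == "__main__":
    image = build_sample_image()
    print("before:", scan_region(image))
    print("after: ", scan_region(stomp_headers(image)))
```

Running it shows the MZ, e_lfanew/PE and Rich checks flipping to False while the "BSJB" check stays True: header stomping defeats sweeps that key on PE headers at the start of an executable region, but not checks for CLR metadata or for the presence of the runtime itself in a process that should not host it. The example shows only the effect on the bytes; the point in the load sequence at which inject-assembly applies the stomp is not described on this page.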
Disclaimer: This tool is intended strictly for educational use and should not be used for any other purpose.
Download Link: https://github.com/kyleavery/inject-assembly