🛠️Stealth with C2

What is a Command & Control (C2) Reminder

Cobalt / Havoc

once you have a shell on the victim, one of the most discreet ways to execute code is through object file because the idea is to avoid creating a sub-process but rather to allocate memory to run code and then resume its initial size.

Object file

Here is an example of how to launch the BoF (Beacon Object File) once compiled. The source code is available here and the goal is to verify if we are dealing with a virtual machine or not.

How to write BoF (Beacon Object File)

For example, if you need the RegCloseKey function.

Look at the Windows documentation (in our example https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regclosekey) to get the list of the arguments.

In our case :

Then, get the name of the library used (at the bottom of the page) in our case it is : Advapi32.lib

We have to structure it like this : DECLSPEC_IMPORT LSTATUS WINAPI <lib>$<Function>(<Args List>);

Still in our case, we will get this: DECLSPEC_IMPORT LSTATUS WINAPI ADVAPI32$RegCloseKey(HKEY);

Simply use the function like this in our code: ADVAPI32$RegCloseKeyA(hKey);

It is also possible to load a library and then call the method using methods like GetProcAddress or LoadLibraryA.

Below is an example of how to use this approach:

bof-collection/src/getAV/getAV-ll.c at main · matro7sh/bof-collectionGitHub

More information at this URL: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm.