Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks

Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will return a list of detected API hooks or let the operator know no hooks were detected. This can be useful knowledge to have before performing certain post-exploitation actions. This BOF is only a slight modificaiton of the work already done by @spotheplanet which can be found on their ired.team blog below.

Subject References

This tool wouldn't exist without being able to piggyback off some really great research, tools, and code already published by members of the security community. So thank you. Lastly, if you feel anyone has been left out below, please let me know and I will be sure to get them added.

  • Detecting Hooked Syscalls - (by @spotheplanet) - here - Detecting Hooks Logic -> The Real MVP

Getting Started

  1. Copy the Detect-Hooks folder with all of its contents to a system you plan to connect with via the Cobalt Strike GUI application.
  2. Load in the detect-hooks.cna Aggressor script
  3. Run detect-hooks

Build Your Own

Run the below command inside the src directory via x64 Native Tools Command Prompt for VS 2019

cl.exe /c detect-hooks.c /GS- /Fodetect-hooksx64.o

Use Case

Detect hooks in AV/EDR

Syntax

beacon> detect-hooks
[*] Running detect-hooks by (@anthemtotheego)
[+] host called home, sent: 1964 bytes
[+] received output:

NtCreateFile
NtCreateKey
NtCreateUserProcess
NtDeleteFile
NtDeleteKey
NtDeleteValueKey
NtMapViewOfSection
NtOpenFile
NtOpenKey
NtOpenKeyEx
NtRenameKey
NtSetInformationFile
NtSetValueKey
NtTerminateProcess
NtTerminateThread
ZwCreateFile
ZwCreateKey
ZwCreateUserProcess
ZwDeleteFile
ZwDeleteKey
ZwDeleteValueKey
ZwMapViewOfSection
ZwOpenFile
ZwOpenKey
ZwOpenKeyEx
ZwRenameKey
ZwSetInformationFile
ZwSetValueKey
ZwTerminateProcess
ZwTerminateThread

Caveats

  1. x64 only currently
Similar Resources

A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types and values using Ptrace during program execution.

print-function-args-debugger A refactored Proof-of-concept originally developed in 2017 to print all function calls with their arguments data types an

Jun 17, 2022

Proof-of-concept implementation for the paper "Osiris: Automated Discovery of Microarchitectural Side Channels" (USENIX Security'21)

Osiris This repository contains the implementation of the Osiris framework discussed in the research paper "Osiris: Automated Discovery of Microarchit

Nov 11, 2022

A small proof-of-concept for using disk devices for DMA on Windows.

A small proof-of-concept for using disk devices for DMA on Windows.

ddma A small proof-of-concept for using disk devices for DMA on Windows. Why Some native hypervisors (i.e. Hyper-V) allow the guest unvirtualized devi

Oct 27, 2022

A proof-of-concept port of uxn to the STM32duino environment

ArdUxno-demo A quick-and-dirty proof-of-concept port of Devine Lu Linvega's amazing Uxn virtual stack machine to an STM32 microcontroller. uxn.c and u

Nov 9, 2022

An implementation and proof-of-concept of Process Forking.

ForkPlayground A library to implement the Process Forking attack described in this blog post. ForkLib - C++ library that implements the Process Forkin

Nov 21, 2022

The Machinery IDL - Proof of Concept

The Machinery IDL - Proof of Concept This is a proof of concept for an Interface Description Language isomorphic with C for describing C11 ABI compati

Jul 21, 2022

CVE-2021-4034: Local Privilege Escalation in polkit's pkexec proof of concept

CVE-2021-4034: Local Privilege Escalation in polkit's pkexec proof of concept

CVE-2021-4034 Proof of Concept Qualys researches found a pretty cool local privilege escalation vulnerability in Polkit's pkexec: writeup, tweet. This

Jun 22, 2022

Proof of Concept (PoC) CVE-2021-4034

Proof of Concept (PoC) CVE-2021-4034

PwnKit-Exploit CVE-2021-4034 @c0br40x help to make this section in README!! Proof of Concept [email protected]:~/PwnKit-Exploit$ make cc -Wall exploit.

Nov 10, 2022

Proof of Concept for CVE-2021-1585: Cisco ASA Device Manager RCE

staystaystay staystaystay is a proof of concept exploit for CVE-2021-1585, a man in the middle or evil endpoint RCE issue affecting Cisco ASA Device M

Sep 28, 2022
Nov 19, 2022
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).

Nov 15, 2022
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Nov 30, 2022
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc

Introduction RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks,

Nov 27, 2022
Proof of concept userspace filesystem that executes filenames as shell commands and makes the result accessible though reading the file.

ExecFS Proof of concept userspace filesystem that executes filenames as shell commands and makes the result accessible though reading the file. $ ./ex

Sep 9, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Nov 9, 2022
A Beacon Object File that creates a minidump of the LSASS process.
A Beacon Object File that creates a minidump of the LSASS process.

NanoDump A Beacon Object File that creates a minidump of the LSASS process. Features It uses syscalls (with SysWhispers2) for most operations You can

Nov 24, 2022
This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike

BOF Template This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike. A Beacon Object File (B

Nov 9, 2022
Beacon Object File allowing creation of Beacons in different sessions.
Beacon Object File allowing creation of Beacons in different sessions.

JumpSession_BOF This is a Beacon Object File allowing creation of Beacons in different sessions. Must be Elevated. This BOF was created on the heels o

Nov 18, 2022
A BOF for enumerating version information for DLLs associated for a Beacon process.
A BOF for enumerating version information for DLLs associated for a Beacon process.

DLL Image Resource Version Enumeration BOF What is this? This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3's existing PoC , mea

Nov 5, 2022