Beacon Object File allowing creation of Beacons in different sessions.

JumpSession_BOF

This is a Beacon Object File allowing creation of Beacons in different sessions. Must be Elevated.

image

This BOF was created on the heels of research I did on Session 1 -> Session 0 Migration. To understand what is happening under the hood I suggest you read the full writeup there.

With an Elevated Beacon an operator may spawn a beacon in a different session; This may be session 0, so as to prevent losing your beacon should the victim log off, or even another user's session.

A couple things to keep in mind:

  1. The "sessionpid" you select must be a process which has the SE_ASSIGNPRIMARYTOKEN_PRIVILEGE and SE_TCB_PRIVILEGE privileges. This means you are going to be looking at system integrity processes, not high integrity ones ran by a user. Note that PPL protected processes like smss.exe MAY be used here (and are in fact a desired target when jumping to session 0). Smss.exe is a good target for session 0, while winlogon is a good target for user sessions.

  2. The "parentpid" you select CAN NOT be PPL protected. Ideally you will select a parentpid in the same session that you want to jump to; spoolsv is a good target for session 0, while winlogon is a good target for user sessions.

  3. The Beacon in the new session will spawn as the same architecture as the Beacon that JumpSession was ran from; architecture migration is not supported.

To Compile:

x64

x86_64-w64-mingw32-gcc -o JumpSession.x64.o -Os -c main.c -DBOF

x86

i686-w64-mingw32-gcc -o JumpSession.x86.o -Os -c main.c -DBOF

Credit

Thanks to TrustedSec for their CS-Remote-OPs-Bof repo, from which I stole the .cna script as a template for this one along with some assorted WINAPI prototypes for bofdefs.h.

Similar Resources

Blazingly fast multi-object tracker. Works on 1 (x, y) point per object.

Blazingly fast multi-object tracker. Works on 1 (x, y) point per object.

Norfair++ This is a C++ implementation of Techainer's Norfair, which originates from Norfair, a library for real-time 2D object tracking. Its function

Jan 26, 2022

Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

HiveNightmare aka SeriousSam, or now CVE-2021–36934. Exploit allowing you to read any registry hives as non-admin. What is this? An zero day exploit f

Sep 30, 2022

Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.

Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.

Thread Stack Spoofing PoC A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to byp

Sep 23, 2022

ESP32 + GitHub Actions + Husarnet. A boilerplate project for ESP32 allowing in-field firmware update using GitHub Actions workflow.

esp32-internet-ota ESP32 + GitHub Actions + Husarnet. A boilerplate project for ESP32 allowing in-field firmware update using GitHub Actions workflow.

Sep 17, 2022

A set of tools allowing JUCE 6.1 + Cmake to build a CLAP

JUCE6/CMake Clap Support This is a set of code which, combined with a JUCE6/CMake project, allows you to build a (buggy, feature incomplete, work in p

Feb 15, 2022

Turn your ESP32 into a easy to use micro web-server allowing to interact with any GPIO by simple http(s) calls.

WebhooksTriggeredESP32WiFi Turn your ESP32 into an easy to use and manage wireless micro web-server allowing it to process reliably and asynchronouly

Jun 1, 2022

AWS Ambit Scenario Designer for Unreal Engine 4 (Ambit) is a suite of tools to streamline content creation at scale for autonomous vehicle and robotics simulation applications.

AWS Ambit Scenario Designer for Unreal Engine 4 (Ambit) is a suite of tools to streamline content creation at scale for autonomous vehicle and robotics simulation applications.

AWS Ambit Scenario Designer for Unreal Engine 4 Welcome to AWS Ambit Scenario Designer for Unreal Engine 4 (Ambit), a suite of tools to streamline 3D

Sep 25, 2022

Blender is the free and open source 3D creation suite

Blender is the free and open source 3D creation suite

Blender is the free and open source 3D creation suite. It supports the entirety of the 3D pipeline-modeling, rigging, animation, simulation, rendering, compositing, motion tracking and video editing.

Sep 26, 2022

OpenToonz - An open-source full-featured 2D animation creation software

OpenToonz 日本語 What is OpenToonz? OpenToonz is a 2D animation software published by DWANGO. It is based on Toonz Studio Ghibli Version, originally deve

Sep 26, 2022
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).

Sep 22, 2022
Sep 29, 2022
Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

Aug 27, 2022
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Sep 23, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Sep 7, 2022
A Beacon Object File that creates a minidump of the LSASS process.
A Beacon Object File that creates a minidump of the LSASS process.

NanoDump A Beacon Object File that creates a minidump of the LSASS process. Features It uses syscalls (with SysWhispers2) for most operations You can

Oct 2, 2022
This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike

BOF Template This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike. A Beacon Object File (B

Sep 29, 2022
Collection of Beacon Object Files

Beacon Object Files Name Syntax ETW Patching etw stop / etw start API Function Utility read_function / check_function / patch_function <dll_path> <fun

Sep 8, 2022
A program and toolset to analyze iDevice USB sessions

A program and toolset to analyze iDevice USB sessions

Jul 26, 2022
Tsdf-plusplus - TSDF++: A Multi-Object Formulation for Dynamic Object Tracking and Reconstruction

TSDF++: A Multi-Object Formulation for Dynamic Object Tracking and Reconstruction TSDF++ is a novel multi-object TSDF formulation that can encode mult

Sep 18, 2022