Having a good technical understanding of the systems we land on during an engagement is a key condition for deciding what the next step within an operation will be. Collecting and analysing information on running processes from compromised systems gives us a lot of data and helps us better understand how the IT landscape of a target organisation is set up. Furthermore, periodically polling process information allows us to react to changes within the environment or to provide triggers when an investigation is taking place.
To be able to collect detailed process information from compromised endpoints we wrote a collection of process tools which brings the power of these advanced process utilities to C2 frameworks (such as Cobalt Strike).
Trying to replicate the functionality and information provided by a tool like Process Explorer is not an easy task. First, we need to figure out how these tools work under the hood (and within user mode); next we need to figure out the best way to display this information from a console instead of a GUI.
After analysing publicly available code it became clear that many low-level system information tools are heavily based on the native NtQuerySystemInformation API. Although the API and related structures are not fully documented, this API allows you to collect a wealth of information about a Windows system. So, with NtQuerySystemInformation as a starting point to collect general information about all processes running on the system, we then use the PEB of individual processes to collect more detailed information about each process. Using the NtQueryInformationProcess API we can read the PROCESS_BASIC_INFORMATION structure from a process using its process handle and locate the PebBaseAddress. From there we can use the NtReadVirtualMemory API to read the RTL_USER_PROCESS_PARAMETERS structure, which allows us to read the ImagePathName and CommandLine parameters of a process.
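The PEB walk described above, as an added example that is not part of Ps-Tools or Outflank's code: a PowerShell script that P/Invokes ntdll, resolves a PID's PebBaseAddress through NtQueryInformationProcess (ProcessBasicInformation) and reads ImagePathName and CommandLine out of RTL_USER_PROCESS_PARAMETERS with NtReadVirtualMemory. It assumes a 64-bit PowerShell host and uses the x64 structure offsets; the NtPeb class, Get-ProcessPebParameters and the helper function names are my own.

```powershell
# Added example, not Ps-Tools code. Assumes a 64-bit host; offsets are x64 layouts.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtPeb {
    [DllImport("ntdll.dll")] public static extern int NtQueryInformationProcess(
        IntPtr hProcess, int infoClass, IntPtr info, int infoLength, out int returnLength);
    [DllImport("ntdll.dll")] public static extern int NtReadVirtualMemory(
        IntPtr hProcess, IntPtr baseAddress, IntPtr buffer, IntPtr size, out IntPtr bytesRead);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(
        uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
"@

# Copy $Size bytes from the target's address space into a managed byte array.
function Read-RemoteBytes([IntPtr]$Handle, [IntPtr]$Address, [int]$Size) {
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($Size)
    try {
        $read = [IntPtr]::Zero
        $status = [NtPeb]::NtReadVirtualMemory($Handle, $Address, $buf, [IntPtr]$Size, [ref]$read)
        if ($status -ne 0) { throw ("NtReadVirtualMemory failed: 0x{0:X8}" -f $status) }
        $bytes = New-Object byte[] $Size
        [Runtime.InteropServices.Marshal]::Copy($buf, $bytes, 0, $Size)
        return $bytes
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

# UNICODE_STRING (x64): USHORT Length @0, USHORT MaximumLength @2, PWSTR Buffer @8.
function Read-RemoteUnicodeString([IntPtr]$Handle, [IntPtr]$Address) {
    $us  = Read-RemoteBytes $Handle $Address 16
    $len = [BitConverter]::ToUInt16($us, 0)
    $ptr = [IntPtr][BitConverter]::ToInt64($us, 8)
    if ($len -eq 0 -or $ptr -eq [IntPtr]::Zero) { return "" }
    return [Text.Encoding]::Unicode.GetString((Read-RemoteBytes $Handle $ptr $len))
}

function Get-ProcessPebParameters([int]$ProcessId) {
    $PROCESS_QUERY_INFORMATION = 0x400; $PROCESS_VM_READ = 0x10
    # Protected processes and higher-integrity targets fail here; the caller sees the Win32 error.
    $h = [NtPeb]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # PROCESS_BASIC_INFORMATION (x64) is 48 bytes; PebBaseAddress sits at offset 8.
        $pbi = [Runtime.InteropServices.Marshal]::AllocHGlobal(48)
        try {
            $ret = 0
            $status = [NtPeb]::NtQueryInformationProcess($h, 0, $pbi, 48, [ref]$ret)  # 0 = ProcessBasicInformation
            if ($status -ne 0) { throw ("NtQueryInformationProcess failed: 0x{0:X8}" -f $status) }
            $peb = [Runtime.InteropServices.Marshal]::ReadIntPtr($pbi, 8)
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($pbi) }

        # PEB.ProcessParameters is the pointer at offset 0x20 on x64.
        $paramsPtr = [IntPtr][BitConverter]::ToInt64((Read-RemoteBytes $h ([IntPtr]($peb.ToInt64() + 0x20)) 8), 0)
        # RTL_USER_PROCESS_PARAMETERS (x64): ImagePathName @0x60, CommandLine @0x70.
        [PSCustomObject]@{
            ProcessId      = $ProcessId
            PebBaseAddress = ("0x{0:X}" -f $peb.ToInt64())
            ImagePathName  = Read-RemoteUnicodeString $h ([IntPtr]($paramsPtr.ToInt64() + 0x60))
            CommandLine    = Read-RemoteUnicodeString $h ([IntPtr]($paramsPtr.ToInt64() + 0x70))
        }
    } finally { [NtPeb]::CloseHandle($h) | Out-Null }
}

# Usage: inspect the current PowerShell host itself (always readable by its owner).
Get-ProcessPebParameters -ProcessId $PID | Format-List
```

The same cross-process read is what Process Explorer-style tools perform, and it is also what makes the technique observable: opening another process with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ is exactly what Sysmon Event ID 10 (ProcessAccess) records, with GrantedAccess 0x410 for this mask, so an analyst hunting for process inventory activity can baseline which SourceImage values normally open many processes in quick succession.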
These tools are all written as reflective DLLs in the C language and can be reflectively loaded within a spawned process using a C2 framework like Cobalt Strike (or any other framework which allows Reflective DLL injection). For Cobalt Strike we included an aggressor script which can be used to load the tools using the Cobalt Strike script manager.
The following functionality is included in the toolkit:
Psx: Shows a detailed list of all processes running on the system.
Psk: Shows detailed kernel information including loaded driver modules.
Psc: Shows a detailed list of all processes with established TCP connections.
Psm: Shows detailed module information from a specific process id (loaded modules, network connections, etc.).
Psh: Shows detailed handle information from a specific process id (object handles, network connections, etc.).
Psw: Shows window titles from processes with active windows.
Download the Outflank-Ps-Tools folder and load the Ps-Tools.cna script within the Cobalt Strike Script Manager. Use the Beacon help command to display syntax information.
This project is written in C/C++. You can use Visual Studio to compile the reflective DLLs from source.
Link for more details:
Author: Cornelis de Plaa (@Cneelis) / Outflank