Behavioural Detections
When dealing with behavioural detections, the Defender alerts look something like this:
The Beacon running on the file server is living inside the rundll32 process (PID 4404). When Cobalt Strike runs a post-ex command that uses the "" pattern, it will spawn a sacrificial process, inject the post-ex capability into it, retrieve the output over a named pipe, and then kill the process. The primary reason for doing this is to ensure that "unstable" post-ex tools don't crash the Beacon.
The process used for post-ex commands and psexec can be changed on the fly in the CS GUI. To change the post-ex process, use the spawnto command. x86 and x64 must be specified individually, and environment variables can also be used. The sysnative and syswow64 paths should be used rather than system32.
If we then use powerpick to get its own process name, it will return dllhost.
powerpick + PowerView will now run on the file server without being caught by AMSI or this behavioural detection.
Use the spawnto command without any argument to reset back to default.
To change the spawnto used by psexec, use the ak-settings command. The Artifact Kit does not support the use of environment variables by default. You may also change the name of the service (rather than 7 random characters) with ak-settings service [name].
Lateral movement with psexec will then land us in dllhost.exe.
The default spawnto can be changed inside Malleable C2 by including the spawnto_x64 and spawnto_x86 directives inside the post-ex block.
rundll32 has been the default "spawnto" for Cobalt Strike for a long time and is now a common point of detection. The service binary payload used by psexec also uses it by default, which is why you see those Beacons running as rundll32.exe.
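As an added example (not from the original page or from Cobalt Strike itself), here is a small Python detector for the sacrificial-process pattern described above, run over constructed Sysmon-style process-creation records: a host binary such as rundll32.exe or dllhost.exe launched with an empty argument string, and a parent/child chain where both processes match (the Beacon host spawning its own sacrificial process). The image list, field names and sample events are assumptions chosen for the example.

```python
import ntpath

# Image names the page discusses as spawnto targets (an assumption for this
# example; extend with other host binaries seen as sacrificial processes).
SUSPECT_IMAGES = {"rundll32.exe", "dllhost.exe"}

# Constructed Sysmon Event ID 1 style records, not real telemetry.
# PID 4404 is the Beacon host from the page; 5120 is its sacrificial child.
EVENTS = [
    {"pid": 4404, "ppid": 612, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 5120, "ppid": 4404, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r'"C:\Windows\System32\dllhost.exe"'},
    {"pid": 7788, "ppid": 900, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\system32\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"pid": 8012, "ppid": 1400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def command_line_args(cmdline: str) -> str:
    """Return everything after the image token of a Windows command line.

    The first token is either a double-quoted path or a run of
    non-whitespace characters; whatever follows is the argument string.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def is_sacrificial_candidate(event: dict) -> bool:
    """A suspect host binary started with no arguments at all."""
    image = ntpath.basename(event["image"]).lower()
    return image in SUSPECT_IMAGES and command_line_args(event["cmdline"]) == ""


def find_candidates(events: list) -> list:
    """PIDs of every event matching the empty-argument host-binary pattern."""
    return [e["pid"] for e in events if is_sacrificial_candidate(e)]


def find_spawn_chains(events: list) -> list:
    """(parent_pid, child_pid) pairs where both processes match: the shape of
    a Beacon host spawning its own sacrificial post-ex process."""
    flagged = set(find_candidates(events))
    return [(e["ppid"], e["pid"]) for e in events
            if e["pid"] in flagged and e["ppid"] in flagged]
```

Legitimate launches of these binaries almost always carry a DLL or COM target on the command line, so the empty-argument case is a narrow, low-noise signal; the chain check adds confidence when the parent is itself such a process.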