Cobalt Strike “Where Am I?” Beacon Object File
A Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process's environment strings without touching any DLLs: the environment block is read directly from the PEB (via ProcessParameters), so no Win32 or CRT API is called on the way.
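As an added illustration (this is not the project's BOF code), the C program below shows the mechanism the description relies on: on x64 Windows it follows `gs:[0x60] -> PEB`, `PEB+0x20 -> ProcessParameters`, `ProcessParameters+0x80 -> Environment` with no DLL import, then parses the UTF-16LE `NAME=value\0...\0\0` block found there. On other platforms it parses a constructed sample block laid out the same way, so the parser can be exercised anywhere. The function names (`peb_environment`, `parse_env_block`, `env_lookup`, `sample_env_block`) and the sample variables are this example's own assumptions, not anything from the project.

```c
/* Added example, not the project's BOF: read the environment block the way a
 * no-DLL BOF does (straight from the PEB on x64 Windows) and parse it.
 * Function names and the sample block are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_WIN64)
#include <intrin.h>
/* x64 PEB walk: gs:[0x60] -> PEB, PEB+0x20 -> ProcessParameters,
 * ProcessParameters+0x80 -> Environment.  These x64 offsets have been stable
 * for years; 32-bit processes use fs:[0x30], +0x10 and +0x48 instead and are
 * not handled here.  Nothing is imported, so no API hook is crossed. */
static const uint16_t *peb_environment(void) {
    const uint8_t *peb = (const uint8_t *)__readgsqword(0x60);
    const uint8_t *params = *(const uint8_t *const *)(peb + 0x20);
    return *(const uint16_t *const *)(params + 0x80);
}
#endif

/* Block layout: "NAME=value\0NAME=value\0...\0\0" in UTF-16LE. */
typedef struct { char name[64]; char value[256]; } env_entry;

/* Narrow one UTF-16 code unit; anything outside ASCII becomes '?'. */
static char narrow(uint16_t c) { return c < 0x80 ? (char)c : '?'; }

/* ASCII case-insensitive equality; Windows variable names are case-insensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : *a;
        int cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : *b;
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Split a block into name/value entries; returns how many were stored (<= max). */
size_t parse_env_block(const uint16_t *env, env_entry *out, size_t max) {
    size_t n = 0;
    while (*env != 0 && n < max) {
        env_entry *e = &out[n];
        size_t ni = 0, vi = 0;
        memset(e, 0, sizeof *e);
        /* Hidden per-drive entries such as "=C:=C:\Users\alice" start with '=';
         * that first '=' belongs to the name, so split at the next one. */
        if (*env == '=') { e->name[ni++] = '='; env++; }
        while (*env != 0 && *env != '=') {
            if (ni < sizeof e->name - 1) e->name[ni++] = narrow(*env);
            env++;
        }
        if (*env == '=') env++;
        while (*env != 0) {
            if (vi < sizeof e->value - 1) e->value[vi++] = narrow(*env);
            env++;
        }
        env++;   /* step over this entry's NUL; a second NUL ends the block */
        n++;
    }
    return n;
}

/* Look a variable up by name; NULL if absent. */
const char *env_lookup(const env_entry *entries, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (ieq(entries[i].name, name)) return entries[i].value;
    return NULL;
}

/* Build a UTF-16LE block from ASCII entries in the layout the PEB points at.
 * Returns the number of uint16_t units written, 0 if the buffer is too small. */
static size_t build_env_block(const char *const *vars, size_t count,
                              uint16_t *buf, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        for (const char *p = vars[i]; *p; p++) {
            if (pos + 3 > cap) return 0;     /* room for char, its NUL, final NUL */
            buf[pos++] = (uint8_t)*p;
        }
        buf[pos++] = 0;
    }
    buf[pos++] = 0;                          /* second NUL terminates the block */
    return pos;
}

/* Constructed sample block (not captured from any host). */
size_t sample_env_block(uint16_t *buf, size_t cap) {
    static const char *const vars[] = {
        "=C:=C:\\Users\\alice",              /* hidden per-drive cwd entry */
        "COMPUTERNAME=WS01",
        "Path=C:\\Windows\\system32;C:\\Windows",
        "USERNAME=alice",
    };
    return build_env_block(vars, sizeof vars / sizeof vars[0], buf, cap);
}

int main(void) {
    env_entry entries[64];
    uint16_t buf[512];
#if defined(_WIN64)
    size_t n = parse_env_block(peb_environment(), entries, 64);  /* live, no DLL */
#else
    size_t n = sample_env_block(buf, 512) ? parse_env_block(buf, entries, 64) : 0;
#endif
    for (size_t i = 0; i < n; i++)
        printf("%s=%s\n", entries[i].name, entries[i].value);
    return 0;
}
```

On a real x64 target the parse runs over the live block the PEB points at; the only addresses touched are inside the process's own memory, which is what makes the approach invisible to API-hooking detections (behavioural heuristics, the subject of the talk cited below, are a separate matter).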
This idea was inspired by Matt Eidelberg’s DEF CON 29 talk “Operation Bypass: Catch My Payload If You Can”.
In this talk, Matt shows how EDR heuristics can detect Cobalt Strike beacons based on their behavior.
Matt uses an example where after the beacon compromises the endpoint, the first thing it does is run …