MemFiles: Bypassing Disk-Based Detection with CobaltStrike

MemFiles

MemFiles is a toolkit for CobaltStrike that enables Operators to write files produced by the Beacon process into memory, rather than writing them to disk on the target system. It has been successfully tested on Windows 7, 10, and 11; corresponding server versions should work without issue. MemFiles is restricted to x64 Beacons.

It accomplishes this by hooking several NtAPIs within NTDLL.dll and redirecting calls to those APIs to functions that have been injected into the Beacon process memory space.

MemFiles assumes a clean/unhooked copy of NTDLL in the Beacon process. No guarantees are made about the viability of MemFiles in a Beacon process where EDR hooks are still in place. Repair/refresh NTDLL before using MemFiles!

A “special”, non-existent directory is defined within the MemFiles toolkit; any files that are written to this special directory will be captured by MemFiles and written into memory where they can then be downloaded to the Teamserver.

MemFiles is compatible with most (not all) tools that run within the Beacon process and that can be instructed to write their output to a specific directory. It does NOT require elevated privileges to work.

This includes:
- BOFs
- .NET assemblies run inline using something like inline-executeAssembly
- PEs run inline using something like Inline-Execute-PE

All of these are compatible because they run inside the Beacon process, where the relevant NtAPIs have been hooked.

MemFiles does NOT work with things like:
- execute-assembly
- shell
- run

None of these are compatible because they all spawn other processes whose NtAPIs have NOT been hooked.

MemFiles has been tested successfully with tools like Rubeus, SharpHound, Procdump, and PowerShell when they are run within the Beacon process.

Usage


Initialize MemFiles in a Beacon by using the meminit command. This can be configured to happen automatically by toggling the option in the MemFiles->Config menu.

With MemFiles initialized, you can now use your favorite tools to write files into memory! How you do so will depend on the specific tool; some allow you to specify a directory to output multiple files into, while others allow an absolute path to be specified for a singular file that is created by the tool. A few examples can be seen below:

SharpHound:


Here we specify that SharpHound should output all produced files to the c:\redteam\ directory (our special MemFiles directory) and that it should not zip the files. MemFiles only captures writes; it does not support programs reading files back from memory, so SharpHound's zip step, which has to read the files it just produced, does not work.

Rubeus:


The “dump” command is used with Rubeus, and we instruct it to send all console output to a file located in our special directory.

Powershell:


In this example, Inline-Execute-PE is used to load powershell.exe into the Beacon process and run ‘Get-ADUser’ to retrieve a list of domain users. Piping the output to ‘Out-File’ with a path in the special directory writes the data into memory, from where it can then be retrieved.

When you want to retrieve your files, run memfetch:

When you are done with MemFiles and/or don’t want to leave it installed in a Beacon process, run memclean:

Note that in the above example, there was a file that had not been downloaded yet; memclean downloads this file and wipes it from memory before uninstalling MemFiles.

Query the status and configuration of MemFiles using memtable. During long operations, clear the memtable entries belonging to dead or stale Beacons to avoid clutter.

Install & Use