# CobaltWhispers

Author: @Cerbersec

CobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files (BOF) for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls to bypass EDR/AV.

CobaltWhispers is powered by SysWhispers2 and InlineWhispers2.

CobaltWhispers is based on StayKit and work from Hasherezade and Forrest Orr.

CobaltWhispers was made as part of an internship at NVISO Security's Red Team. The associated blog posts can be found here (process injection) and here (kernel karnage).
## Compiling from source

CobaltWhispers requires several tools to compile:

- MingW-w64 - `apt install mingw-w64`
- Make - `apt install make`
- Python3
- SysWhispers2
- InlineWhispers2
Each project requires 3 files generated by SysWhispers2 / InlineWhispers2 to function:

- syscalls-asm.h
- syscalls.c
- syscalls.h

These files can be generated according to the InlineWhispers2 documentation; however, this is not the optimal method because a lot of unused code will be included:

```bash
git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py
```

Instead, use SysWhispers2 to generate the output files only for the necessary APIs, then manually (or via a script) supply them to InlineWhispers2, which will convert them to the proper format. See the included makefile for additional information, or use the included files at your own risk.
## Injection

### SpawnProcess

| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |
| :---: | :---: | :---: | :---: | :---: |
| - | - | 5 | No | Inherits permissions from parent process |

#### Description

Spawns a new suspended process with Code Integrity Guard (CIG) enabled to block non-Microsoft-signed binaries. Spoofs the specified parent process. The PID is returned.

#### Parameters

- Parent process: The name of the process to set as parent
- Executable location: Full path to the executable on disk used to spawn the new process
### CreateRemoteThread

| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |
| :---: | :---: | :---: | :---: | :---: |
| Shellcode/Raw | PID | 5 | No | - |

#### Description

Injects a payload into a remote process using NtCreateThreadEx.

#### Parameters

- Process PID: The process ID of the remote process
- Payload location: Location of the payload in binary form on disk (Conditional | Optional)
- Payload b64: Raw shellcode as a base64-encoded string (Conditional | Optional)
- Listener: Listener to generate the payload for (Conditional)

A listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the raw binary on disk, or as base64-encoded shellcode.
### QueueUserAPC

| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |
| :---: | :---: | :---: | :---: | :---: |
| Shellcode/Raw | PID | 2 | No | May crash the target process |

#### Description

Injects a payload into a remote process using NtQueueApcThread.

#### Parameters

- Process PID: The process ID of the remote process
- Threads: Number of threads to queue an APC call on
- Payload location: Location of the payload in binary form on disk (Conditional | Optional)
- Payload b64: Raw shellcode as a base64-encoded string (Conditional | Optional)
- Listener: Listener to generate the payload for (Conditional)

A listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the raw binary on disk, or as base64-encoded shellcode.
### MapViewOfSection

| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |
| :---: | :---: | :---: | :---: | :---: |
| Shellcode/Raw | Surrogate Process | 5 | No | - |

#### Description

Injects a payload into a surrogate process using NtMapViewOfSection.

#### Parameters

- Parent process: The name of the process to set as parent
- Executable location: The location of the executable on disk used to spawn the new process
- Payload location: Location of the payload in binary form on disk (Conditional | Optional)
- Payload b64: Raw shellcode as a base64-encoded string (Conditional | Optional)
- Listener: Listener to generate the payload for (Conditional)

A listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the raw binary on disk, or as base64-encoded shellcode.
### TransactedHollowing

| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |
| :---: | :---: | :---: | :---: | :---: |
| PE | Surrogate Process | 5 | No | Requires an x64 PE payload |

#### Description

Injects a payload into a surrogate process using transacted sections and mapped views. The remote entry point and PEB are updated; no anomalous memory sections or memory permissions result. See here for more information.

#### Parameters

- Parent process: The name of the process to set as parent
- Executable location: The location of the executable on disk used to spawn the new process
- Payload location: Location of the x64 PE payload on disk (Conditional | Optional)
- Payload b64: x64 PE payload as a base64-encoded string (Conditional | Optional)
- Listener: Listener to generate the payload for (Conditional)

A listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the x64 PE on disk, or as a base64-encoded x64 PE.
### PhantomDLLHollowing

**CURRENTLY NOT IMPLEMENTED**

| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |
| :---: | :---: | :---: | :---: | :---: |
| Position Independent Shellcode (PIC) | Surrogate Process | 5 | Yes | Elevated permissions are required to open system DLLs with write permissions |

#### Description

Injects a payload into a surrogate process using transacted sections in combination with DLL hollowing. See here for more information.

#### Parameters

- Parent process: The name of the process to set as parent
- Executable location: The location of the executable on disk used to spawn the new process
- Payload location: Location of the payload in binary form on disk (Conditional | Optional)
- Payload b64: Raw shellcode as a base64-encoded string (Conditional | Optional)
- Listener: Listener to generate the payload for (Conditional)

A listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the raw binary on disk, or as base64-encoded shellcode.
## Persistence

### ElevatedRegKey

#### Description

Creates or modifies a registry value at the specified location.

- HKLM:Software\Microsoft\Windows\CurrentVersion\Run
- HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce

#### Parameters

- Key name: Value name
- Command: Command to be run when the registry value is used
- Registry key: Location where the registry value will be created
- Hidden: Prepends a null byte to the value name; causes errors in regedit
- Cleanup: Removes the created value

Cleanup requires the key name and registry key (location).
### ElevatedUserInitRegKey

#### Description

Creates or modifies a registry value at the specified location.

- HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon [UserInit]

#### Parameters

- Key name: Value name
- Command: Command to be run when the registry value is used
- Registry key: Location where the registry value will be created
- Hidden: Prepends a null byte to the value name; causes errors in regedit
- Cleanup: Removes the created value
- UserInit: Automatically sets 'Key name' and 'Registry key'

Cleanup requires the key name and registry key (location).
### UserRegKey

#### Description

Creates or modifies a registry value at the specified location.

- HKCU:Software\Microsoft\Windows\CurrentVersion\Run
- HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce

#### Parameters

- Key name: Value name
- Command: Command to be run when the registry value is used
- Registry key: Location where the registry value will be created
- Hidden: Prepends a null byte to the value name; causes errors in regedit
- Cleanup: Removes the created value

Cleanup requires the key name and registry key (location).
### UserInitMprRegKey

#### Description

Creates or modifies a registry value at the specified location.

- HKCU:Environment [UserInitMprLogonScript]

#### Parameters

- Key name: Value name
- Command: Command to be run when the registry value is used
- Registry key: Location where the registry value will be created
- Hidden: Prepends a null byte to the value name; causes errors in regedit
- Cleanup: Removes the created value
- UserInitMprLogonScript: Automatically sets 'Key name' and 'Registry key'

Cleanup requires the key name and registry key (location).
### Scheduled Task COM Hijack

#### Description

Hijacks a scheduled task's COM handler. Creates a registry key at `HKCU:\Software\Classes\CLSID\<CLSID>\InprocServer32` which points to a DLL.

#### Parameters

- Class ID: The CLSID that corresponds to the task's COM handler CLSID
- DLL path: Path to the DLL that is to be loaded
- Cleanup: Removes the created key
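From the defender's side, every persistence location in this section (the Run/RunOnce keys, the Winlogon UserInit value, the HKCU Environment UserInitMprLogonScript value, and the per-user CLSID InprocServer32 key used by the scheduled task COM hijack) is a fixed registry path, and the "Hidden" option leaves a distinctive artifact: a value name that begins with a null byte. The following is an added example, not part of CobaltWhispers or StayKit, of a hunt that runs over a snapshot of registry values and flags those artifacts. The snapshot is a constructed list of (key, value name, data) tuples; the UserInit baseline string and the rule names are assumptions of the example, not anything the README states.

```python
"""Hunt a registry snapshot for the persistence locations described above (added example)."""
from dataclasses import dataclass
import re

# Autorun locations this README's registry persistence writes to (lower-cased for comparison).
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
ENVIRONMENT_KEY = r"hkcu\environment"
# Assumed baseline for the UserInit value on a stock install; adjust to your own build.
USERINIT_BASELINE = r"c:\windows\system32\userinit.exe,"

# Per-hive in-process COM registration: HKCU entries take precedence over HKLM ones,
# which is what a COM hijack relies on.
CLSID_RE = re.compile(
    r"^(hklm|hkcu)\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    name: str
    data: str


def normalize(key: str) -> str:
    """Shorten hive names, drop a trailing backslash and lower-case the path."""
    return (key.replace("HKEY_LOCAL_MACHINE", "HKLM")
               .replace("HKEY_CURRENT_USER", "HKCU")
               .rstrip("\\")
               .lower())


def hunt(entries, userinit_baseline=USERINIT_BASELINE):
    """Return a list of Findings for the (key, value_name, data) tuples in `entries`."""
    findings = []
    # First pass: machine-wide CLSIDs, so per-user shadows of them can be spotted.
    hklm_clsids = set()
    for key, _name, _data in entries:
        m = CLSID_RE.match(normalize(key))
        if m and m.group(1) == "hklm":
            hklm_clsids.add(m.group(2))
    for key, name, data in entries:
        k = normalize(key)
        if "\x00" in name:  # the "Hidden" option's null-byte-prefixed value name
            findings.append(Finding("null-byte-value-name", k, name, data))
        if k in AUTORUN_KEYS:  # informational: every autorun entry, benign ones included
            findings.append(Finding("autorun-entry", k, name, data))
        if (k == WINLOGON_KEY and name.lower() == "userinit"
                and data.strip().lower() != userinit_baseline):
            findings.append(Finding("userinit-modified", k, name, data))
        if k == ENVIRONMENT_KEY and name.lower() == "userinitmprlogonscript":
            findings.append(Finding("logon-script-env", k, name, data))
        m = CLSID_RE.match(k)
        if m and m.group(1) == "hkcu" and m.group(2) in hklm_clsids:
            findings.append(Finding("hkcu-clsid-shadow", k, name, data))
    return findings


# Constructed snapshot: one benign autorun, one hidden autorun, a modified UserInit,
# a logon-script value, a machine-wide CLSID and a per-user shadow of it, plus noise.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\x00Updater",
     r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit",
     r"C:\Windows\system32\userinit.exe,C:\Users\Public\x.exe"),
    (r"HKCU\Environment", "UserInitMprLogonScript", r"C:\Users\Public\logon.bat"),
    (r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "", r"C:\Windows\system32\example.dll"),
    (r"HKCU\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     "", r"C:\Users\alice\AppData\Roaming\shadow.dll"),
    (r"HKCU\Environment", "TEMP", r"C:\Users\alice\AppData\Local\Temp"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_ENTRIES):
        # repr() makes the leading null byte visible instead of silently dropping it.
        print(f"{f.rule:22} {f.key}  name={f.name!r}  data={f.data}")
```

When feeding this from a live host, collect value names with an API that returns the name length rather than a NUL-terminated string; wrappers that stop at the first NUL return an empty name for a hidden value, which is the same reason regedit reports errors on it. The `autorun-entry` rule lists benign entries too and is meant for baselining; the other four rules are the ones worth alerting on.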