In this post we will explore the use of direct system calls within Cobalt Strike Beacon Object Files (BOF). In detail, we will:
- Explain how direct system calls can be used in Cobalt Strike BOF to circumvent typical AV and EDR detections.
- Release InlineWhispers: a script to make working with direct system calls more easy in BOF code.
- Provide Proof-of-Concept BOF code which can be used to enable WDigest credential caching and circumvent Credential Guard by patching LSASS process memory.
Source code of the PoC can be found here:
Source code of InlineWhispers can be found here: