Inline-EA

Inline-EA

Inline-EA is a Beacon Object File (BOF) designed for executing .NET assemblies stealthily within the current Beacon process. It was developed to bypass leading security solutions like Elastic and CrowdStrike Falcon.

Key Features:

• Evasive Execution: Execute .NET assemblies without detection by security products.
• AMSI Bypass: Optionally bypass AMSI by modifying clr.dll directly in memory.
• ETW Bypass: Utilize EAT hooking to prevent logging by ETW.
• Exit Patching: Includes an option to patch System.Environment.Exit to prevent process termination, although this feature may be detected.

Benefits:

• Ideal for security professionals and penetration testers aiming to execute .NET payloads under radar.
• Supports running assemblies with additional options to enhance stealth.

How to Use:

1. Compile code from the src/ directory.
2. Place the inline-ea.cna and inline-ea.x64.o in the same directory.
3. Load the script into your Cobalt Strike script manager.

Help Command:

Use help inline-ea in the Beacon console for usage details.