Inline-EA
Inline-EA is a Beacon Object File (BOF) designed for executing .NET assemblies stealthily within the current Beacon process. It was developed to bypass leading security solutions like Elastic and CrowdStrike Falcon.
Key Features:
- Evasive Execution: Execute .NET assemblies without detection by security products.
- AMSI Bypass: Optionally bypass AMSI by modifying clr.dll directly in memory.
- ETW Bypass: Utilize EAT hooking to prevent logging by ETW.
- Exit Patching: Includes an option to patch System.Environment.Exit to prevent process termination, although this feature may be detected.
Benefits:
- Ideal for security professionals and penetration testers aiming to execute .NET payloads under the radar.
- Supports running assemblies with additional options to enhance stealth.
How to Use:
- Compile code from the src/ directory.
- Place the inline-ea.cna and inline-ea.x64.o in the same directory.
- Load the script into your Cobalt Strike script manager.
Help Command:
Use help inline-ea in the Beacon console for usage details.