Since its introduction in version 4.5 (2021), the Cobalt Strike Process Injection Kit allows users to define their own process injection techniques. This is done through the PROCESS_INJECT_SPAWN (fork&run) and PROCESS_INJECT_EXPLICIT (remote injection) hook functions. These hooks enable users to define the execution flow of memory allocation, code writing, and execution for a significant number of the Cobalt Strike built-in post-exploitation commands like keylogger, screenshot, and mimikatz.
Additional information and a complete list of the supported post-exploitation commands can be found here: Controlling Process Injection.
This project's goal is to showcase the application of the Process Injection Kit, which is utilized across a broad spectrum of Cobalt Strike's built-in commands. Moreover, the custom kits in this repository offer the potential for further refinement by integrating OPSEC best practices.
Additional variations/techniques will be added at a later time.
The following process injection techniques are currently in the InjectKit:
| Name | Description |
|---|---|
| Tartarus Gate | Indirect syscalls via the Tartarus' Gate method. |
Each individual process injection kit has its own README file with additional information and compile instructions.