This BOF can execute a binary on disk in the context of another user. It achieves this through cross-session interaction using the IStandardActivator, ISpecialSystemProperties, and IHxHelpPaneServer COM interfaces. Consequently, process injection is not necessary to run code on behalf of another logged-on user.
Similar to process injection, this technique requires local administrator privileges on the system to interact with another user's session.
This BOF implementation is entirely based on the work of Michael Zhmailo. More information about his work can be found on his blog. Furthermore, a working PoC named IHxExec can be found on his GitHub.
- `<binary path>`: path to the binary you want to execute.
- `<session ID>`: specify the session ID of the user session in which the specified binary needs to be executed.
executecrosssession <binary path> <session ID>
executecrosssession C:\\Windows\\System32\\calc.exe 2
1. Make sure Visual Studio is installed and supports C/C++.
2. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
3. Run the `bofcompile.bat` script to compile the object file.
4. In Cobalt Strike, use the script manager to load the .cna script to import the tool.