{"id":21988082,"url":"https://github.com/nvisosecurity/cobaltwhispers","last_synced_at":"2026-02-27T10:43:44.645Z","repository":{"id":89494126,"uuid":"457346431","full_name":"NVISOsecurity/CobaltWhispers","owner":"NVISOsecurity","description":"CobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files (BOF) for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls (SysWhispers2) to bypass EDR/AV","archived":false,"fork":false,"pushed_at":"2023-01-04T15:42:25.000Z","size":118,"stargazers_count":229,"open_issues_count":1,"forks_count":34,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-02T13:08:12.858Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NVISOsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-09T12:20:20.000Z","updated_at":"2025-01-30T09:22:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"553cac3c-feb3-4f22-8f0a-4a9d3066f2f5","html_url":"https://github.com/NVISOsecurity/CobaltWhispers","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2FCobaltWhispers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2FCobaltWhispers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2FCobaltWhispers/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2FCobaltWhispers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NVISOsecurity","download_url":"https://codeload.github.com/NVISOsecurity/CobaltWhispers/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244047646,"owners_count":20389206,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-29T19:15:33.489Z","updated_at":"2026-02-27T10:43:39.597Z","avatar_url":"https://github.com/NVISOsecurity.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CobaltWhispers\n\nAuthor: [@Cerbersec](https://twitter.com/cerbersec)\n\nCobaltWhispers is an aggressor script that utilizes a collection of Beacon Object Files for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls to bypass EDR/AV.\n\n\u003e CobaltWhispers is powered by [SysWhispers2](https://github.com/jthuraisamy/SysWhispers2) and [InlineWhispers2](https://github.com/Sh0ckFR/InlineWhispers2)  \n\u003e CobaltWhispers is based on [StayKit](https://github.com/0xthirteen/StayKit) and work from [Hasherezade](https://github.com/hasherezade/transacted_hollowing) and [Forrest Orr](https://github.com/forrest-orr/phantom-dll-hollower-poc).\n\nCobaltWhispers was made as part of an internship at NVISO Security's Red Team. 
The associated blogposts can be found [here (process-injection)](https://cerbersec.com/2021/08/26/beacon-object-files-part-1.html) and [here (kernel karnage)](https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/).\n\n# Compiling from source\n\nCobaltWhispers requires several tools to compile:\n* MingW-w64 - `apt install mingw-w64`\n* Make - `apt install make`\n* Python3\n* [SysWhispers2](https://github.com/jthuraisamy/SysWhispers2)\n* [InlineWhispers2](https://github.com/Sh0ckFR/InlineWhispers2)\n\nEach project requires 3 files generated by SysWhispers2 / InlineWhispers2 to function:\n* syscalls-asm.h\n* syscalls.c\n* syscalls.h\n\nThese files can be generated according to the InlineWhispers2 documentation, **however this is not the optimal method** because a lot of unused code will be included:\n```\ngit clone https://github.com/Sh0ckFR/InlineWhispers2 \u0026\u0026 cd InlineWhispers2\ncd SysWhispers2/ \u0026\u0026 python3 syswhispers.py --preset all -o syscalls_all \u0026\u0026 cd ..\npython3 InlineWhispers2.py\n\n```\n\nInstead, use SysWhispers2 to generate the output files only for the necessary APIs, then manually (or script it) supply them to InlineWhispers2 which will convert them to the proper format. See the included makefile for additional information or use the included files at your own risk.\n\n## Injection\n### SpawnProcess\n\n| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: | :---: | :---: |\n| - | - | 5 | No | Inherit permissions from parent process |\n\n#### Description\n\nSpawns a new suspended process with Code Integrity Guard (CIG) enabled to block non-Microsoft signed binaries. Spoofs the specified parent process. 
The PID is returned.\n\n#### Parameters\n\n**Parent process:** The name of the process to set as parent  \n**Executable location:** Full path to executable on disk used to spawn new process\n\n___\n\n### CreateRemoteThread\n\n| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: | :---: | :---: |\n| Shellcode/Raw | PID | 5 | No | - |\n\n#### Description\n\nInjects a payload into a remote process using NtCreateThreadEx\n\n#### Parameters\n\n**Process PID:** The process ID of the remote process  \n**Payload location:** Location of payload in binary form on disk (Conditional | Optional)  \n**Payload b64:** Raw shellcode in base64 encoded string format (Conditional | Optional)  \n**Listener:** Listener to generate payload for (Conditional)\n\nA listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the raw binary on disk, or Base64 encoded shellcode.\n\n___\n\n### QueueUserAPC\n\n| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: | :---: | :---: |\n| Shellcode/Raw | PID | 2 | No | Potentially crash target process |\n\n#### Description\n\nInjects a payload into a remote process using NtQueueApcThread\n\n#### Parameters\n\n**Process PID:** The process ID of the remote process  \n**Threads:** Number of threads to add an APC call to  \n**Payload location:** Location of payload in binary form on disk (Conditional | Optional)  \n**Payload b64:** Raw shellcode in base64 encoded string format (Conditional | Optional)  \n**Listener:** Listener to generate payload for (Conditional)\n\nA listener should be specified to generate a Beacon payload. 
If a manual payload is desired, it should be provided via a path to the raw binary on disk, or Base64 encoded shellcode.\n\n___\n\n### MapViewOfSection\n\n| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: | :---: | :---: |\n| Shellcode/Raw | Surrogate Process | 5 | No | - |\n\n#### Description\n\nInjects a payload into a surrogate process using NtMapViewOfSection\n\n#### Parameters\n\n**Parent process:** The name of the process to set as parent  \n**Executable location:** The location of the executable on disk to be used to spawn a new process  \n**Payload location:** Location of payload in binary form on disk (Conditional | Optional)  \n**Payload b64:** Raw shellcode in base64 encoded string format (Conditional | Optional)  \n**Listener:** Listener to generate payload for (Conditional)  \n\nA listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the raw binary on disk, or Base64 encoded shellcode.\n\n___\n\n### TransactedHollowing\n\n| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: | :---: | :---: |\n| PE | Surrogate Process | 5 | No | Requires x64 PE payload |\n\n#### Description\n\nInjects a payload into a surrogate process using transacted sections and mapped views. Remote entry point and PEB are updated, no anomalous memory sections or memory permissions. 
See [here](https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/) for more information.\n\n#### Parameters\n\n**Parent process:** The name of the process to set as parent  \n**Executable location:** The location of the executable on disk to be used to spawn a new process  \n**Payload location:** Location of x64 PE payload on disk (Conditional | Optional)  \n**Payload b64:** x64 PE payload in base64 encoded string format (Conditional | Optional)  \n**Listener:** Listener to generate payload for (Conditional)\n\nA listener should be specified to generate a Beacon payload. If a manual payload is desired, it should be provided via a path to the x64 PE on disk, or Base64 encoded x64 PE.\n\n___\n\n### PhantomDLLHollowing\n\n**CURRENTLY NOT IMPLEMENTED**\n\n| Payload Type | Target | Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: | :---: | :---: |\n| Position Independent Shellcode (PIC) | Surrogate Process | 5 | Yes | Elevated permissions are required to open system DLLs with write permissions |\n\n#### Description\n\nInjects a payload into a surrogate process using transacted sections in combination with DLL hollowing. See [here](https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing) for more information.\n\n#### Parameters\n\n**Parent process:** The name of the process to set as parent  \n**Executable location:** The location of the executable on disk to be used to spawn a new process  \n**Payload location:** Location of payload in binary form on disk (Conditional | Optional)  \n**Payload b64:** Raw shellcode in base64 encoded string format (Conditional | Optional)  \n**Listener:** Listener to generate payload for (Conditional)\n\nA listener should be specified to generate a Beacon payload. 
If a manual payload is desired, it should be provided via a path to the raw binary on disk, or Base64 encoded shellcode.\n\n___\n\n## Persistence\n### ElevatedRegKey\n#### Description\n\nCreate or modify a registry key at the specified location.\n* HKLM:Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\n* HKLM:Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\n\n#### Parameters\n\n**Key name:** Value name  \n**Command:** Command to be run when the registry key is processed  \n**Registry key:** Location where registry key will be created  \n**Hidden:** Prepends a null byte to the key name, which makes regedit throw errors when displaying it  \n**Cleanup:** Removes created key\n\nCleanup requires the key name and registry key (location).\n\n___\n\n### ElevatedUserInitRegKey\n#### Description\n\nCreate or modify a registry key at the specified location.\n* HKLM:Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon [UserInit]\n\n#### Parameters\n\n**Key name:** Value name  \n**Command:** Command to be run when the registry key is processed  \n**Registry key:** Location where registry key will be created  \n**Hidden:** Prepends a null byte to the key name, which makes regedit throw errors when displaying it  \n**Cleanup:** Removes created key\n\nCleanup requires the key name and registry key (location).  
\nUserInit: Automatically sets 'Key name' and 'Registry key'.\n\n___\n\n### UserRegKey\n#### Description\nCreate or modify a registry key at the specified location.\n* HKCU:Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\n* HKCU:Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\n\n#### Parameters\n\n**Key name:** Value name  \n**Command:** Command to be run when the registry key is processed  \n**Registry key:** Location where registry key will be created  \n**Hidden:** Prepends a null byte to the key name, which makes regedit throw errors when displaying it  \n**Cleanup:** Removes created key\n\nCleanup requires the key name and registry key (location).\n\n___\n\n### UserInitMprRegKey\n#### Description\nCreate or modify a registry key at the specified location.\n* HKCU:Environment [UserInitMprLogonScript]\n\n#### Parameters\n\n**Key name:** Value name  \n**Command:** Command to be run when the registry key is processed  \n**Registry key:** Location where registry key will be created  \n**Hidden:** Prepends a null byte to the key name, which makes regedit throw errors when displaying it  \n**Cleanup:** Removes created key\n\nCleanup requires the key name and registry key (location).  \nUserInitMprLogonScript: Automatically sets 'Key name' and 'Registry key'.\n\n___\n\n### Scheduled Task COM Hijack\n#### Description\n\nHijacks a scheduled task's COM handler. Creates a registry key at HKCU:\\\\Software\\\\Classes\\\\CLSID\\\\\u003cCLSID\u003e\\\\InprocServer32 which points to a DLL.\n\n#### Parameters\n\n**Class ID:** The CLSID that corresponds to the task's COM handler CLSID  \n**DLL path:** Path to DLL that is to be loaded  \n**Cleanup:** Removes created key\n\n___\n\n## Drivers\n### DisableDSE\n\n| Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: |\n| 4 | Yes | Can potentially BSOD target system |\n\n#### Description\n\nLoads a vulnerable signed driver with arbitrary kernel memory read/write (NalDrv/iqvm64.sys). 
Changes the ntoskrnl.exe `g_CiEnabled` or CI.dll `g_CiOptions` flag to disable Driver Signature Enforcement (DSE).  \nLoads a non-signed driver (Interceptor/Interceptor.sys), then restores the DSE flag values. Both the signed driver and non-signed driver are written to disk.\n\n| Driver | MD5 checksum |\n| :---: | :---: |\n| iqvm64.sys | 1898ceda3247213c084f43637ef163b3 |\n| Interceptor.sys | 508c8943359717cfa0c77b61ebea2118 |\n\n#### Parameters\n\n**Vulnerable driver location:** Location of vulnerable signed driver in binary form on disk  \n**Malicious driver location:** Location of the malicious non-signed driver in binary form on disk  \n**Vulnerable driver name:** name used to create the registry key '\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\\u003cname\u003e'  \n**Vulnerable driver device name:** name used to contact the driver '\\\\DosDevices\\\\\u003cname\u003e'  \n**Malicious driver name:** name used to create the registry key '\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\\u003cname\u003e'  \n**Malicious driver device name:** name used to contact the driver '\\\\DosDevices\\\\\u003cname\u003e'  \n**Target path:** temporary path to write the vulnerable and malicious driver files to\n\n___\n\n### UnloadDriver\n\n| Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: |\n| 5 | Yes | - |\n\n#### Description\n\nUnloads a driver on the target using the provided registry key and deletes the binary from disk at the specified path.\n\n#### Parameters\n\n**Driver registry key:** registry key used to unload driver '\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\\u003cname\u003e'  \n**Driver installation path:** location of driver on disk\n\n___\n\n### Intercept\n\n| Reliability (0-5) | Elevated | Remarks |\n| :---: | :---: | :---: |\n| 4 | No | Can potentially BSOD target system |\n\n#### Description\n\n**Information:** Query the Interceptor driver  \n**Hook:** Hook the target 
driver's major functions (IRP)  \n**Unhook:** Restore the target driver's major functions  \n**Patch:** Patch the target kernel callbacks  \n**Restore:** Restore the target kernel callbacks\n\n#### Parameters: Information\n\n**Vendors:** display supported vendors  \n**Modules:** query all loaded drivers  \n**Hooked modules:** display all hooked drivers  \n**Callbacks:** query all registered callbacks\n\n#### Parameters: Hook\n\n**Index:** hook a driver by index (see: information - modules)  \n**Name:** hook a driver by device name (\\\\Device\\\\Name)  \n**Values:** comma separated list of indexes (conditional)  \n**Name:** device name of the target driver (conditional)\n\nValues is required when 'Index' is selected. Name is required when 'Name' is selected.\n\n#### Parameters: Unhook\n\n**Index:** unhook a driver by index (see: information - hooked modules)  \n**All:** unhook all hooked drivers  \n**Values:** comma separated list of indexes (conditional)\n\nValues is required when 'Index' is selected.\n\n#### Parameters: Patch\n\n**Vendor:** patch all callbacks associated with vendor module(s)  \n**Module:** patch all callbacks associated with module(s)  \n**Process:** patch process callback(s)  \n**Thread:** patch thread callback(s)  \n**Image:** patch image callback(s)  \n**Registry:** patch registry callback(s)  \n**Object process:** patch object process callback(s)  \n**Object thread:** patch object thread callback(s)  \n**Values:** comma separated list of indexes (see: information - callbacks) (conditional)  \n**Name:** comma separated list of module names or single vendor name (see: information - vendors) (conditional)\n\nValues is required when 'process', 'thread', 'image', 'registry', 'object process' or 'object thread' is selected. 
Name is required when 'vendor' or 'module' is selected.\n\n#### Parameters: Restore\n\n**Vendor:** restore all callbacks associated with vendor module(s)  \n**Module:** restore all callbacks associated with module(s)  \n**Process:** restore process callback(s)  \n**Thread:** restore thread callback(s)  \n**Image:** restore image callback(s)  \n**Registry:** restore registry callback(s)  \n**Object process:** restore object process callback(s)  \n**Object thread:** restore object thread callback(s)  \n**All:** restore all callbacks  \n**Values:** comma separated list of indexes (see: information - callbacks) (conditional)  \n**Name:** comma separated list of module names or single vendor name (see: information - vendors) (conditional)\n\nValues is required when 'process', 'thread', 'image', 'registry', 'object process' or 'object thread' is selected. Name is required when 'vendor' or 'module' is selected.\n\n___\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvisosecurity%2Fcobaltwhispers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnvisosecurity%2Fcobaltwhispers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvisosecurity%2Fcobaltwhispers/lists"}
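An added example for the "Compiling from source" section of the README above; this is not code from the CobaltWhispers repository. The README recommends generating SysWhispers2 stubs only for the Nt* APIs a BOF actually uses instead of `--preset all`, and suggests scripting that step. The helper below scans a BOF's C source for `Nt*(` calls, drops ntdll macros such as `NtCurrentProcess` that look like calls but are not system calls (SysWhispers2 has no stubs for them), and assembles the matching `syswhispers.py --functions ... -o syscalls_all` invocation. Assumptions: SysWhispers2's `--functions` and `-o` flags as documented by that project, the `syscalls_all` output basename taken from the README's own InlineWhispers2 invocation, the illustrative macro list, and a constructed sample BOF.

```python
"""Added example (not part of CobaltWhispers): derive the minimal
SysWhispers2 function set from a BOF's source instead of `--preset all`."""
import re
import shlex
from typing import Iterable, List

# Identifiers that look like Nt* calls but are ntdll macros, not system
# calls; SysWhispers2 would reject them (assumption: illustrative list).
NOT_SYSCALLS = {"NtCurrentProcess", "NtCurrentThread", "NtCurrentTeb", "NtCurrentPeb"}

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_NT_CALL = re.compile(r"\b(Nt[A-Z][A-Za-z0-9]+)\s*\(")


def extract_nt_functions(source: str) -> List[str]:
    """Sorted, de-duplicated Nt* calls found in C source text.

    Comments are stripped first so a call mentioned in a comment does not
    pull an unused stub (and its extra code) into the BOF."""
    code = _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub("", source))
    found = {m.group(1) for m in _NT_CALL.finditer(code)}
    return sorted(found - NOT_SYSCALLS)


def syswhispers_command(functions: Iterable[str], out_file: str = "syscalls_all") -> List[str]:
    """argv for SysWhispers2 generating stubs for exactly `functions`.

    `syscalls_all` is the basename the README's InlineWhispers2 invocation
    uses (assumption: InlineWhispers2 looks for that name)."""
    funcs = list(functions)
    if not funcs:
        raise ValueError("no Nt* calls found; nothing to generate")
    return ["python3", "syswhispers.py", "--functions", ",".join(funcs), "-o", out_file]


# Constructed sample, shaped like a CreateRemoteThread-style BOF.
SAMPLE_BOF = r'''
#include <windows.h>
#include "syscalls.h"
void go(char *args, int len) {
    HANDLE hProc = NtCurrentProcess();      /* macro, not a syscall */
    HANDLE hThread = NULL; PVOID base = NULL; SIZE_T size = 0x1000; ULONG old = 0;
    NtAllocateVirtualMemory(hProc, &base, 0, &size, MEM_COMMIT, PAGE_READWRITE);
    NtWriteVirtualMemory(hProc, base, args, len, NULL);
    NtProtectVirtualMemory(hProc, &base, &size, PAGE_EXECUTE_READ, &old);
    NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProc, base, NULL, 0, 0, 0, 0, NULL);
    // NtQueueApcThread( appears only in this comment and must not be picked up
}
'''

if __name__ == "__main__":
    # Prints the command to run inside the SysWhispers2 checkout.
    print(shlex.join(syswhispers_command(extract_nt_functions(SAMPLE_BOF))))
```

Run the printed command inside the SysWhispers2 directory, then `python3 InlineWhispers2.py` as the README shows; the generated `syscalls.c`, `syscalls.h` and `syscalls-asm.h` then contain only the four stubs this BOF needs.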
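An added example for the "Persistence" section of the README above, written from the defender's side; it is not code from CobaltWhispers. The audit below takes registry values as (key, value name, data) tuples and flags the artefacts each persistence BOF leaves behind: a NUL-prefixed "hidden" Run/RunOnce value name, an executable appended to the Winlogon Userinit chain, a `HKCU\Environment\UserInitMprLogonScript` value, and a per-user `CLSID\{...}\InprocServer32` registration of the kind the scheduled task COM hijack creates. The input is a constructed sample so the code runs offline; collecting live values with `winreg` or `reg query` on a Windows host is left to the reader. The default Userinit path, the sample GUID and the sample file paths are assumptions.

```python
"""Added example (not part of CobaltWhispers): hunt for the registry
persistence artefacts described in the README's Persistence section."""
from typing import Dict, List, Tuple

RegValue = Tuple[str, str, str]  # (hive\key path, value name, data)

AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
ENVIRONMENT_KEY = r"hkcu\environment"
HKCU_CLSID_PREFIX = r"hkcu\software\classes\clsid\{"
# Stock Userinit chain (assumption: no legitimate vendor additions on the host).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def _norm(path: str) -> str:
    """Registry paths are case-insensitive; compare lower-case, no trailing backslash."""
    return path.strip().rstrip("\\").lower()


def audit_persistence(values: List[RegValue]) -> List[Dict[str, object]]:
    """One finding per value matching a CobaltWhispers persistence pattern.

    Plain Run/RunOnce entries are 'info' (common, need triage); the rest 'high'."""
    findings: List[Dict[str, object]] = []
    for key, name, data in values:
        k = _norm(key)
        reasons: List[str] = []
        severity = "info"

        # ElevatedRegKey / UserRegKey with 'Hidden': a leading NUL in the value
        # name makes regedit error out, but the Run key still executes it.
        if name.startswith("\x00"):
            reasons.append("value name starts with NUL (hidden autorun)")
            severity = "high"

        if k in AUTORUN_KEYS:
            reasons.append("Run/RunOnce autorun entry: %s" % data)

        # ElevatedUserInitRegKey: anything appended to the comma-separated
        # Userinit chain runs at every interactive logon.
        if k == WINLOGON_KEY and name.lower() == "userinit":
            for exe in (p.strip() for p in data.split(",")):
                if exe and _norm(exe) != DEFAULT_USERINIT:
                    reasons.append("non-default Userinit entry: %s" % exe)
                    severity = "high"

        # UserInitMprRegKey: a per-user logon script that rarely exists legitimately.
        if k == ENVIRONMENT_KEY and name.lower() == "userinitmprlogonscript":
            reasons.append("UserInitMprLogonScript logon script: %s" % data)
            severity = "high"

        # Scheduled Task COM Hijack: a per-user InprocServer32 shadows the
        # machine-wide CLSID registration without needing admin rights.
        if k.startswith(HKCU_CLSID_PREFIX) and k.endswith(r"\inprocserver32"):
            reasons.append("per-user COM InprocServer32 registration: %s" % data)
            severity = "high"

        if reasons:
            findings.append({"key": key, "name": name, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample, modelled on what the persistence BOFs leave behind.
SAMPLE_VALUES: List[RegValue] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "\x00Updater",
     r"C:\Users\Public\upd.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,C:\Users\Public\ui.exe,"),
    (r"HKCU\Environment", "UserInitMprLogonScript", r"C:\Users\Public\logon.bat"),
    (r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32", "",
     r"C:\Users\Public\handler.dll"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
]

if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_VALUES):
        print(str(f["severity"]).upper(), f["key"], repr(f["name"]), "; ".join(f["reasons"]))
```

The NUL check is the one that matters most for the "Hidden" option: GUI tooling chokes on the value name, so a hunt that only greps regedit exports or relies on a GUI view misses it, while an enumeration API that returns raw names does not.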