08 September 2025
Claudio Contin
Beacon Object File (BOF) to kill a process by specifying its PID
During a recent red team engagement, we successfully phished some of the client staff, and lured them to execute a payload that provided us with Command & Control (C2) access.
One of the users we managed to compromise belonged to a cloud administrators group.
Since the payload deployed to the targets via the phishing was crafted in a way to run the C2 agent code in both Microsoft Edge and Google Chrome browser processes on each victim's host, Tier Zero Security proceeded with an attempt to dump the cookies.
An awesome BOF, Cookie Monster, already exists to dump the cookies while running within a browser's process.
We successfully tested the BOF using Havoc C2 on our controlled Windows 11 machine, and we were able to obtain the Cookies database without any issues.
However, in the client environment, the tool was unable to identify the correct process with a handle already opened to the Cookies file. This may have been due to a specific EDR running in these hosts, but in any case, no alerts were generated by the attempts. The App Bound Key could be obtained without any problems.
We then considered the possibility of using the C2 agent running in Edge to kill the Chrome processes and download the file manually, which is located at %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.
While searching for BOFs to kill a process by Process ID (PID), we could not find any publicly available ones. Given the simplicity of the code to kill a process, we decided to quickly implement one. The tool is available at https://github.com/TierZeroSecurity/killerPID-BOF.
After killing the Chrome processes, we were able to retrieve the Cookies file and decrypt their values with the App Bound Key previously recovered.
The cookies contained an AWS Single Sign-On (SSO) cookie, which was still valid. We used the cookie to authenticate to the AWS SSO service and obtained access tokens for the customer's AWS environment, revealing that the compromised user had high privileges.