In-process runtimes
In-process loaders that execute foreign code (BOFs, .NET assemblies, full Windows PEs) without spawning child processes. The implant becomes its own post-exploitation runtime — useful when child-process creation is heavily monitored.
Where to start (novice path):
1. bof — load a Cobalt-Strike-style BOF (small custom C-compiled gadget) in-process. Cheapest in-process post-ex runtime.
2. pe — run a full Windows EXE or DLL in-process via the embedded No-Consolation BOF, capture its stdout. Drop-in replacement for CreateProcess when operator tools ship as .exe.
3. clr — host the .NET CLR in-process to run Mimikatz / Seatbelt / SharpHound assemblies without spawning powershell.exe or dropping .exe to disk.

All three avoid child-process creation. Pair with evasion/preset so the runtime calls don't tip AMSI / ETW.
Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| runtime/bof | bof-loader.md | quiet | Beacon Object File / COFF loader for in-memory x64 object-file execution |
| runtime/pe | pe-loader.md | moderate | Full Windows EXE / DLL execution in-process via embedded No-Consolation BOF |
| runtime/clr | clr.md | moderate | In-process .NET CLR hosting via ICLRMetaHost / ICorRuntimeHost |
Quick decision tree
| You want to… | Use |
|---|---|
| …run a small custom C-compiled gadget without dropping an EXE | runtime/bof |
| …run a Windows EXE (Mimikatz, Rubeus, Sysinternals) in-process | runtime/pe |
| …run a .NET assembly (Mimikatz, Seatbelt, SharpHound) in-process | runtime/clr |
| …drop a managed assembly to disk and run it | not this area — see Donut via pe/srdi |
MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1059 | Command and Scripting Interpreter | runtime/bof (in-process gadget runtime), runtime/pe (in-process EXE) | D3-PSA |
| T1620 | Reflective Code Loading | runtime/clr, runtime/pe | D3-PMA, D3-PSA |