Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks

Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks (PDF, 0.54MB)
Published: 22 Jun, 2026
Created by:
Eric Fletcher

Defenders relying on default Windows logging have no visibility into credential-harvesting techniques that operate within an established beacon process via legitimate Windows APIs. The AskCreds Beacon Object File exemplifies this class by invoking CredUIPromptForWindowsCredentials() entirely in memory, spawning no child process, writing nothing to disk, and producing no file-based artifact for signature engines. Because harvested credentials drive lateral movement that can persist undetected for months, the gap carries significant operational risk. Prior research has addressed BOF evasion broadly and C2 network detection independently, but no study has empirically measured detection efficacy for CredUIPromptForWindowsCredentials abuse delivered via Beacon Object File execution across multiple C2 frameworks under active ETW suppression.

This study evaluates layered detection strategies against AskCreds BOF execution in an isolated Azure lab using Cobalt Strike 4.12 and Outflank C2 v2.11.1, with Velociraptor as the primary DFIR platform. A Sysmon Event ID 7 ImageLoad rule scoped to credui.dll loaded by any process outside the established legitimate baseline, supported by ETW kernel telemetry and C2 network analysis, identified AskCreds execution in all six beacon sessions tested, with zero false positives against a 267-event legitimate baseline. The detection's durability derives from architectural independence: Sysmon's kernel driver observes image loads below the user-mode ETW subsystem that the tested C2 frameworks actively patch (Sysmon-only 100%, ETW-only 0% under identical execution conditions with Blind ETW active).

Claims are scoped to what the experiment measured. Licensed commercial EDR platforms were not tested; coverage extends to AskCreds via the credui.dll code path rather than the full T1056.002 technique class; and rates are point estimates from a six-session cohort that practitioners should re-baseline against their own environment. Deliverables include a freely deployable Velociraptor artifact pack, a custom Sysmon configuration, and VQL hunting queries actionable by enterprise defenders.
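As an added illustration of the baseline-scoped Event ID 7 rule the abstract describes (example code written for this page, not the paper's Sysmon configuration or VQL), the Python below applies the same logic to Sysmon ImageLoad records. The baseline process set and the sample events are constructed and hypothetical; a real deployment derives the baseline from its own legitimate ImageLoad telemetry.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical baseline (constructed): full paths of processes observed loading
# credui.dll legitimately during the baseline period. Matching on full path
# rather than bare file name keeps a renamed binary in a user-writable
# directory from inheriting the allow-listing.
BASELINE_IMAGES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\mmc.exe",
}
TARGET_DLL = "credui.dll"


@dataclass(frozen=True)
class ImageLoadEvent:
    """The Sysmon Event ID 7 fields this rule needs (subset, constructed)."""
    event_id: int
    image: str          # process that performed the load
    image_loaded: str   # DLL that was mapped into the process
    process_id: int


def is_suspicious_credui_load(ev: ImageLoadEvent) -> bool:
    """True when a process outside the baseline loads credui.dll.
    Windows paths are case-insensitive, so loader and DLL are normalised first."""
    if ev.event_id != 7:
        return False
    if PureWindowsPath(ev.image_loaded).name.lower() != TARGET_DLL:
        return False
    return ev.image.lower() not in BASELINE_IMAGES


def alerts(events):
    """Return the events that should raise an alert, in input order."""
    return [ev for ev in events if is_suspicious_credui_load(ev)]


# Constructed sample telemetry; not captured from any real host.
SAMPLE_EVENTS = [
    ImageLoadEvent(7, r"C:\Windows\explorer.exe", r"C:\Windows\System32\credui.dll", 1234),
    ImageLoadEvent(7, r"C:\WINDOWS\Explorer.EXE", r"C:\Windows\System32\CREDUI.DLL", 1234),
    ImageLoadEvent(7, r"C:\Windows\System32\mmc.exe", r"C:\Windows\System32\kernel32.dll", 2048),
    ImageLoadEvent(1, r"C:\Users\alice\AppData\Local\Temp\svc.exe", "", 4242),
    ImageLoadEvent(7, r"C:\Users\alice\AppData\Local\Temp\svc.exe", r"C:\Windows\System32\credui.dll", 4242),
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.process_id} image={ev.image} loaded={ev.image_loaded}")
```

Only the fifth record fires: the baseline loads (including the mixed-case duplicate) and the non-credui load are ignored, as is the Event ID 1 record from the same unbaselined process.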