A Cobalt Strike profile, modified it, and bypassed Crowdstrike & Sophos without encrypting the shellcode. Also bypassed all published YARA rules, sleep detections, and string detections around a CS beacon.
Blog: https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/
Blog: https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/
White Knight Labs
Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion | White Knight Labs
In this blog post, we will go through the importance of each profile's option, and explore the differences between default and customized Malleable C2
Hidden Desktop BOF
HVNC for Cobalt Strike (Hidden Desktop) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience.
HVNC for Cobalt Strike (Hidden Desktop) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience.
GitHub
GitHub - WKL-Sec/HiddenDesktop: HVNC for Cobalt Strike
HVNC for Cobalt Strike. Contribute to WKL-Sec/HiddenDesktop development by creating an account on GitHub.
👍2❤1
DropSpawn
download
CobaltStrike BOF для создания маяков с использованием DLL Application Directory Hijackingdownload
👍2
Forwarded from Pwn3rzs
arsenal-kit20230315.zip
3 MB
Cobalt Strike Artifact Kit - 15 March 2023
It was provided by a user as is, we take no responsibility.
Thanks again for the share from anonymous user :)
EDIT: A user notified that this is a repack of the official, so please pay attention, even if it's all just source code.
It was provided by a user as is, we take no responsibility.
Thanks again for the share from anonymous user :)
EDIT: A user notified that this is a repack of the official, so please pay attention, even if it's all just source code.
👍2❤1
SharpTerminatator is a C# port of ZeroMemoryEx's art piece called Terminator. It can be used with Cobalt Strike's execute-assembly or as a standalone executable to terminate AV/EDR processes.
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
Eclecticiq
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
EclecticIQ researchers identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities.
❤1
Reviewed, Modified RunCoff arguments.
Added Cleanup for beacon compatability failure, and ran code beautifier on the C#
https://github.com/trustedsec/CS_COFFLoader
Added Cleanup for beacon compatability failure, and ran code beautifier on the C#
https://github.com/trustedsec/CS_COFFLoader
GitHub
GitHub - trustedsec/CS_COFFLoader
Contribute to trustedsec/CS_COFFLoader development by creating an account on GitHub.
❤2
BOFMask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying a XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying a XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
Security Intelligence
Your BOFs are gross, put on a mask: How to hide beacon during BOF execution
Explore a simple technique developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon.
👍4
Winsocket implementation for Cobalt Strike. Used to communicate with the victim using winsockets instead of the traditional ways.
https://github.com/WKL-Sec/Winsocky/
https://github.com/WKL-Sec/Winsocky/
GitHub
GitHub - WKL-Sec/Winsocky: Winsocket for Cobalt Strike.
Winsocket for Cobalt Strike. Contribute to WKL-Sec/Winsocky development by creating an account on GitHub.
👍3
Run BOFs written for Cobalt Strike in Brute Ratel C4
https://blog.nviso.eu/2023/07/17/introducing-cs2br-pt-ii-one-tool-to-port-them-all/
https://github.com/NVISOsecurity/cs2br-bof
https://blog.nviso.eu/2023/07/17/introducing-cs2br-pt-ii-one-tool-to-port-them-all/
https://github.com/NVISOsecurity/cs2br-bof
NVISO Labs
Introducing CS2BR pt. II – One tool to port them all
Introduction In the previous post of this series we showed why Brute Ratel C4 (BRC4) isn’t able to execute most BOFs that use the de-facto BOF API standard by Cobalt Strike (CS): BRC4 impleme…
👍2
https://github.com/Octoberfest7/CVE-2023-36874_BOF
Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE
Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE
GitHub
GitHub - Octoberfest7/CVE-2023-36874_BOF: Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE
Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE - Octoberfest7/CVE-2023-36874_BOF
👍2
Cobalt Strike 4.9: Take Me To Your Loader
https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
Cobalt Strike
Cobalt Strike 4.9: Take Me To Your Loader | Cobalt Strike
Cobalt Strike 4.9 is live, with post-ex support for UDRLs, the ability to export Beacon without a loader, support for callbacks and more.
👍1
Taking a quick look at the new Aggressor callbacks in Cobalt Strike 4.9.
https://rastamouse.me/cobalt-strike-aggressor-callbacks/
https://rastamouse.me/cobalt-strike-aggressor-callbacks/
BOFRYPTOR: ENCRYPTING YOUR BEACON DURING BOF EXECUTION TO AVOID MEMORY SCANNERS
https://github.com/securifybv/BOFRyptor
https://github.com/securifybv/BOFRyptor
GitHub
GitHub - securifybv/BOFRyptor
Contribute to securifybv/BOFRyptor development by creating an account on GitHub.
👍5