Creating Object File Monstrosities with Sleep Mask and LLVM
The Mutator kit is now part of the Cobalt Strike Arsenal Kit. It allows you to mutate BOFs, sleep masks and more with LLVM.
🔗 https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
Cobalt Strike
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM
This blog introduces the mutator kit, which uses an LLVM obfuscator to break in-memory YARA scanning of the sleep mask.
Injecting Malicious Code into PDF Files and PDF Dropper Creation
https://cti.monster/blog/2024/07/25/pdfdropper.html
0x6rss
DojoLoader — Generic PE Loader for Prototyping Evasion Techniques
This is a versatile PE loader designed for prototyping evasion techniques. It supports downloading and executing encrypted shellcode, dynamic IAT hooking, and three Sleep obfuscation methods. Ideal for use with UDRL-less Beacon payloads from Cobalt Strike.
Blog Post:
https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
Source:
https://github.com/naksyn/DojoLoader
#cobaltstrike #udrl #memory #evasion
Naksyn’s blog
Raising Beacons without UDRLs and Teaching them How to Sleep
UDRLs and prepended loaders aren’t the only way to execute a raw payload and get a direct hooking in place. In the case of Cobalt Strike, a generic PE loader can be tweaked to execute an UDRL-less Beacon and get direct hooking for an easier prototyping of…
BeaconGate, Sleepmask... customizing Cobalt Strike after 4.10
https://rwxstoned.github.io/2024-11-13-Cobalt-Strike-customization/
RWXStoned
BeaconGate, Sleepmask... customizing Cobalt Strike after 4.10 | RWXStoned
a quick new Sleep PoC using the latest Cobalt Strike features
Process Inject Kit
This is a port of Cobalt Strike's Process Inject Kit from C to the C++ BOF template.
https://github.com/rasta-mouse/process-inject-kit
GitHub
GitHub - rasta-mouse/process-inject-kit: Port of Cobalt Strike's Process Inject Kit
Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection
URL:https://github.com/RedefiningReality/Cobalt-Strike
SigFlip is a tool for patching Authenticode-signed PE files (exe, dll, sys, etc.) without invalidating or breaking the existing signature.
https://github.com/med0x2e/SigFlip
Patchwerk
Cobalt Strike BOF that finds all the Nt* system call stubs within NTDLL and overwrites the memory with clean stubs (user-land hook evasion). This way we can use the NT APIs from our implant code, and if an EDR checks the call stack, the call will appear to have originated from NTDLL. It's pretty much the same as the original unhook by Raph Mudge, but this way there's no need to map ntdll.dll from disk or open handles to remote processes.
• Uses HellsGate & HalosGate to call direct syscalls for NtOpenProcess, NtWriteVirtualMemory, and NtProtectVirtualMemory.
• Has custom GetModuleHandle & GetProcAddress(getSymbolAddress) written in C and ASM to evade hooks on kernel32.
• If patching the syscall stubs of the current process, it does not use NtOpenProcess; it just uses hProc = (HANDLE)-1; instead.
StringReaper
CobaltStrike BOF designed to carve strings out of remote process memory. This tool allows operators to carve ASCII and UTF-16 strings from targeted processes, making it effective for retrieving JWT tokens, credentials, and other sensitive data directly from memory. Over the past 3 years I've had great success in using this tool on engagements. It saves time when operating from a C2 where you don't want to have to wait on a full process dump or deal with download size issues.
AWS Cobalt Redirector : Streamlining Red Team Operations With Automated C2 Infrastructure
https://kalilinuxtutorials.com/aws-cobalt-redirector/
Cobalt Strike 4.11: Shhhhhh, Beacon is Sleeping….
#cobaltstrike
Cobalt Strike 4.11 is now available. This release introduces a novel Sleepmask, a novel process injection technique, new out-of-the-box obfuscation options for Beacon, asynchronous BOFs, and a DNS over HTTPS (DoH) Beacon. Additionally, we have overhauled Beacon's reflective loader and there are numerous QoL updates.
Out-of-the-Box Evasion Overhaul
The focus of this release (and the [...]
via Cobalt Strike Blog (author: William Burgess)
PCAP Threat Hunting with Wireshark - TrickBot & Cobalt Strike Detection | DNS & HTTP
https://github.com/YASHWANTgs/pcap-threat-hunting-trickbot
Go-based C2 server inspired by Cobalt Strike; seamless agent control, web UI, and Malleable Profile support. Fast, extensible, and secure for red-team ops.
https://github.com/armin-hg/NewCobaltstrikeTeamServer
Implementation of the concept of asynchronous Beacon Object Files. It provides a framework for running asynchronous monitoring tasks that can detect events and report back to the Cobalt Strike team server.
https://github.com/9Insomnie/async_bof