🌐SeeProxy is a Golang reverse proxy with CobaltStrike malleable profile validation.
The premise of this tool is that you never expose your teamserver to the world, only to a single instance of SeeProxy.
This way every request reaching your teamserver is legitimate C2 traffic.
DEMO: https://www.youtube.com/watch?v=iWuphwQggxk
https://github.com/nopbrick/SeeProxy
Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17).
https://github.com/tijme/amd-ryzen-master-driver-v17-exploit
Pure-Python implementation of the MemoryModule technique to load a DLL entirely from memory
https://github.com/naksyn/PythonMemoryModule
Cobalt Strike BOF implementing quser.exe functionality using the Windows API
https://github.com/netero1010/Quser-BOF
CobaltWhispers is an Aggressor script that uses a collection of Beacon Object Files (BOFs) for Cobalt Strike to perform process injection, persistence and more, leveraging direct syscalls (SysWhispers2) to bypass EDR/AV
https://github.com/NVISOsecurity/CobaltWhispers
Developing Cobalt Strike BOFs with Visual Studio
https://blog.yaxser.io/red/developing-cobalt-strike-bofs-with-visual-studio
CobaltStrike toolkit to write files produced by Beacon to memory instead of disk
https://github.com/Octoberfest7/MemFiles
Behind the Mask: Spoofing Call Stacks Dynamically with Timers
https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/
Cobalt Strike 4.8: (System) Call Me Maybe
https://www.cobaltstrike.com/blog/cobalt-strike-4-8-system-call-me-maybe/
Bypass userland EDR hooks by loading a reflective ntdll into memory from a remote server, selected by Windows ReleaseID, to avoid opening a handle to ntdll, and call exported APIs from its export table
https://github.com/TheD1rkMtr/NTDLLReflection
Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
https://www.cobaltstrike.com/blog/revisiting-the-udrl-part-1-simplifying-development/
A collection of random small Aggressor snippets that don't warrant their own repo
https://github.com/Octoberfest7/aggressor_snippets
Microsoft and Fortra crack down on malicious Cobalt Strike servers 🔥
https://therecord.media/cobalt-strike-abuse-microsoft-fortra-health-isac
Microsoft, Fortra get legal permission to counter Cobalt Strike abuse
The two companies, along with the Health-ISAC, have been granted the power to go after "malicious infrastructure" associated with abusive uses of the popular penetration testing software.
Dir2json
.NET utility that lists directory contents with attributes and saves them as a .json file. It can be executed from the command line or via Cobalt Strike's BOF.NET. A Json2csv.ps1 script is also included for easier querying
https://github.com/bitsadmin/dir2json
Cool writeup by Xusheng Li on using Binary Ninja for reverse engineering a Cobalt Strike dropper
(credits @vector35)
https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html
Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
https://github.com/FortyNorthSecurity/AutoFunkt
Freeze.rs
Freeze.rs is a payload toolkit, written in Rust, for bypassing EDRs using suspended processes and direct syscalls