A collection of random small Aggressor snippets that don't warrant their own repo
https://github.com/Octoberfest7/aggressor_snippets
Microsoft and Fortra crack down on malicious Cobalt Strike servers 🔥
https://therecord.media/cobalt-strike-abuse-microsoft-fortra-health-isac
Microsoft, Fortra get legal permission to counter Cobalt Strike abuse
The two companies, along with the Health-ISAC, have been granted the power to go after "malicious infrastructure" associated with abusive uses of the popular penetration testing software.
Dir2json
.NET utility that lists directory contents with attributes and saves them as a .json file. It can be executed from the command line or via Cobalt Strike's BOF.NET. A Json2csv.ps1 script is also available for easier querying.
https://github.com/bitsadmin/dir2json
Cool writeup by Xusheng Li on using Binary Ninja for reverse engineering a Cobalt Strike dropper
(credits @vector35)
https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html
Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
https://github.com/FortyNorthSecurity/AutoFunkt
Freeze.rs
Freeze.rs is a payload toolkit, written in Rust, for bypassing EDRs using suspended processes and direct syscalls.
A little BOF that enumerates the protection level of a PP/PPL process.
https://github.com/rasta-mouse/PPEnum
Modified a Cobalt Strike profile and bypassed CrowdStrike & Sophos without encrypting the shellcode. Also bypassed all published YARA rules, sleep detections, and string detections around a CS Beacon.
Blog: https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/
Hidden Desktop BOF
HVNC for Cobalt Strike (Hidden Desktop) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience.
DropSpawn
BOF for spawning Beacons using DLL Application Directory Hijacking
Forwarded from Pwn3rzs
arsenal-kit20230315.zip
3 MB
Cobalt Strike Artifact Kit - 15 March 2023
It was provided by a user as is, we take no responsibility.
Thanks again for the share from an anonymous user :)
EDIT: A user notified us that this is a repack of the official one, so please pay attention, even if it's all just source code.
SharpTerminator is a C# port of ZeroMemoryEx's art piece called Terminator. It can be used with Cobalt Strike's execute-assembly or as a standalone executable to terminate AV/EDR processes.
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
EclecticIQ researchers identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities.
Reviewed and modified RunCoff arguments.
Added cleanup for Beacon compatibility failure, and ran a code beautifier on the C#.
https://github.com/trustedsec/CS_COFFLoader
BOFMask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying a XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
Winsocket implementation for Cobalt Strike. Used to communicate with the victim using winsockets instead of the traditional ways.
https://github.com/WKL-Sec/Winsocky/