Freeze.rs
Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes and direct syscalls, written in Rust.
A little BOF that enumerates the protection level of a PP/PPL process.
https://github.com/rasta-mouse/PPEnum
A Cobalt Strike profile that was modified to bypass CrowdStrike & Sophos without encrypting the shellcode. It also bypassed all published YARA rules, sleep detections, and string detections around a CS beacon.
Blog: https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/
Hidden Desktop BOF
HVNC for Cobalt Strike (Hidden Desktop) is a tool that allows operators to interact with a remote desktop session without the user knowing. The VNC protocol is not involved, but the result is a similar experience.
DropSpawn
BOF for creating beacons using DLL Application Directory Hijacking
arsenal-kit20230315.zip
Cobalt Strike Artifact Kit - 15 March 2023
It was provided by a user as is, we take no responsibility.
Thanks again for the share from anonymous user :)
EDIT: A user notified that this is a repack of the official, so please pay attention, even if it's all just source code.
SharpTerminator is a C# port of ZeroMemoryEx's art piece called Terminator. It can be used with Cobalt Strike's execute-assembly or as a standalone executable to terminate AV/EDR processes.
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
EclecticIQ researchers identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities.
Reviewed, modified RunCoff arguments.
Added cleanup for beacon compatibility failure, and ran a code beautifier on the C#.
https://github.com/trustedsec/CS_COFFLoader
BOFMask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying an XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
Your BOFs are gross, put on a mask: How to hide beacon during BOF execution
Explore a simple technique developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon.
Winsock implementation for Cobalt Strike, used to communicate with the victim host over Winsock instead of the traditional channels.
https://github.com/WKL-Sec/Winsocky/
Run BOFs written for Cobalt Strike in Brute Ratel C4
https://blog.nviso.eu/2023/07/17/introducing-cs2br-pt-ii-one-tool-to-port-them-all/
https://github.com/NVISOsecurity/cs2br-bof
Introducing CS2BR pt. II – One tool to port them all
https://github.com/Octoberfest7/CVE-2023-36874_BOF
Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE
Cobalt Strike 4.9: Take Me To Your Loader
https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
Cobalt Strike 4.9 is live, with post-ex support for UDRLs, the ability to export Beacon without a loader, support for callbacks and more.