Forwarded from Pwn3rzs
arsenal-kit20230315.zip
3 MB
Cobalt Strike Artifact Kit - 15 March 2023
It was provided by a user as is, we take no responsibility.
Thanks again for the share from anonymous user :)
EDIT: A user notified that this is a repack of the official, so please pay attention, even if it's all just source code.
SharpTerminator is a C# port of ZeroMemoryEx's art piece called Terminator. It can be used with Cobalt Strike's execute-assembly or as a standalone executable to terminate AV/EDR processes.
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
Eclecticiq
Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure
EclecticIQ researchers identified a malicious web server very likely operated by a Chinese threat actor used to target Taiwanese government entities.
Reviewed, Modified RunCoff arguments.
Added cleanup for beacon compatibility failure, and ran code beautifier on the C#
https://github.com/trustedsec/CS_COFFLoader
BOFMask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying an XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
Security Intelligence
Your BOFs are gross, put on a mask: How to hide beacon during BOF execution
Explore a simple technique developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon.
Winsocket implementation for Cobalt Strike. Used to communicate with the victim using winsockets instead of the traditional ways.
https://github.com/WKL-Sec/Winsocky/
Run BOFs written for Cobalt Strike in Brute Ratel C4
https://blog.nviso.eu/2023/07/17/introducing-cs2br-pt-ii-one-tool-to-port-them-all/
https://github.com/NVISOsecurity/cs2br-bof
NVISO Labs
Introducing CS2BR pt. II – One tool to port them all
Introduction In the previous post of this series we showed why Brute Ratel C4 (BRC4) isn’t able to execute most BOFs that use the de-facto BOF API standard by Cobalt Strike (CS): BRC4 impleme…
https://github.com/Octoberfest7/CVE-2023-36874_BOF
Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE
Cobalt Strike 4.9: Take Me To Your Loader
https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
Cobalt Strike
Cobalt Strike 4.9: Take Me To Your Loader | Cobalt Strike
Cobalt Strike 4.9 is live, with post-ex support for UDRLs, the ability to export Beacon without a loader, support for callbacks and more.
Taking a quick look at the new Aggressor callbacks in Cobalt Strike 4.9.
https://rastamouse.me/cobalt-strike-aggressor-callbacks/
BOFRYPTOR: ENCRYPTING YOUR BEACON DURING BOF EXECUTION TO AVOID MEMORY SCANNERS
https://github.com/securifybv/BOFRyptor
Create Reflective DLL for Cobalt Strike with GOLANG
https://sokarepo.github.io//redteam/2023/10/11/create-reflective-dll-for-cobaltstrike.html
Creating Object File Monstrosities with Sleep Mask and LLVM
The Mutator kit is now part of the Cobalt Strike Arsenal Kit. It allows you to mutate BOFs, sleep masks and more with LLVM.
🔗 https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
Cobalt Strike
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM
This blog introduces the mutator kit, which uses an LLVM obfuscator to break in-memory YARA scanning of the sleep mask.