BOFMask
BOFMask is a tool designed to conceal Cobalt Strike's Beacon payload while executing a Beacon Object File (BOF). By applying an XOR mask and modifying memory protection settings, BOFMask enables users to execute BOFs without exposing Beacon, thereby avoiding detection by EDR products that scan system memory.
Research:
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Source:
https://github.com/xforcered/bofmask
Security Intelligence
Your BOFs are gross, put on a mask: How to hide beacon during BOF execution
Explore a simple technique developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon.
Winsocket implementation for Cobalt Strike. Used to communicate with the victim using winsockets instead of the traditional ways.
https://github.com/WKL-Sec/Winsocky/
Run BOFs written for Cobalt Strike in Brute Ratel C4
https://blog.nviso.eu/2023/07/17/introducing-cs2br-pt-ii-one-tool-to-port-them-all/
https://github.com/NVISOsecurity/cs2br-bof
NVISO Labs
Introducing CS2BR pt. II – One tool to port them all
Introduction In the previous post of this series we showed why Brute Ratel C4 (BRC4) isn’t able to execute most BOFs that use the de-facto BOF API standard by Cobalt Strike (CS): BRC4 impleme…
https://github.com/Octoberfest7/CVE-2023-36874_BOF
Weaponized CobaltStrike BOF for CVE-2023-36874 Windows Error Reporting LPE
Cobalt Strike 4.9: Take Me To Your Loader
https://www.cobaltstrike.com/blog/cobalt-strike-49-take-me-to-your-loader
Cobalt Strike
Cobalt Strike 4.9 is live, with post-ex support for UDRLs, the ability to export Beacon without a loader, support for callbacks and more.
Taking a quick look at the new Aggressor callbacks in Cobalt Strike 4.9.
https://rastamouse.me/cobalt-strike-aggressor-callbacks/
BOFRyptor: Encrypting your Beacon during BOF execution to avoid memory scanners
https://github.com/securifybv/BOFRyptor
Create Reflective DLL for Cobalt Strike with GOLANG
https://sokarepo.github.io//redteam/2023/10/11/create-reflective-dll-for-cobaltstrike.html
sokarepo
Creating Object File Monstrosities with Sleep Mask and LLVM
The Mutator kit is now part of the Cobalt Strike Arsenal Kit. It allows you to mutate BOFs, sleep masks and more with LLVM.
🔗 https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm
Cobalt Strike
Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM
This blog introduces the mutator kit, which uses an LLVM obfuscator to break in-memory YARA scanning of the sleep mask.
Injecting Malicious Code into PDF Files and PDF Dropper Creation
https://cti.monster/blog/2024/07/25/pdfdropper.html
0x6rss
DojoLoader — Generic PE Loader for Prototyping Evasion Techniques
This is a versatile PE loader designed for prototyping evasion techniques. It supports downloading and executing encrypted shellcode, dynamic IAT hooking, and three Sleep obfuscation methods. Ideal for use with UDRL-less Beacon payloads from Cobalt Strike.
Blog Post:
https://www.naksyn.com/cobalt%20strike/2024/07/02/raising-beacons-without-UDRLs-teaching-how-to-sleep.html
Source:
https://github.com/naksyn/DojoLoader
#cobaltstrike #udrl #memory #evasion
Naksyn’s blog
Raising Beacons without UDRLs and Teaching them How to Sleep
UDRLs and prepended loaders aren’t the only way to execute a raw payload and get a direct hooking in place. In the case of Cobalt Strike, a generic PE loader can be tweaked to execute an UDRL-less Beacon and get direct hooking for an easier prototyping of…