From dc36b843f4c82f5d141e45a2ece13d1ff8a46094 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 18 Aug 2022 22:59:20 +0000 Subject: [PATCH] GitBook: [#3406] No subject --- c2/cobalt-strike.md | 30 +++++++++++++++++++ .../basic-powershell-for-pentesters/README.md | 4 +++ 2 files changed, 34 insertions(+) diff --git a/c2/cobalt-strike.md b/c2/cobalt-strike.md index 140ca5940..790f3b915 100644 --- a/c2/cobalt-strike.md +++ b/c2/cobalt-strike.md 
@@ -171,3 +171,33 @@ beacon> socks 1080 # SSH connection beacon> ssh 10.10.17.12:22 username password + +## Avoiding AVs + +### Artifact Kit + +Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons. + +Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary. + +After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`. + +``` +pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . +``` + +Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded. + +### Resource Kit + +The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA. + +Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it: + +``` +.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1 +``` + +Modifying the detected lines one can generate a template that won't be caught. + +Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded. diff --git a/windows-hardening/basic-powershell-for-pentesters/README.md b/windows-hardening/basic-powershell-for-pentesters/README.md index aede9ffb6..62d365e1b 100644 --- a/windows-hardening/basic-powershell-for-pentesters/README.md 
+++ b/windows-hardening/basic-powershell-for-pentesters/README.md @@ -191,6 +191,10 @@ Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk" ### AMSI bypass + ** `amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything. + +Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**. + **AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)**** ```bash
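Review bot: in the cobalt-strike.md hunk, both "Don't forget to load the aggressive script ..." sentences should read "Aggressor script" (the `.cna` files are Cobalt Strike Aggressor scripts, not "aggressive" scripts), and the Resource Kit sentence also has the typo "to luse the resources" for "to use the resources". Suggested wording for both places: "Don't forget to load the Aggressor script `dist-pipe\artifact.cna` so that Cobalt Strike uses the modified resources from disk instead of the built-in ones." The same hunk has a small mismatch between the prose and the command: the text says to copy `dist-pipe/` into `C:\Tools\cobaltstrike\ArtifactKit`, but the `pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .` command copies into the current directory, so either state that it must be run from that folder or give the destination explicitly. Finally, the two code fences (the `pscp` line and the `.\ThreatCheck.exe -e AMSI -f ...` line) carry no language tag while the rest of the page uses tagged fences such as ```bash; tagging them keeps the rendering consistent.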
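Review bot: in the README.md hunk the added paragraph opens with " ** `amsi.dll`** is" where the space between `**` and the backtick stops the bold from rendering in GitBook/markdown; it should be "**`amsi.dll`** is **loaded** into your process". The same paragraph is missing a word in "for any application interact with" (should be "for any application to interact with") and ends in a fragment, "Making it not detect anything.", which reads better merged into the previous sentence: "... you can change its behaviour by **overwriting instructions in memory** so that it no longer detects anything." The next line, "the goal of the AMSI bypasses you will are are to", has a duplicated word and a dropped verb; suggested: "Therefore, the goal of the AMSI bypasses you will see is to **overwrite the instructions of that DLL in memory to make the detection useless**."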