mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
GitBook: [#3406] No subject
This commit is contained in:
parent
ab5f3e9c47
commit
dc36b843f4
2 changed files with 34 additions and 0 deletions
|
@ -171,3 +171,33 @@ beacon> socks 1080
|
||||||
|
|
||||||
# SSH connection
|
# SSH connection
|
||||||
beacon> ssh 10.10.17.12:22 username password</code></pre>
|
beacon> ssh 10.10.17.12:22 username password</code></pre>
|
||||||
|
|
||||||
|
## Avoiding AVs
|
||||||
|
|
||||||
|
### Artifact Kit
|
||||||
|
|
||||||
|
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
|
||||||
|
|
||||||
|
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
|
||||||
|
|
||||||
|
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
|
||||||
|
|
||||||
|
```
|
||||||
|
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
|
||||||
|
```
|
||||||
|
|
||||||
|
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
|
||||||
|
|
||||||
|
### Resource Kit
|
||||||
|
|
||||||
|
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
|
||||||
|
|
||||||
|
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
|
||||||
|
|
||||||
|
```
|
||||||
|
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
|
||||||
|
```
|
||||||
|
|
||||||
|
Modifying the detected lines one can generate a template that won't be caught.
|
||||||
|
|
||||||
|
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
|
||||||
|
|
|
@ -191,6 +191,10 @@ Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
|
||||||
|
|
||||||
### AMSI bypass
|
### AMSI bypass
|
||||||
|
|
||||||
|
 ** `amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything.
|
||||||
|
|
||||||
|
Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**.
|
||||||
|
|
||||||
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)****
|
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)****
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|
Loading…
Reference in a new issue