Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3406] No subject

Browse source
This commit is contained in:
CPol 2022-08-18 22:59:20 +00:00 committed by gitbook-bot
parent ab5f3e9c47
commit dc36b843f4
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
c2/cobalt-strike.md
View file

@ -171,3 +171,33 @@ beacon> socks 1080
# SSH connection # SSH connection
beacon> ssh 10.10.17.12:22 username password</code></pre> beacon> ssh 10.10.17.12:22 username password</code></pre>
## Avoiding AVs
### Artifact Kit
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
```
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
```
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
### Resource Kit
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
```
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
```
Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.

4
windows-hardening/basic-powershell-for-pentesters/README.md
View file

@ -191,6 +191,10 @@ Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
### AMSI bypass ### AMSI bypass
&#x20;** `amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything.
Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**.
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)**** **AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)****
```bash ```bash