C&C Cobalt Strike vs Windows Defender

[iHack]

Hello xss.
I've been trying for over a month to get past the Windows Defender EDR with no success. I've tried looking into the artifact kit, but I'm not good enough to modify it myself to get it past the defender. I'm not even sure what causes the triggers in the first place.
Tried working with the Sourcepoint C2 generator from github and changed some things like the URIs and other strings around and made sure to have the sleep mask and obfuscation enabled. No success there either.
I even purchased a crypter, but even crypted it still gets detected. This time it's not detected as cobalt strike but as a generic trojan wakatak. After this I tried using a public loader from github and encrypting the stub afterwards. This doesn't get detected, but it won't connect to the c2 either.
How do the pros do it? Or even the more successful skids for that mater. Is there no way for the average skid to make it bypass defender?

 

[ThorZirael]

Проблема в том, что Cobalt Strike изучается всеми антивирусами до ниточки и косточки собирая как можно больше сигнатур, из-за чего менять нужно в нем абсолютно все. Ты можешь закриптовать идеально пейлоад, но как только он будет запущен, антивирус по сетевому трафику может его обнаружить.

Даже если ты добьешься стабильной чистоты, то далее у тебя будут детектиться модули кобальта, к примеру как только ты включишь кейлогер то получишь детект. Еще антивирусы, особенно Windows Defender не любит когда какой либо процесс висит в System, т.е. с правами системы, поэтому если ты мигрируешь или пытаешься сидеть в системе, то ты можешь получать детекты только из-за этого.

 

[iHack]

Yes, I've noticed that even when the beacon is executed in an excluded folder, the second that i try to inject another process or escalate privs, it gets caught by defender or the exploit for escalation gets stopped by AMSI. Though the last part I've managed to fix.
Now, yes, I imagine that most of it is signatured to oblivion and needs to be changed. What perplexes me is how people are still able to use it effectively. I'm not even talking about people with the skills to re-write all functions in the bypass pipe/artifact kit. I'm pretty sure skids on my level use it successfully and I feel i'm missing something but at the same time I can't find it, lol.

 

[bulbazar]

Hello,
To have a good result with your cobalt beacon you need at least a custom UDRL, a custom sleep mask and a custom malleable profile. So study the artifact kit, you have a lot of examples on github
Your detections could be due to your beacon's built-in commands and interactive mode. Everyone is using BOF to perform tasks and not using staged payloads.

There are articles like this that can help you https://www.cobaltstrike.com/blog/opsec-considerations-for-beacon-commands. or type cobaltstrike opsec on google

 

[0xNate]

Вы можете попробовать написать свой собственный loader. Я предлагаю вам изучить исправления AMSI, исправления ETW и обходные пути EDR, такие как Peruns-Fart или непрямые системные вызовы. Также попробуйте удалить обнаруженные строки с помощью strrep в профиле CS, и вы сможете добавить в шеллкод бесполезные коды операций, которые запутают AV. По крайней мере, у меня это работает с Defender, подключенным к облаку (к сожалению, не с EDR). Также, как только вы получите оболочку, я советую вам по возможности работать только с BOF.

 

[highwayw3]

You can try writing your own loader. I suggest you look into AMSI fixes, ETW fixes, and EDR workarounds like Peruns-Fart or indirect syscalls. Also try removing detected strings using strrep in the CS profile and you can add useless opcodes to the shellcode that will confuse AV. At least it works for me with Defender connected to the cloud (unfortunately not with EDR). Also, once you get the shell, I advise you to only work with BOF if possible.

indirect syscalls detectable these days because of return address checking and call stack unwinding
Cobalt strike has IOCs but theres plenty of ways around them

 

[0xNate]

indirect syscalls detectable these days because of return address checking and call stack unwinding
Cobalt strike has IOCs but theres plenty of ways around them

да, вы правы в отношении EDR, но косвенный системный вызов, похоже, все еще работает для защитника Windows.

 

[molotov477]

indirect syscalls detectable these days because of return address checking and call stack unwinding
Cobalt strike has IOCs but theres plenty of ways around them

On a side note, how did you get that post above you translated in english? Are you using an in browser translator or is that a forum function I do not know about?

 

[highwayw3]

On a side note, how did you get that post above you translated in english? Are you using an in browser translator or is that a forum function I do not know about?

install grammarly bro

 

[molotov477]

install grammarly bro

Ah, I might sound a bit paranoid but I'd rather not install a third party extension on my browser that uses online cloud engine to perform translations.

 

[DefaultDNS]

Проблема в том, что Cobalt Strike изучается всеми антивирусами до ниточки и косточки собирая как можно больше сигнатур, из-за чего менять нужно в нем абсолютно все. Ты можешь закриптовать идеально пейлоад, но как только он будет запущен, антивирус по сетевому трафику может его обнаружить.

Даже если ты добьешься стабильной чистоты, то далее у тебя будут детектиться модули кобальта, к примеру как только ты включишь кейлогер то получишь детект. Еще антивирусы, особенно Windows Defender не любит когда какой либо процесс висит в System, т.е. с правами системы, поэтому если ты мигрируешь или пытаешься сидеть в системе, то ты можешь получать детекты только из-за этого.

Про Malleable-C2-Profiles слышал что-то?

 

[Pen lab]

https://github.com/elastic/protecti...in/yara/rules/Windows_Trojan_CobaltStrike.yar обычно обойдя данное правило defender перестает выдавать детекты

 

[Sec13B]

Hello xss.
I've been trying for over a month to get past the Windows Defender EDR with no success. I've tried looking into the artifact kit, but I'm not good enough to modify it myself to get it past the defender. I'm not even sure what causes the triggers in the first place.
Tried working with the Sourcepoint C2 generator from github and changed some things like the URIs and other strings around and made sure to have the sleep mask and obfuscation enabled. No success there either.
I even purchased a crypter, but even crypted it still gets detected. This time it's not detected as cobalt strike but as a generic trojan wakatak. After this I tried using a public loader from github and encrypting the stub afterwards. This doesn't get detected, but it won't connect to the c2 either.
How do the pros do it? Or even the more successful skids for that mater. Is there no way for the average skid to make it bypass defender?

I have always same problem , make a shellcde beacon stageless , and try use new shellcode Generator or shellcode evasion , example i try payload generator CSSG - Cobalt Strike Shellcode Generator , but i dont know to compile .
be carefull at the nullbyte from shellcde beacon you make.


Its any option to have (\\192.168.1.114\ADMIN$\74c35f5.exe) crypted , to bypass av/erd
Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\msagent_e1) on 192.168.1.114 via Service Control Manager (\\192.168.1.114\ADMIN$\74c35f5.exe)