Помощь EDR

triboulet · 05.09.2025

I'm getting very annoyed now..

I land beacon via phishing and everytime after 2-3 min EDR kills it... I'm using cobalt strike.
Any hint / tip guys appreciate it. I am using indirect syscalls with lnk execution
----------------------------
Меня это уже очень раздражает..
.Я запускаю маяк через фишинг, и каждый раз через 2-3 минуты EDR его убивает... Использую Cobalt Strike.
Буду благодарен за любые подсказки/советы. Я использую косвенные системные вызовы с выполнением LNK.

ice0 · 06.09.2025

im thinking u should just change method, coba is mostly tool for post exploitation, kinda bad idea to land coba beacon firstly...

triboulet · 06.09.2025

ice0 сказал(а):

im thinking u should just change method, coba is mostly tool for post exploitation, kinda bad idea to land coba beacon firstly...

what do you suggest I drop first? just proxy and get NTLM of current user?

ice0 · 06.09.2025

triboulet сказал(а):

what do you suggest I drop first? just proxy and get NTLM of current user?

yep, proxy and then go on, depends on the target actually.
but landing smth like coba firstly as i said its not good, christmas tree for edrs

triboulet · 06.09.2025

ice0 сказал(а):

yep, proxy and then go on, depends on the target actually.
but landing smth like coba firstly as i said its not good, christmas tree for edrs

ok bro ty, i will drop chisel and hopefully this time will not get kicked out of environment.

Bork · 21.09.2025

You need any other C2 that works via DNS.

tenac1ous · 22.09.2025

triboulet сказал(а):

I'm getting very annoyed now..

I land beacon via phishing and everytime after 2-3 min EDR kills it... I'm using cobalt strike.
Any hint / tip guys appreciate it. I am using indirect syscalls with lnk execution
----------------------------
Меня это уже очень раздражает..
.Я запускаю маяк через фишинг, и каждый раз через 2-3 минуты EDR его убивает... Использую Cobalt Strike.
Буду благодарен за любые подсказки/советы. Я использую косвенные системные вызовы с выполнением LNK.

You need to dig in into the beacon logic pretty deep and change it fundamentally to avoid detects/kills. I would suggest to stop using proprietary solutions and switch to opensource/selfwritten infrastructure. When it comes to a real attack - nothing comes more handy than a tools that do exactly what you are expecting of them doing.

Помощь EDR

triboulet

floppy-диск

ice0

RAID-массив

triboulet

floppy-диск

ice0

RAID-массив

triboulet

floppy-диск

Bork

RAID-массив

tenac1ous

Shellcode