
Cobalt Strike 4.8 User Guide - Section 6 - Payload Artifacts and Anti-virus Evasion

Fortra often answers questions about evasion. Will Cobalt Strike bypass anti-virus products? Which anti-virus products does it bypass? How often is this checked?

Cobalt Strike's default artifacts are caught by most endpoint security solutions. Although evasion is not a default goal of the Cobalt Strike product, Cobalt Strike does offer some flexibility.

As an operator, you can change the executables, DLLs, applets, and script templates that Cobalt Strike uses in its workflows. You can also export Cobalt Strike's Beacon payload in a variety of formats for use with third-party evasion tools.

This chapter focuses on the Cobalt Strike features that provide this flexibility.

#6.1 Artifact Kit

Cobalt Strike uses the Artifact Kit to generate its executables and DLLs. The Artifact Kit is part of the Arsenal Kit, which bundles a series of kits; the Artifact Kit itself is a source code framework for building executables and DLLs that evade certain antivirus products.

#6.1.1 Artifact Kit theory

Traditional antivirus products use signatures to identify known malicious code. If we embed known malicious shellcode into an executable, the antivirus product recognizes the shellcode and flags the executable as malicious.

To bypass this detection, attackers will often obfuscate the shellcode in some way and place it in a binary. This obfuscation defeats antivirus products that use a simple string search to identify malicious code.

Many antivirus products now go further: they run the executable in an emulated virtual sandbox. At each step of emulation, the antivirus product inspects the emulated process space for known bad behavior. If known bad behavior appears, the antivirus product flags the executable or DLL as malicious. This technique beats many encoders and packers that try to hide malicious code from signature-based antivirus products.

Cobalt Strike's answer is simple. Antivirus sandboxes have limits. They are not full virtual machines, and there are system behaviors an antivirus sandbox cannot emulate. The Artifact Kit is a collection of executable and DLL templates that depend on behaviors some antivirus products do not emulate, so the sandbox never sees the shellcode inside the binary run.

One of these techniques [see: src-common/bypass-pipe.c in the Artifact Kit] generates executables and DLLs that feed shellcode to themselves through a named pipe. If the antivirus sandbox cannot emulate a named pipe, it cannot observe this malicious shellcode.
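The named-pipe technique described above leaves a footprint that a sandbox may miss but host telemetry does not: the same process creates a pipe and then connects to it itself, almost immediately. The script below is an added detection example written for this guide, not code from Cobalt Strike or the Artifact Kit. It runs over constructed, simplified Sysmon-style events (Event ID 17 = pipe created, Event ID 18 = pipe connected; the field names follow Sysmon but the records and pipe names are invented placeholders) and flags a process outside the trusted program directories that connects to a pipe it created within a short window.

```python
import json
from datetime import datetime

# Constructed sample telemetry (invented for this example, not real logs).
# Simplified Sysmon-style JSON lines: EventID 17 = pipe created, 18 = pipe connected.
SAMPLE_LOG = r"""
{"EventID": 17, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "{guid-svc}", "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\example-service-pipe"}
{"EventID": 18, "UtcTime": "2024-01-01 10:00:01.000", "ProcessGuid": "{guid-cli}", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\example-service-pipe"}
{"EventID": 17, "UtcTime": "2024-01-01 10:05:00.000", "ProcessGuid": "{guid-dl}", "Image": "C:\\Users\\alice\\Downloads\\report.exe", "PipeName": "\\example-selfpipe"}
{"EventID": 18, "UtcTime": "2024-01-01 10:05:00.200", "ProcessGuid": "{guid-dl}", "Image": "C:\\Users\\alice\\Downloads\\report.exe", "PipeName": "\\example-selfpipe"}
{"EventID": 17, "UtcTime": "2024-01-01 10:06:00.000", "ProcessGuid": "{guid-ide}", "Image": "C:\\Program Files\\Editor\\editor.exe", "PipeName": "\\example-ide-pipe"}
{"EventID": 18, "UtcTime": "2024-01-01 10:06:00.100", "ProcessGuid": "{guid-ide}", "Image": "C:\\Program Files\\Editor\\editor.exe", "PipeName": "\\example-ide-pipe"}
"""

# Directories whose binaries we treat as trusted for this heuristic (assumption: tune per estate).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(log_text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def find_self_fed_pipes(events, window_seconds=5.0):
    """Flag processes that create a named pipe and connect to that same pipe themselves.

    A pipe created (ID 17) and connected (ID 18) by the same ProcessGuid within
    window_seconds, from an image outside TRUSTED_PREFIXES, is reported.
    Returns a list of alert dicts.
    """
    pending = {}  # (pipe name, process guid) -> creation event
    alerts = []
    for ev in sorted(events, key=_ts):
        key = (ev["PipeName"].lower(), ev["ProcessGuid"])
        if ev["EventID"] == 17:
            pending[key] = ev
        elif ev["EventID"] == 18 and key in pending:
            created = pending.pop(key)
            delta = (_ts(ev) - _ts(created)).total_seconds()
            image = ev["Image"]
            if delta <= window_seconds and not image.lower().startswith(TRUSTED_PREFIXES):
                alerts.append({"image": image, "pipe": ev["PipeName"], "seconds_after_create": delta})
    return alerts


if __name__ == "__main__":
    for a in find_self_fed_pipes(parse_events(SAMPLE_LOG)):
        print(f"self-fed pipe: {a['image']} -> {a['pipe']} "
              f"({a['seconds_after_create']:.3f}s after creation)")
```

On the sample data only the binary under Downloads is reported: the service pipe is connected by a different process, and the editor lives under a trusted directory. Plenty of legitimate software talks to its own pipes, so this is a triage signal to combine with file reputation and process ancestry, not a standalone verdict; the allow-list and the window are the two knobs to tune.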

#6.1.2 Where the Artifact Kit is ineffective

Of course, an antivirus product may defeat a particular Artifact Kit implementation. If the antivirus vendor writes a signature for the Artifact Kit technique you use, the executables and DLLs it creates will be caught. Cobalt Strike 2.5 and earlier versions were targeted this way. Over time, the default evasion technique in Cobalt Strike will gradually become ineffective. You can use one of the Artifact Kit techniques as a foundation to build your own Artifact Kit implementation.

But that is not enough. Some anti-virus products call back to the vendor's servers for cloud scanning to determine whether an executable or DLL is known good, or an unknown executable or DLL that has never been seen before. Some of these products automatically send unknown executables and DLLs to the vendor for further analysis and warn the user. Some products treat unknown executables or DLLs as malicious. It depends on the antivirus product and its settings.

Takeaway: no amount of obfuscation helps in this case. You are facing a different type of defense and need to address it accordingly. These cases are handled the same way as application whitelisting: find a known good program (e.g., PowerShell) and use it to inject your payload stager into memory.

#6.1.3 How to use the Artifact Kit

Click the Cobalt Strike menu Help -> Arsenal to download the Arsenal Kit (a Cobalt Strike license key is required). You can also visit the Arsenal URL directly: https://www.cobaltstrike.com/scripts


Fortra distributes the Arsenal Kit as a .tgz file. Use the tar command to extract it. The Arsenal Kit includes the Artifact Kit, which can be built together with the other kits or as a standalone kit. For information about building kits, see the Arsenal Kit README.md file.

We encourage you to modify the Artifact Kit and its techniques to meet your needs. While skilled C programmers can do more with the Artifact Kit, it is also very feasible for adventurous non-programmers.

#6.2 Veil Evasion Framework

Veil is a popular framework for generating executables that can bypass certain antivirus products. You can use Veil to generate an executable file for Cobalt Strike's payload.

Installation instructions: https://github.com/Veil-Framework/Veil

Steps:

1. Click Payloads -> Stager Payload Generator

2. Select a listener

3. Select Veil as the output type

4. Click Generate to generate payload and save the file


5. Launch the Veil Evasion Framework and select the technique you want to use.

6. Veil will ask about the shellcode generation option; select Custom.

7. Paste the contents of the payload file Cobalt Strike just generated.

8. Press Enter and you will get a new executable made by Veil.

$ ./Veil.py
Veil>: use Evasion                                    // use Evasion
Veil/Evasion>: use python/shellcode_inject/flat.py    // set the payload technique
.....

[python/shellcode_inject/flat>>]: generate            // start generation

 [?] Generate or supply custom shellcode?

     1 - Ordnance (default)
     2 - MSFVenom
     3 - Custom shellcode string
     4 - File with shellcode (\x41\x42..)
     5 - Binary file with shellcode

 [>] Please enter the number of your choice: 3        // choose Custom
 [>] Please enter custom shellcode (one line, no quotes, \x00.. format):    // paste the contents of the payload txt file here
 [>] Please enter the base name for output files (default is payload):      // press Enter

 [?] How would you like to create your payload executable?

     1 - PyInstaller (default)
     2 - Py2Exe

 [>] Please enter the number of your choice: 1        // choose how to build the payload executable

==============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [*] Language: python
 [*] Payload Module: python/shellcode_inject/flat
 [*] Executable written to: /var/lib/veil/output/compiled/payload.exe
 [*] Source code written to: /var/lib/veil/output/source/payload.py

#6.3 Java Applet Attack

Fortra distributes the source code for Cobalt Strike's Applet Attacks as the Applet Kit. It is also available in the Cobalt Strike Arsenal: download the Applet Kit via Help -> Arsenal.

Use the included build.sh script to build the Applet Kit on Kali Linux. Many Cobalt Strike customers take advantage of this flexibility by signing Cobalt Strike's Java applet attack with a code signing certificate they purchased. This practice is highly recommended.

To make Cobalt Strike use your Applet Kit instead of the built-in one, load the applet.cna script included with the Applet Kit.

On the Cobalt Strike Arsenal page, you will also notice the Power Applet (a small PowerShell applet). This is an alternative implementation of Cobalt Strike's Java applet attack that uses PowerShell to inject a payload into memory. The Power Applet demonstrates the flexibility you have to rebuild one of Cobalt Strike's standard attacks with a completely different approach and use it within Cobalt Strike's workflows. Load the applet.cna script included with the Power Applet to make Cobalt Strike use it instead of the built-in kit.

#6.4 Resource Kit

The Resource Kit is Cobalt Strike's means of changing the HTA, PowerShell, Python, VBA, and VBS script templates it uses in its workflows. The Resource Kit is part of the Cobalt Strike Arsenal; download it via Help -> Arsenal.

The Resource Kit's README.md documents the scripts it includes and the features that use them. To evade antivirus products, consider changing the strings or behaviors in these scripts.

To make Cobalt Strike use your script templates instead of the built-in ones, load the dist/arsenal_kit.cna or dist/resource/resources.cna script. For more information, see the Arsenal Kit README.md file.

#6.5 Sleep Mask Kit

The Sleep Mask Kit is the source code for the sleep mask function, which runs before Beacon goes to sleep to mask Beacon itself and related memory (e.g., heap memory). It is used to evade detection of the .text/.data sections in memory. Download it via Help -> Arsenal; the Arsenal Kit includes the Sleep Mask Kit.

For more information about the Sleep Mask Kit, see the arsenal-kit/README.md and arsenal-kit/kits/sleepmask/README.md files.

#Notes

This article was compiled by the author from the original text of the official Cobalt Strike user guide (https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm). If you reprint it, please credit the source.