😴
gatari
  • πŸ‘‹root@gatari
  • πŸ”«Active Directory (Boxes)
    • Access Walkthrough
  • πŸ”΄Red Team
    • What is Windows Defender?
    • Post-Exploitation on Disk
    • Command and Control (C2)
      • Signatured by Default
      • Bring Your Own Loader
    • Creating A C2 Framework
      • Prototyping
      • Interfaces
      • Endpoints & Listeners
  • 🚩CTF Writeups
    • 🀑GCTF 2022
      • πŸͺ„ret2secret
      • 🀑login
    • 🀑LNC 2023
      • πŸ‘½Alien Portal
    • 🀑Gryphons Mini-CTF 2023
      • πŸ‘¨β€πŸ’»Web
        • πŸ₯ΆChill
        • πŸͺ Leaked Login
        • πŸͺCookie Monster
        • ✈️Traveller
        • 🀯Headers
      • ☠️Pwn
        • 🐱Netcat
        • πŸ‘¨β€πŸ’»Login
        • πŸ‘©β€πŸ’»Login 2
        • πŸ§‘β€πŸ’»Login 3
      • βͺReverse
        • πŸ”«Valorant Aimbot
        • 🀣WannaLaugh
        • πŸͺšHacksaw
        • 🀫Secret
        • ❓Command & ...POST?
        • πŸ’€Bruh
      • 🧠Sanity Check
        • πŸ‡¨πŸ‡³ζ—©δΈŠε₯½δΈ­ε›½
        • πŸͺ‘Needle in a Haystack(s)
      • πŸ“€Crypto
        • 🀦Ascee? Asskey?
  • πŸ“˜Reviews
    • 😭CRTO - Certified Red Team Operator
Powered by GitBook
On this page
  • Context
  • Dropping to Disk
  • Customization
  1. Red Team
  2. Command and Control (C2)

Signatured by Default

How to drop to disk part 2 :D

PreviousCommand and Control (C2)NextBring Your Own Loader

Last updated 1 year ago

Context

I will only be using 2 hosts for the rest of this blog (because I'm lazy) which is a Kali VM hosting the Cobalt Strike teamserver with the default malleable C2 profile, and my Windows 10 Host PC.

We will only have 1 listener over HTTP.

Dropping to Disk

The dropped payload is a Windows Stageless PE x64

As expected, the default cobalt beacon is also heavily signatured.

Customization

Instead of trying to patch the heavily signatured cobalt beacon to evade anti-virus, we're going to make our own custom dropper that will inject the cobalt beacon shellcode!

A well-made dropper with OPSEC considerations will likely evade static analysis.

πŸ”΄