Anti-virus Evasion
Anti-virus evasion is a problem every penetration tester has to deal with. Any file that touches disk or loads in a browser is an opportunity for anti-virus to catch you.
Parts of Cobalt Strike's workflow use the Metasploit® Framework. The artifacts the Metasploit® Framework generates are well known to most anti-virus products, and they will get caught.
While Cobalt Strike does not defeat anti-virus products for you, it does meet you halfway. Through Cortana, Cobalt Strike's scripting technology, you may hook your own anti-virus safe artifacts into Cobalt Strike's workflow.
For licensed users, Strategic Cyber maintains the Cobalt Strike arsenal. The arsenal contains source code and build files to artifacts that you may hook into Cobalt Strike. Cortana scripts are provided to integrate these artifacts into Cobalt Strike's workflow.
Unmodified, the arsenal capabilities will get past some anti-virus products, but this is not guaranteed. To defeat a specific anti-virus product, install it in a virtual machine, test your attack against it, and modify the attack's artifacts until the attack passes. Keep that test install at the same version and signature level as the target's, and test locally rather than with online multi-engine scanners, which share submitted samples with vendors.
Currently, the arsenal contains:
Applet Kit - Cobalt Strike's Java Injector, the Java Signed Applet attack, and Smart Applet attacks. You may modify the injector payload, sign an applet with your own certificate, or add new exploits to the smart applet attack. The supplied Cortana script integrates your modifications into the auto-exploit server and the Java attacks under the Attacks -> Web Drive-by menu.
Topaz - Topaz is a script to help bypass anti-virus when using Cobalt Strike's psexec and psexec (token) options. Topaz will generate shellcode and embed it into an anti-virus bypass executable for you.
Licensed Cobalt Strike users may access the arsenal through Help -> Arsenal.
