返回 Skill 列表
extension
分类: 其它无需 API Key

cobaltstrike

熟练部署与安全配置 Cobalt Strike C2,定制 Malleable C2 配置文件,高级后期渗透、杀软绕过、横向移动及 Aggressor 脚本。

person作者: named1esshubclawhub

Here is a professionally structured skill.md for Cobalt Strike, tailored to your background in Windows reverse engineering and security research.

Cobalt Strike Core Competencies (skill.md)

  1. Architecture & Command & Control (C2) Infrastructure Setup: Deploying and securing the Teamserver on Linux instances using customized ports and valid SSL certificates.

Malleable C2 Profiles: Expertly configuring .profile files to modify Beacon's network traffic patterns, successfully impersonating legitimate services (e.g., Cloudflare, jQuery, or Amazon) to evade Deep Packet Inspection (DPI) and EDR heuristics.

Beacon Communication: Deep understanding of egress protocols including HTTP/HTTPS, DNS (A/TXT records), and staged vs. stageless payloads.

  1. Advanced Post-Exploitation Process Injection: Leveraging Windows API knowledge to customize process injection techniques (e.g., CreateRemoteThread, NtCreateThreadEx) for better OpSec.

Memory Analysis: Using obfuscate-and-sleep and cleanup settings to minimize the Beacon's footprint in memory and bypass scanners like Moneta or PE-Sieve.

Privilege Escalation: Utilizing built-in modules (elevate) and integrating custom Aggressor Scripts to exploit local vulnerabilities (LPE).

  1. Defensive Evasion & Antivirus (AV) Bypass Artifact Kit Customization: Modifying the C source code of the Artifact Kit to bypass signature-based detection by altering the way the Beacon is loaded into memory.

Shellcode Obfuscation: Applying encryption and encoding techniques (XOR, AES, or custom ROR/ROL rotations) to raw shellcode before delivery.

User-Defined Reflective Loader (UDRL): Implementing custom reflective loaders to gain control over how the Beacon DLL is mapped into memory, a critical skill for bypassing modern EDR memory hooks.

  1. Lateral Movement & Pivoting Credential Harvesting: Executing hashdump and logonpasswords via Mimikatz integration while managing risk through selective memory access.

Pivoting: Establishing multi-hop C2 chains using SMB and TCP Beacons to navigate through isolated network segments (intranets) without direct internet access.

SOCKS Proxying: Setting up reverse SOCKS proxies to tunnel external tools (like Proxychains or Impacket) through the Beacon.

  1. Automation with Aggressor Script (CNA) UI Customization: Extending the Cobalt Strike GUI by adding custom popup menus and aliases for frequently used terminal commands.

Event Hooks: Scripting automated actions upon new Beacon check-ins, such as automatic system reconnaissance or persistent backdoor installation.

Bof Integration: Developing and executing Beacon Object Files (BOF)—small, C-compiled programs that run inside the Beacon process without spawning a new process (sacrificial process), significantly reducing the chance of detection.