Added BeaconGate Option - CS 4.10

Open 0xflagplz opened this issue 1 year ago • 1 comments

Added default beacon-gate option for Cobalt Strike 4.10

stage.beacon_gate

stage { beacon_gate { All; } }

  • Default/None specified - None;
  • All Generic beacon gate options allowed
  • API Specification Allowed, Example: -BeaconGate UnmapViewOfFile,VirtualAlloc,etc

Mistyped APIs will be removed - this will not cancel profile generation

Modified Readme

Context - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-gate.htm?cshid=1007

0xflagplz avatar Aug 29 '24 16:08 0xflagplz

I'll take a look at this.

Tylous avatar Dec 03 '24 17:12 Tylous

Added additional commit for CS Version 4.11 which implemented

  • stage.set eaf_bypass bool
  • stage.set rdll_use_syscalls bool
  • stage.copy_pe_header bool
  • stage.rdll_loader string (PrependLoader || StompLoader)
  • stage.transform-obfuscate {}

Each parameter can now be added to configuration file as such:

    EafBypass: True
    RdllUseSyscalls: True
    CopyPEHeader: True
    RdllLoader: "PrependLoader"
    TransformObfuscate: "lznt1,xor "32"" # Can make this as long and complex as your heart desires

ref- https://www.cobaltstrike.com/blog/cobalt-strike-411-shh-beacon-is-sleeping

Additional parameters are now configurable for stage {} generation:

    SmartInject: bool
    SleepMask: bool

0xflagplz avatar Apr 11 '25 18:04 0xflagplz

This looks great. You got one error, which I will fix on my side as I add some new things as well.

Otherwise, great work.

Tylous avatar Apr 16 '25 14:04 Tylous