0x01 Environment introduction
This AV-evasion walkthrough uses the shellcode-separation evasion technique (the loader and the shellcode are kept apart rather than shipped as one static binary).
cobaltstrike4.3 client: Windows10 Professional Edition
cobaltstrike4.3 server: own VPS
CS version: 4.3
Language: Golang. The plug-in must be installed in a local Go environment, because the Go compiler is invoked when the Trojan is generated.
For downloading and using cobaltstrike4.3, see the previous article. CSDN probably won't allow posting cracked software, so I'm posting links to my own site instead:
http://www.digter8.com/391.html CS 4.3 download
http://www.digter8.com/394.html CS 4.3 tutorial
Plug-in project address:
https://github.com/hack2fun/BypassAV
0x02 Plug-in deployment
With a Go environment available, download the .cna plug-in file directly from the author's project, then open CS -> Cobalt Strike -> Script Manager and import the plug-in.
Once it is loaded, generate the exe Trojan by selecting Attacks -> BypassAV instead of the usual Packages menu.
0x03 Test results
Select the listener that has already been set up and generate the exe. The 32-bit test sample got past both Tencent PC Manager and 360; the 64-bit sample got past Tencent PC Manager but not 360.
360 flagged nothing in either its static scan or on dynamic execution.
The same goes for Tencent PC Manager.
Results from the online scanning platform virscan: 6% of anti-virus engines (3/50) reported a virus.
None of the domestic AV products flagged it.
0x04 Summary
As a newcomer to AV evasion, I'm recording what I've learned. There are still many other evasion approaches, such as network-traffic evasion, anti-reversing countermeasures, threat intelligence, etc., so there is still a long way to go. Also note that in a real environment, a reverse-connecting Trojan like this has to get past traffic-inspection devices in addition to endpoint defenses. Vendors' devices are currently able to detect CS traffic from versions 3.14 and 4.0 (other versions have not been tested). However, if the characteristics of CS traffic are modified, detection can still be avoided.