search
githubEdit

Windows Executable

hashtag
Windows Executable

hashtag
This package generates a Windows executable artifact that delivers a payload stager.

hashtag
Navigate to Payloads -> Windows Stager Payload.

hashtag
This package provides the following output options:

hashtag
Parameters

hashtag
1) Listener

  • Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

hashtag
2) Output

  • Use the drop-down to select one of the following output types. *

    1. Windows EXE: A Windows executable

      1. Windows Service EXE: A Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit Framework’s PsExec modules.

      1. Windows DLL: A Windows DLL that exports a StartW function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line. (rundll32 MALICIOUS.dll,StartW)

hashtag
3) x64

  • Check the box to generate x64 artifacts that pair with an x64 stager. By default, this dialog exports x64 payload stagers.

hashtag
4) sign

    • Check the box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

hashtag
Press Generate to create a payload stager artifact.

hashtag
Cobalt Strike uses its Artifact Kit to generate this output.

hashtag
Windows Executable (Stageless)

hashtag
This package exports Beacon, without a stager, as an executable, service executable, 32-bit DLL, or 64-bit DLL. A payload artifact that does not use a stager is called a stageless artifact. This package also has a PowerShell option to export Beacon as a PowerShell script and a raw option to export Beacon as a blob of position independent code.

hashtag
Navigate to Payloads -> Windows Stageless Payload.

hashtag
This package provides the following output options:

hashtag
Parameters

hashtag
1) Listener

  • Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

hashtag
2) Guardrails

    • If your listener has been configured with gauardrails, the value is displayed as the default. Use the ... button to override the settings for the beacon.

hashtag
3) Output

  • Use the drop-down to select one of the following output types

    1. PowerShell: A PowerShell script that injects a stageless Beacon into memory.

    1. Raw: A blob of position independent code that contains Beacon.

    1. Windows EXE: A Windows executable.

    1. Windows Service EXE: A Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit Framework's PsExec modules.

    1. Windows DLL: A Windows DLL that exports a StartW function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line. (rundll32 MALICIOUS.dll,StartW)

hashtag
4) Exit Function

  • This function determines the method/behavior that Beacon uses when the exit command is executed.

1) Process: Terminates the whole process

2) Thread: Terminates only the current thread

hashtag
5) System Call

  • Select one of the following system call methods to use at execution time when generating a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function:

    1. None: Use the standard Windows API function

    1. Direct: Use the Nt* version of the function

    1. Indirect: Jump to the appropriate instruction within the Nt* version of the function

hashtag
6) HTTP Library

  • Select the Microsoft library (WinINet or WinHTTP) for the generated payload.

hashtag
7) x64

  • Check the box to generate an x64 artifact that contains an x64 payload. By default, this dialog exports x64 payloads.

hashtag
8) sign

  • Check the box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

hashtag
Press Generate to create a stageless artifact.

hashtag
Cobalt Strike uses its Artifact Kit to generate this output.

hashtag
Windows Executable (Stageless) Variants

hashtag
This option generates all of the stageless payloads (in x86 and x64) for all of the configured listeners.

hashtag
Navigate to Payloads -> Windows Stageless Generate All Payloads.

hashtag
Parameters

hashtag
1) Folder

  • Press the folder button to select a location to save the listener(s).

hashtag
2) System Call

  • Select one of the following system call methods to use at execution time when generating a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function:

    1. None: Use the standard Windows API function

    1. Direct: Use the Nt* version of the function

    1. Indirect: Jump to the appropriate instruction within the Nt* version of the function

hashtag
3) HTTP Library

  • Select the Microsoft library (WinINet or WinHTTP) for the generated payload.

hashtag
4) sign

  • Check the box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

hashtag
Press Generate to create a stageless artifact.

PreviousCobalt Strike Web ServicesNextUser-driven Attack Packages

Last updated