Resource Kit

C:\Tools\cobaltstrike\arsenal-kit\kits\resource

The portion catched by ThreatCheck is the for loop, but HelpSystems have already provided a template with different variable names (template.x64.ps1). This will bypass Defender as it is, so we don't actually need to modify it. As with Artifact Kit, we have to use the included build script and specify an output directory, then load resources.cna into Cobalt Strike.

Then we regenerate all the payloads and we can test them:

C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\http_x64.ps1 -e AMSI

PreviousArtifact Kit NextBehavioural Detections

Last updated 1 year ago