Cobalt-Strike/Attacks/Packages/Windows-Executable

From aldeid
Jump to navigation Jump to search
You are here
Executable / Executable (S)

Attack

Description

Executable
This package generates a Windows executable artifact that delivers a payload stager. This package gives you several output options.
Executable (S)
S = Stageless
This package exports Beacon, without a stager, as an executable, service executable, 32-bit DLL, or 64-bit DLL.
A payload artifact that does not use a stager is called a stageless artifact. This package also has a PowerShell option to export Beacon as a PowerShell script and a raw option to export Beacon as a blob of position independent code.

Options

Output
  • Windows EXE is a Windows executable.
  • Windows Service EXE is a Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit Framework’s PsExec modules.
  • Windows DLL (32-bit) is an x86 Windows DLL.
  • Windows DLL (64-bit) is an x64 Windows DLL. This DLL will spawn a 32-bit process and migrate your listener to it. Both DLL options export a Start function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line.
rundll32 foo.dll,Start
x64
Check the Use x64 payload box to generate x64 artifacts that pair with an x64 stager.
Sign
Check the Sign executable file box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.