White Knight Labs, a leading provider of cybersecurity solutions, is proud to announce new work on EDR (Endpoint Detection and Response) evasion. In a recent blog post titled “Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion,” White Knight Labs explains what Cobalt Strike Malleable C2 profiles are and how they extend the versatility of the Cobalt Strike framework.
The article compares default and customized Malleable C2 profiles and walks through the individual profile options. By tuning these profiles, White Knight Labs shows how Red Team engagements can be made more effective and OPSEC (Operational Security) improved, because a customized profile is less likely to be detected than the stock one.
To assist the cybersecurity community, White Knight Labs has published all the scripts and final profiles used for the bypasses in its GitHub repository. This open-source approach lets security professionals develop and refine their own Malleable C2 profiles for evading EDR solutions and antivirus products.
With memory scanners such as BeaconEye and Hunt-Sleeping-Beacons growing more capable, White Knight Labs presents a technique to bypass them. Enabling the “sleep_mask” option makes Cobalt Strike XOR the beacon’s memory while the beacon sleeps, so these scanners no longer find it in its unmasked form between check-ins.
White Knight Labs also addresses static signature scanners. Enabling the “obfuscate” option removes most of the strings the beacon keeps in memory, which improves evasion. The article stresses, however, that removing strings alone is not sufficient: to get further, White Knight Labs builds with different compilers, such as Clang++ and GCC, so that the emitted code differs from what AV/EDR signatures were written against and bypasses them more reliably.
Furthermore, the article covers YARA rules, a commonly used detection mechanism. White Knight Labs presents techniques to evade them, including enabling the “sleep_mask” option, overriding the first bytes of the PE header with the “magic_mz_x64” option, and swapping in the Arsenal Kit’s Sleep Mask for stronger obfuscation than the stock one.
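The three options named above all live in a Malleable C2 profile. The fragment below is an added example written for this page; it is not the White Knight Labs profile from the repository, and the magic_mz values, the commented defaults and the extra stage settings (userwx, cleanup) are illustrative choices, not something the article prescribes.

```profile
# Added example: Malleable C2 fragment enabling the evasion options discussed above.
# Not the White Knight Labs profile; values are illustrative.

# Global option. Default is "false": Beacon sits unmasked in memory between
# check-ins, which is exactly what BeaconEye-style scanners look for.
# With "true", Beacon XORs its code and data before each sleep and unmasks
# only while it is active, so the masking covers sleep time, not check-ins.
set sleep_mask "true";

stage {
    # Default is "false". "true" obfuscates the Reflective DLL's import table,
    # overwrites unused header content and strips strings from the stage.
    set obfuscate "true";

    # Override the first bytes of the x64 stage, i.e. the MZ header that
    # simple YARA rules key on. The bytes must decode to valid x64
    # instructions that leave CPU state unchanged afterwards. "MZAR"
    # (pop r10 / push r10) is the documented default; substitute your own
    # balanced sequence to move away from the well-known value.
    set magic_mz_x64 "MZAR";
    # Same idea for x86 ("MZRE" is the documented default).
    set magic_mz_x86 "MZRE";

    # Not discussed in the article, but commonly set alongside the above:
    # allocate Beacon as RX instead of RWX, and free the loader after use.
    set userwx "false";
    set cleanup "true";
}
```

Validate any edited profile with the c2lint tool shipped with Cobalt Strike (`./c2lint your.profile`) before loading it on the team server; it rejects malformed magic_mz values and other profile errors. Two caveats a practitioner should keep in mind: sleep_mask only hides Beacon while it sleeps, so a scanner that catches it mid check-in still sees the clear image, and the stock sleep mask routine is itself a known artifact, which is why the article moves to the Arsenal Kit's Sleep Mask for stronger obfuscation.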
“We are thrilled to share our latest findings in EDR evasion techniques,” said Greg Hatcher, CEO of White Knight Labs. “At White Knight Labs, we are dedicated to staying at the forefront of cybersecurity innovation and equipping organizations with the tools and knowledge to protect their digital assets effectively. By harnessing the power of Cobalt Strike profiles, our clients can enhance their defensive capabilities and strengthen their overall security posture.”
For more information about White Knight Labs and its cutting-edge cybersecurity solutions, visit www.whiteknightlabs.com.
About White Knight Labs
White Knight Labs is a leading cybersecurity company specializing in providing state-of-the-art solutions to protect organizations from advanced cyber threats. With a team of experienced security experts, White Knight Labs offers a comprehensive range of services, including penetration testing, vulnerability assessments, incident response, and managed security services. Their innovative approach and deep expertise enable organizations to mitigate risks, secure their networks, and safeguard their critical assets.