Skip to content
/ CobaltStrike-YARA-Bypass-f0b627fc Public

Repository of scripts from my blog post on bypassing the YARA rule Windows_Trojan_CobaltStrike_f0b627fc by generating alternative shellcode sequences.

wafflesexploits.github.io/posts/Bypass-YARA-Rule-Windows_Trojan_CobaltStrike_f0b627fc-to-Evade-EDRs/

License

Apache-2.0 license
27 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

WafflesExploits/CobaltStrike-YARA-Bypass-f0b627fc

BranchesTags

Repository files navigation

Repository of scripts from my blog post

The blog post teaches how to bypass the YARA rule Windows_Trojan_CobaltStrike_f0b627fc.

random_replace_bytes.py - Made by me

-> Generates alternative shellcode sequences with NOPs bytes to replace signature bytes in Cobalt Strike's .bin file, bypassing the YARA rule Windows_Trojan_CobaltStrike_f0b627fc.

Usage Example

generate_rich_header.py - Made by White Knight Labs with minor improvements by me

-> Generates Rich header with junk assembly code.

rich header usage example

generate_prepend_headers.py - Made by White Knight Labs with minor improvements by me

-> Generates prepend headers with random NOP assembly code.

prepend header usage example

About

Repository of scripts from my blog post on bypassing the YARA rule Windows_Trojan_CobaltStrike_f0b627fc by generating alternative shellcode sequences.

wafflesexploits.github.io/posts/Bypass-YARA-Rule-Windows_Trojan_CobaltStrike_f0b627fc-to-Evade-EDRs/

Topics

python cobalt-strike yara-rules automatization edr-bypass edr-evasion

Resources

Readme

License

Apache-2.0 license
Activity

Stars

27 stars

Watchers

1 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages