Module 19 Flashcards

(54 cards)

1
Q

What is the primary goal of the Defence Evasion tactic [TA0005]?

A

Adversaries attempt to avoid detection throughout all phases of their operation.

2
Q

What is the main purpose of the Cobalt Strike Artifact Kit?

A

To modify the source code for compiled payload templates (.exe, .dll, .svc.exe) to evade anti-virus signatures.

3
Q

In Cobalt Strike template naming, what does the suffix ‘big’ signify?

A

The template is for a stageless payload.

4
Q

In Cobalt Strike template naming, what does the suffix ‘svc’ signify?

A

The template is for a service binary payload.

5
Q

The Cobalt Strike payload templates are essentially _____ injectors, whose only role is to inject the Beacon shellcode into memory and execute it.

A

shellcode

6
Q

In the Artifact Kit, which C file is the entry point for .exe templates?

A

main.c in the src-main directory.

7
Q

In the Artifact Kit, which C file is the entry point for .dll templates?

A

dllmain.c in the src-main directory.

8
Q

What is the purpose of the bypass-*.c files in the src-common directory of the Artifact Kit?

A

Each implements a different technique for getting the obfuscated shellcode back into memory (for example by reading it through a named pipe, a mailslot, or a file read) in a way that anti-virus sandboxes and emulators fail to follow; one of these techniques is compiled into each payload template.

9
Q

What is the default anti-sandbox technique used by the built-in Cobalt Strike templates?

A

The dist-readfile technique.

10
Q

Which file in the Artifact Kit contains most of the main logic for performing shellcode injection?

A

patch.c.

11
Q

In the Artifact Kit’s build.sh script, what does the ‘Allocator’ parameter control?

A

It sets which API (e.g., HeapAlloc, VirtualAlloc) is used to allocate memory for the shellcode.

12
Q

When using the build.sh script in the Artifact Kit, setting the ‘Resource File’ parameter to true allows for changing what properties of the artifact?

A

Metadata such as CompanyName, FileDescription, and ProductName, as defined in src-main/resource.rc.

13
Q

What is the recommended first step when using ThreatCheck to find malicious code in an artifact?

A

Scan the unmodified, newly built artifact to identify the specific offset of the code block that is detected.

14
Q

After ThreatCheck identifies a malicious offset in an artifact, what tool can be used to disassemble and decompile the binary for further analysis?

A

Ghidra.

15
Q

In Ghidra, how do you navigate to a specific file offset identified by a tool like ThreatCheck?

A

Use the Navigation > Go To menu and enter file(0xOFFSET).

16
Q

What is an effective strategy to bypass a signature on a specific loop in the artifact source code?

A

Modify the loop’s structure (e.g., convert a for loop to a backwards while loop) to compile into different machine code.

17
Q

After building new templates with the Artifact Kit, which generated file must be loaded into the Cobalt Strike client to use them?

A

The Aggressor script, artifact.cna.

18
Q

What is the primary purpose of the Cobalt Strike Resource Kit?

A

To modify script-based payload templates, such as those for PowerShell.

19
Q

What is the primary security concern that the Resource Kit aims to address for PowerShell payloads?

A

Detection by the Antimalware Scan Interface (AMSI).

20
Q

In the default PowerShell template (template.x64.ps1), which .NET method is often flagged by AMSI for copying shellcode into memory?

A

System.Runtime.InteropServices.Marshal::Copy.

21
Q

What native API can be used as an alternative to Marshal.Copy in PowerShell to evade some AMSI signatures?

A

WriteProcessMemory, called through P/Invoke against the current process's own handle; it copies the bytes into the allocated buffer without a Marshal::Copy call.

22
Q

What is the function of the compress.ps1 script in the Resource Kit?

A

It serves as a template for Cobalt Strike’s Scripted Web Delivery, which GZIP compresses and Base64 encodes the main PowerShell payload.

23
Q

When obfuscating compress.ps1 for evasion, why must the %%DATA%% placeholder be left untouched?

A

Cobalt Strike uses this exact placeholder to patch the encoded payload into the script.
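The swap described in cards 20 and 21 above, as an added example that is not part of the course material or the Resource Kit templates: the same copy that `[Runtime.InteropServices.Marshal]::Copy` performs, done through `WriteProcessMemory` against the current process's own handle. The `Kernel32` wrapper class, the constants and the 64-byte test pattern are constructed for this example; the pattern is not shellcode, the buffer is `PAGE_READWRITE` only, and nothing in it is ever executed. `Add-Type` is used here only for readability: it compiles C# on the fly, which is itself visible to AMSI and blocked in Constrained Language Mode, so the P/Invoke declaration is not where any evasion comes from.

```powershell
# Added example: copy bytes into unmanaged memory with WriteProcessMemory instead of
# [Runtime.InteropServices.Marshal]::Copy. Writes a constructed byte pattern into a
# PAGE_READWRITE buffer in the current process and reads it back; nothing is executed.
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public static class Kernel32
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
}
"@
Add-Type -TypeDefinition $Kernel32

$MEM_COMMIT_RESERVE = 0x3000   # MEM_COMMIT | MEM_RESERVE
$PAGE_READWRITE     = 0x04     # RW only: this buffer is never made executable
$MEM_RELEASE        = 0x8000

# Constructed test pattern standing in for the payload bytes (it is NOT shellcode).
[byte[]]$data = 0..63 | ForEach-Object { [byte](($_ * 7 + 3) -band 0xFF) }

$hProc = [Kernel32]::GetCurrentProcess()
$size  = [UIntPtr]::new([uint64]$data.Length)
$buf   = [Kernel32]::VirtualAlloc([IntPtr]::Zero, $size, $MEM_COMMIT_RESERVE, $PAGE_READWRITE)
if ($buf -eq [IntPtr]::Zero) {
    throw "VirtualAlloc failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# This call is the replacement for: [Runtime.InteropServices.Marshal]::Copy($data, 0, $buf, $data.Length)
$written = [UIntPtr]::Zero
if (-not [Kernel32]::WriteProcessMemory($hProc, $buf, $data, $size, [ref]$written)) {
    throw "WriteProcessMemory failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Read the buffer back through the same API family and compare with what was written.
[byte[]]$check = New-Object byte[] $data.Length
$read = [UIntPtr]::Zero
[void][Kernel32]::ReadProcessMemory($hProc, $buf, $check, $size, [ref]$read)
$match = ($written.ToUInt64() -eq $data.Length) -and (-not (Compare-Object $data $check -SyncWindow 0))
"wrote {0} bytes to 0x{1:X}; round-trip match: {2}" -f $written.ToUInt64(), $buf.ToInt64(), $match

[void][Kernel32]::VirtualFree($buf, [UIntPtr]::Zero, $MEM_RELEASE)
```

The only line that changes relative to the default template is the `WriteProcessMemory` call; the allocation, the handle and the buffer contents are identical, which is the point: a signature on the `Marshal::Copy` call text does not survive the substitution, while the behaviour does. Expect the replacement itself to be signatured eventually, so treat it as one option among several rather than a fix.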

24
Q

What Malleable C2 technique overwrites a legitimate DLL in memory with Beacon to make the memory region appear backed by a file on disk?

A

Module stomping.

25
Q

Which Malleable C2 `stage` block option is used to enable module stomping?

A

`set module_x64 "SomeLegit.dll";` (with `module_x86` for x86 Beacons). Beacon loads that DLL and overwrites its image in memory.

26
Q

By default, Beacon's reflective loader allocates memory with what permissions, which can be suspicious in native applications?

A

RWX (read, write, and execute).

27
Q

Setting `stage.userwx` to `"false"` in a Malleable C2 profile causes the reflective loader to do what?

A

It sets granular permissions for each memory section (e.g., RX for .text, RW for .data) instead of a single RWX region.

28
Q

What is the purpose of setting `stage.copy_pe_header` to `"false"` in Malleable C2?

A

It instructs the reflective loader not to copy Beacon's PE headers into memory, slightly reducing its detection surface.

29
Q

In Cobalt Strike's 'fork and run' workflow, how does Beacon retrieve the output from a post-exploitation DLL running in another process?

A

The post-ex DLL writes its output to a named pipe, which Beacon connects to and reads from.

30
Q

What is a common Windows API used for thread injection that security products can detect via the kernel `PsSetCreateThreadNotifyRoutine` callback?

A

`CreateRemoteThread`. The callback notifies a driver of every new thread, so a thread created in one process by a different process stands out.

31
Q

Which Malleable C2 block is used to configure alternative remote thread creation techniques for post-exploitation jobs?

A

The `process-inject { execute { ... } }` block.

32
Q

The _____ Malleable C2 option can be used to change the default post-exploitation named pipe names to avoid signature-based detection.

A

`post-ex.pipename`

33
Q

What is the purpose of the `spawnto` command in Beacon?

A

`spawnto [x86|x64] [path]` changes the temporary process that the current Beacon spawns for its fork-and-run commands, helping it blend in with expected parent-child process relationships.

34
Q

Which Malleable C2 option sets the default spawn-to process for all Beacons from that team server?

A

`post-ex.spawnto_x64` and `post-ex.spawnto_x86`.

35
Q

Why does the service binary used by `jump psexec` require a separate command, `ak-settings`, to configure its spawn-to process?

A

The service binary artifact cannot use a spawn-to value that contains environment variables like `%windir%`, so it needs a hardcoded path (`ak-settings spawnto_x64 [path]`).
36
Q

What is Parent Process ID (PPID) spoofing used for in post-exploitation?

A

It allows a new process to be spawned with an arbitrary parent process, which can break anomalous parent-child relationships.

37
Q

Which Beacon command is used to set a spoofed parent process ID?

A

`ppid [pid]`; running `ppid` with no argument reverts to the Beacon process as the parent.

38
Q

Setting `post-ex.amsi_disable` to `"true"` in Malleable C2 causes the post-ex reflective loader to do what?

A

It patches AMSI in the spawned post-ex process before executing a .NET assembly or PowerShell script via execute-assembly, powerpick, or psinject.

39
Q

The `post-ex.amsi_disable` setting does NOT apply to which Beacon command for running PowerShell?

A

The `powershell` command, because it runs powershell.exe directly rather than a post-ex DLL; `powerpick` or `psinject` must be used instead.

40
Q

What does the `post-ex.obfuscate "true";` setting do for post-exploitation DLLs?

A

It scrambles the DLL content and settles it into memory in a more OPSEC-safe way, similar to `stage.userwx` for Beacon.

41
Q

What is the function of the `post-ex.cleanup "true";` Malleable C2 option?

A

It frees the memory occupied by the post-exploitation reflective loader after the post-ex DLL has been loaded.

42
Q

In Malleable C2, what is the difference between `strrep` and `strrepex` within the `transform-x64` block?

A

`strrep "find" "replace"` replaces a string in all post-ex DLLs, while `strrepex "ModuleName" "find" "replace"` replaces a string in a single, specified post-ex DLL.
43
Q

AppLocker is a Windows technology that prevents users from running unapproved applications based on rules with a permission and a _____.

A

condition

44
Q

What are the three types of conditions an AppLocker rule can be based on?

A

Publisher, Path, and File hash.

45
Q

Where in the Windows Registry are local AppLocker policies stored?

A

`HKLM\Software\Policies\Microsoft\Windows\SrpV2` (one subkey per rule collection, e.g. `Exe`, `Dll`, `Script`, `Msi`, `Appx`).

46
Q

Which native PowerShell cmdlet can be used to parse and display the effective AppLocker policy on a local machine?

A

`Get-AppLockerPolicy -Effective` (add `-Xml` to get the policy as XML).

47
Q

When enumerating GPOs for AppLocker policies, which file within the GPO's `Machine` directory contains the policy data?

A

`Registry.pol`

48
Q

How can an AppLocker path rule whose path begins with a wildcard (such as the App-V rule discussed in this module) be bypassed?

A

By placing an executable in any user-creatable directory named `App-V`, because the start of the path is not anchored to a drive or an AppLocker variable, so the pattern matches that directory name anywhere in the path.

49
Q

Name two directories within `C:\Windows` that are often writable by standard users and can be used to bypass default AppLocker path rules.

A

Any two of: `C:\Windows\Tasks`, `C:\Windows\Temp`, `C:\Windows\tracing`, or various subdirectories under `C:\Windows\System32\spool` (e.g. `spool\drivers\color`).
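An added example (not part of the course material) that walks the enumeration and checks described in cards 45 to 49 above: it reads the effective AppLocker policy via `Get-AppLockerPolicy -Effective -Xml`, lists the rules in each collection, flags Allow path rules whose path begins with a wildcard (the unanchored case), and probes the user-writable `C:\Windows` subdirectories named above. The candidate directory list is the one from the cards; the output layout and the probe-file naming are my choices. It needs the AppLocker PowerShell module, so it runs on Windows only, and it should also work from Constrained Language Mode since it uses only cmdlets and core types.

```powershell
# Added example: enumerate the effective AppLocker policy, list the rules per
# collection, flag unanchored (wildcard-prefixed) Allow path rules, and probe which
# default-allowed directories under C:\Windows a standard user can write to.

"Language mode: {0}" -f $ExecutionContext.SessionState.LanguageMode

# The effective policy is the merge of the local policy and every applied GPO. -Xml
# returns the same schema that is stored under HKLM\Software\Policies\Microsoft\Windows\SrpV2.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    "`n[{0}] EnforcementMode={1}" -f $collection.Type, $collection.EnforcementMode

    foreach ($rule in $collection.FilePathRule) {
        foreach ($cond in $rule.Conditions.FilePathCondition) {
            $path = $cond.Path
            $note = ''
            # A path that starts with '*' rather than a drive letter or an AppLocker
            # variable (%WINDIR%, %PROGRAMFILES%, %OSDRIVE%) matches that substring
            # anywhere, so a user-creatable directory with the right name satisfies it.
            if ($rule.Action -eq 'Allow' -and $path.StartsWith('*')) { $note = '  <-- unanchored wildcard' }
            "  {0,-5} {1,-40} {2}{3}" -f $rule.Action, $rule.Name, $path, $note
        }
    }
    foreach ($rule in $collection.FilePublisherRule) { "  {0,-5} {1,-40} [publisher]" -f $rule.Action, $rule.Name }
    foreach ($rule in $collection.FileHashRule)      { "  {0,-5} {1,-40} [hash]"      -f $rule.Action, $rule.Name }
}

# The default rules allow everything under %WINDIR%; these subdirectories are commonly
# writable by standard users. Probe each by creating and deleting an empty file.
$candidates = @(
    'C:\Windows\Tasks',
    'C:\Windows\Temp',
    'C:\Windows\tracing',
    'C:\Windows\System32\spool\drivers\color'
)
"`nWritable %WINDIR% subdirectories:"
foreach ($dir in $candidates) {
    $probe = Join-Path $dir ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        "  writable:     $dir"
    } catch {
        "  not writable: $dir"
    }
}
```

Read the output in two passes: first confirm which collections are actually enforced (a collection that is `AuditOnly` or absent does not block anything, which is also how the DLL-rule gap in card 53 shows up), then look at the Allow path rules for anything that is either unanchored or points at a directory the probe reports as writable.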
50
Q

What is a LOLBAS that can be used to bypass AppLocker by executing arbitrary C# code from a `.csproj` file?

A

MSBuild.exe.

51
Q

When AppLocker is enforced, it typically changes PowerShell's language mode to what?

A

ConstrainedLanguage mode (check with `$ExecutionContext.SessionState.LanguageMode`).

52
Q

How can PowerShell's Constrained Language Mode be bypassed to execute arbitrary code?

A

By creating and loading a custom COM object that points to a malicious DLL, since `New-Object -ComObject` is not restricted.

53
Q

If AppLocker DLL rules are not enabled, what common Windows utility can be used to execute a Beacon payload DLL?

A

`rundll32.exe`.

54
Q

The Beacon DLL payload exports a function specifically for use with `rundll32`. What is the name of this function?

A

`StartW` (e.g. `rundll32.exe beacon.dll,StartW`).