Category: malware

C# Cobalt Strike stagers

Some time ago, I found an interesting GitHub repository, StageStrike. It contains sample C and C# code for Cobalt Strike stagers. In this post, I will use the C# version and add some features that are useful during an engagement: corporate proxy support, connection retries, basic environment keying, and virtual machine detection.

How it works

First, let's see how it works. The idea is pretty simple: the code needs to connect to the staging URL, download the data returned by the Cobalt Strike listener, and execute the downloaded shellcode (preferably everything happens in memory, without touching the disk, to make AV detection harder).