Evasion & Artifact Kit
Cobalt Strike-specific evasion: detection surfaces, Artifact Kit customisation, and loading custom artifacts.
Detection Surfaces
Microsoft Defender (and similar AV) detects across three layers:
| Surface | What it scans | Kit/Mitigation |
|---|---|---|
| On-disk | Files written to disk — byte patterns, hashes, signatures | Artifact Kit |
| In-memory | Code loaded into process memory — AMSI, ETW | Sleep masks, AMSI bypass |
| Behavioural | API call sequences, process trees, network patterns | Malleable C2, sleep/jitter |
Artifact Kit helps with on-disk evasion only. It does not make Beacon resilient to in-memory detection.
Artifact Kit
Artifact Kit contains source code to build custom shellcode runners (artifacts) that inject Beacon shellcode in ways that cannot be emulated by AV engines.
Download & Install
In Cobalt Strike: Help > Arsenal (or https://download.cobaltstrike.com/scripts).
```bash
tar xzfv ./arsenal-kit*.tgz -C /opt/cobaltstrike/arsenal-kit
cd /opt/cobaltstrike/arsenal-kit
chmod +x ./build_arsenal_kit.sh
./build_arsenal_kit.sh
cd kits/artifact
chmod +x build.sh
```
Arsenal Kit bundles Artifact Kit together with the other kits (Mimikatz kit, Resource kit, etc.).
Source Structure
Entry points in src-main/:
- dllmain.c — DLL artifacts
- main.c — EXE artifacts
- svcmain.c — Service EXE artifacts
These call a start function whose implementation is in the bypass technique files.
Bypass Techniques
Located in src-common/bypass-<technique>.c:
| Technique | Description |
|---|---|
| mailslot | Reads shellcode over a mailslot |
| peek | Uses Sleep, PeekMessage, and GetTickCount |
| pipe | Reads shellcode over a named pipe |
| readfile | Reads itself from disk and seeks to find embedded shellcode |
Build Custom Artifacts
```bash
./build.sh <technique> <allocator> <stage_size> <rdll_size> <include_syscalls> <include_sleepmask> <syscall_method> <output_dir>
```
Example:
```bash
./build.sh pipe VirtualAlloc 344564 5 false false none /opt/cobaltstrike/artifacts/
```
```text
[Artifact kit] [+] You have a x86_64 mingw--I will recompile the artifacts
[Artifact kit] [*] Using allocator: VirtualAlloc
[Artifact kit] [*] Using STAGE size: 344564
[Artifact kit] [*] Using RDLL size: 5K
[Artifact kit] [*] Using system call method: none
[Artifact kit] [+] Artifact Kit: Building artifacts for technique: pipe
[Artifact kit] [*] Recompile artifact32.dll with src-common/bypass-pipe.c
...
```
Loading Custom Artifacts
After building, load the artifact CNA script into Cobalt Strike:
- Cobalt Strike > Script Manager > Load
- Navigate to the build output directory
- Select the generated .cna aggressor script
- All subsequently generated payloads will use the custom artifacts
See also: 3. Payload Generation, a. Defence Evasion Concepts