{
	"id": "d55e12ee-2b4a-4de5-b0ae-cf760fb531cb",
	"created_at": "2026-04-06T00:10:39.66362Z",
	"updated_at": "2026-04-10T03:24:23.958168Z",
	"deleted_at": null,
	"sha1_hash": "6cf0e446abda0816caa7142ed88f8c77995a2f91",
	"title": "Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749581,
	"plain_text": "Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass\r\nPublished: 2023-06-30 · Archived: 2026-04-05 20:39:35 UTC\r\nWe recently came across a tweet regarding a LNK file that sets a hardware breakpoint in the Antimalware Scan Interface (AMSI).\r\nFigure 1: Tweet\r\nIn this blog, we dig a little deeper into Cobalt Strike’s new TTP for bypassing AMSI using a hardware breakpoint.\r\nInitial access\r\nThe LECmd tool was used to extract the LNK file’s argument, which invokes PowerShell to fetch the code from the malicious site.\r\nFigure 2: LNK file\r\nhttps://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/\r\nPage 1 of 4\r\nIn this code a hardware breakpoint (Dr0) is set on the address of the AMSI scan buffer function (AmsiScanBuffer).\r\nFigure 3: Hardware breakpoint in AMSI\r\nIn order to bypass AMSI, an exception handler for the breakpoint on AmsiScanBuffer is registered using the AddVectoredExceptionHandler API. The handler code collects the exception record and the exception address, and proceeds further only if the exception occurred at the address of AmsiScanBuffer. It then reads the return address from the top of the stack (the stack pointer), sets the instruction pointer to that return address and sets the return value to 0 [1].\r\nFigure 4: Exception Handler code\r\nThis code contains a PowerShell script that creates persistence using the startup folder and downloads a GZIP-compressed Base64 string. It targets only domain logon users who have connected to a domain in the mentioned domain list.\r\nFigure 5: Targeted domain and next payload\r\nDecompressing this Base64 string with GUnZip yields another piece of code, as shown in Figure 6.\r\nFigure 6: XOR encoded Base64 string\r\nThis code contains a Base64 string which, when decoded and XORed with int(35), gives the final Cobalt Strike payload, as shown in Figures 7 and 8.\r\nFigure 7: XOR key\r\nFigure 8: Cobalt Strike\r\nThe Cobalt Strike C2 config extracted using this tool is shown below.\r\nFigure 9: C2 Config\r\nWe at K7 Labs have detection against such threats. Users are requested to secure their devices by installing a reputed security product like “K7 Total Security” and keep it updated to stay protected from the latest threats.\r\nIOCs\r\nHash | K7 Detection Name\r\neb08d873d27b94833e738f0df1d6ed26 | Trojan ( 0001140e1 )\r\n6302a90a342db9f2159d8f20f19ebb2e | Trojan ( 0001140e1 )\r\n3c9c1be6bdd39820ae3ba34ca7a36f1f | Trojan ( 0001140e1 )\r\nSource: https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/"
	],
	"report_names": [
		"cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cf0e446abda0816caa7142ed88f8c77995a2f91.pdf",
		"text": "https://archive.orkl.eu/6cf0e446abda0816caa7142ed88f8c77995a2f91.txt",
		"img": "https://archive.orkl.eu/6cf0e446abda0816caa7142ed88f8c77995a2f91.jpg"
	}
}