@justaguywhocodes
Created January 19, 2026 19:59
1. Create a Test DLL Loader
Simulate a benign Cobalt Strike-style DLL loader. Save this as test_loader.c:
```c
#include <windows.h>
#include <string.h>   /* strlen */

// Exported entry point (Cobalt Strike-style loaders expose one). rundll32 calls
// the export with the four-argument prototype below; on x64 a void(void)
// function would also survive the extra register arguments, but matching the
// documented prototype is correct on both 32- and 64-bit builds.
__declspec(dllexport) void CALLBACK Run(HWND hwnd, HINSTANCE hinst,
                                        LPSTR lpszCmdLine, int nCmdShow) {
    (void)hwnd; (void)hinst; (void)lpszCmdLine; (void)nCmdShow;
    // Benign test action: create a temporary file as proof of execution
    HANDLE hFile = CreateFileA("C:\\Windows\\Temp\\test_ttp_success.txt",
                               GENERIC_WRITE, 0, NULL, CREATE_ALWAYS,
                               FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE) {
        const char *data = "Purple team test successful.";
        DWORD bytesWritten;
        WriteFile(hFile, data, (DWORD)strlen(data), &bytesWritten, NULL);
        CloseHandle(hFile);
    }
}

// DllMain does nothing; all test behaviour lives in the Run export.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    (void)hinstDLL; (void)fdwReason; (void)lpReserved;
    return TRUE;
}
```
Compile the DLL as a 64-bit build (MinGW-w64 on Linux or Windows), so that it matches the 64-bit rundll32.exe in System32:

```bash
x86_64-w64-mingw32-gcc -shared -o test_ttp_loader.dll test_loader.c
```
2. Transfer the DLL to the Target Windows System
Move test_ttp_loader.dll to the Windows machine (e.g., C:\Temp\).
3. Execute the Test via rundll32
Run these commands in a Windows Command Prompt (adjust paths as needed):

```cmd
:: Load the DLL via rundll32 and call the export by name (common Cobalt Strike technique)
rundll32.exe C:\Temp\test_ttp_loader.dll,Run
:: Alternative: call the export by ordinal instead of by name (Run is the only export, so it is #1)
rundll32.exe C:\Temp\test_ttp_loader.dll,#1
```
4. Verify Execution
Check for the test file to confirm execution:
```cmd
type C:\Windows\Temp\test_ttp_success.txt
```
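The second half of a purple-team run is confirming that the blue side saw the test. As an added example (not part of the gist), the script below classifies rundll32 process-creation command lines the way a simple detection rule would: it flags a DLL loaded from outside the usual system and program directories, a target that lacks a .dll extension (rundll32 loads any PE regardless of extension), and an export invoked by ordinal. The sample events are constructed, not real telemetry, and the `TRUSTED_DLL_DIRS` allow-list is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Directories rundll32 normally loads DLLs from (assumption: a starting
# allow-list to be tuned per environment, not an authoritative list).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# rundll32 syntax:  rundll32[.exe] <dll>[,<ExportName>|,#<ordinal>] [arguments]
# The image may be bare or a full path, and the DLL path may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'   # rundll32 image
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'         # quoted or bare DLL path
    r'(?:,(?P<entry>\S+))?',                          # optional entry point
    re.IGNORECASE,
)


@dataclass
class Finding:
    dll: str
    entry: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse_rundll32(cmdline: str) -> Optional[Finding]:
    """Return a Finding for a rundll32 command line, or None if it is not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    entry = m.group("entry")
    finding = Finding(dll=dll, entry=entry)
    low = dll.lower()
    # A directory component that is not a trusted system/program location.
    if "\\" in low and not low.startswith(TRUSTED_DLL_DIRS):
        finding.reasons.append("dll loaded from non-system path")
    # rundll32 loads a PE with any extension, so a non-.dll target is notable.
    if not low.endswith(".dll"):
        finding.reasons.append("dll path lacks .dll extension")
    # Calling by ordinal keeps the export name out of the command line.
    if entry and entry.startswith("#"):
        finding.reasons.append("export called by ordinal")
    return finding


# Constructed sample events (not real telemetry): (event id, CommandLine field).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("ev1", r"rundll32.exe C:\Temp\test_ttp_loader.dll,Run"),
    ("ev2", r"rundll32.exe C:\Temp\test_ttp_loader.dll,#1"),
    ("ev3", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
    ("ev4", r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init'),
    ("ev5", r"rundll32.exe C:\Users\Public\update.dat,#2"),
    ("ev6", r"notepad.exe C:\Temp\notes.txt"),
]


def scan(events) -> List[Tuple[str, Finding]]:
    """Return (event id, Finding) for every rundll32 event with at least one reason."""
    hits = []
    for event_id, cmdline in events:
        finding = analyse_rundll32(cmdline)
        if finding and finding.suspicious:
            hits.append((event_id, finding))
    return hits


if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {finding.dll} entry={finding.entry or '<none>'}"
              f" -> {', '.join(finding.reasons)}")
```

Run against the sample events, both gist commands (ev1 and ev2) are flagged while the two legitimate invocations (ev3, ev4) are not; if the equivalent rule in the SIEM or EDR does not raise on ev1 and ev2, the purple-team test has found a detection gap rather than confirmed coverage. Bare DLL names resolved through the search path (as in ev3) are deliberately not scored, since the loader's directory cannot be read from the command line alone.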