Cobalt Strike
Last updated
Last updated
Cobalt Strike (CS) is an advanced c2 framework and adversary emulation toolkit that closes the gap between penetration testing tools and advanced threat malware.
HTTP/S or DNS to egress network
SMB or TCP for peer-to-peer C2
Network traffics
In-memory content, characteristics and behavior
Process injection behavior
Staging Server
Getting initial callbacks
Initial privilege escalation + install persistence
Expect these servers to get caught!
Long Haul Server
"Low and Slow" persistent callbacks
pass access to post-exploitation as needed
Post-Exploitation Server
Post-exploitation and lateral movement
HTTP Beacon
You can add IPv4, IPv6 or Domain (FQDN) for listeners
HTTPS Beacon
You can add valid SSL cert
DNS Beacon
Edit zone file for a domain you control
Create an A record for CS system
Create an NS record that points to your CS system FQDN
SMB/TCP Beacon
Peer-to-peer beacon
This creates a child process of your initial beacon
Control over SMB beacon
beacon> link [host] [pipe]
beacon> unlink [host] [pid]
Control over TCP beacon
beacon> connect [host] [port]
beacon> unlink [host] [pid]
External C2 Beacon
You can start an External C2 listener on your CS server
Use other External C2 to connect to the listener
Egress: Beacons out of a network
Peer-to-peer: Communicates through a parent payload
Alias: Reference to a payload handler
Stager
Download a payload --> pass it for execution
Less secure
More brittle (it can crash)
Easier to be detected
Stageless
No stager. Single file contains all.
Most of the CS payloads are now stageless
Use Iptables, Socat or other tools to forward traffics to your CS team server.
Use an Apache or Nginx reverse proxy config
Use a CDN as a redirector for HTTPS traffic
HTTP Redirector Example
Start a team server (main.bigb0ss.com)
On the redirector box (redir.bigb0ss.com)
apt-get update && apt-get install socat
screen -S socat_redir
socat TCP4-LISTEN:80,fork TCP4:main.bigb0ss.com:80
CDN Redirector Example
Use valid SSL certificate
Allows HTTP Post and HTTP GET verbs (*Malleable C2)
Consider using HTTP-GET only C2 (*Malleable C2)
Be aware of transformed requests (*Malleable C2)
Disable all cache options : This is because we want the CDN to not cache our contents and callback to us every time the target calls back to our C2.
Domain fronting is basically making the C2 traffic from the target system that looks like going into the highly trusted domain "T" but actually making it to our C2. Helps bypassing egress controls or making the C2 traffic blended into normal/legitimate traffics.
Reason for using CDN domains are that they are highly trusted, and it is hard to block all the trusted CDN domains. If blocked, people cannot access to some legitimate websites.
Network traffic modifications
In-memory content, characteristics and behaviors
Process injection behaviors
Testing Profile: ./c2lient [profile]
Don't use public example in production
Don't allow an empty http-get > server > output response.
Use 'prepend' to prepend junk data
Use 'transform' to mask/randomize data
Change URIs and use 'prepend' to mask IOCs in http-stager block. (If you are going to allow staging)
Use http-config block to standardize server headers and order of the header for all HTTP server responses.
Use plausible useragent value for target network.
Use HTTP Get-Only C2 for difficult egress situations.
CS's HTTP/S payloads are built with WinINet libraries, so it has default features of automatic NTLM authentication for domain users; however, if you are calling as SYSTEM this may fail. Be aware that WinINet library may have TLS limitation incompatible with your redirectors.
Use an Apache, Nginx or a CDN as a redirector, It smooths CS-specific indicators, better JA3S fingerprint, etc.
JA3 (JA3S - server) technology indicates the value of the applications; therefore, using a redirector as a legit software like Apache or Nginx is really important. (You don't want your redirector to be looking like a random Java on Debian running) -> One of the biggest reasons why you should use redirectors.
Host redirectors on different VPS providers. Domains are better with age and categorization.
Do not use IPv4 addresses for C2. Have a valid SSL certificate
Egress from plausible user processes on workstations
Use SMB Beacon from workstations to servers
Use built-in Windows tools and APIs to find targets
Servers should not egress
SMB beacon from server to workstations is weird
Scan to find targets
Use valid SSL cert
Use redirectors
Only allow HTTP/S connections from redirectors
Firewall port 50050 and access via SSH tunnel
Host content on your redirectors
Do not use DNS C2
Use DNS C2 as low&slow fallback option only
Set 'dns_stager_prepend' and 'dns_stager_subhost'
Change 'dns_idle' in profile. Avoid 'mode dns' as this will send bogon responses
Set 'dns_mas_txt' to limit TXT length. Set 'maxdns' to limit hostname length.
Check for CS default SSL cert
Check for port 50050 open
Use Split-Split DNS
Empty index page, 404, text/plain Content-Type
Monitor volume of DNS requests
Check for CS DNS C2 IOCs
Check for bogon IP (0.0.0.0)
Check for length of request hostnames
HTTP Traffic Considerations : For plain HTTP traffic, if the target organization is using a proxy server, it can inspect the HTTP GET request host and its "Host:" header value. If the request host and the header value are not matching, it will overwrite the "Host:" header to point it to the GET request host. This is called "Normalization." This will break the Domain Fronting.
HTTPS Traffic Considerations : For plain HTTPS traffic, the proxy server is only able to see the "CONNECT Domain:443" URL and unable to inspect the encrypted the headers. But many companies can do MitM-SSL between the proxy server and the SSL connection, so they may catch the domain fronting attempts. (However, consider that like finance and healthcare organizations would not do the MitM-SSL because they don't want to see people's PII date accidentally.)
Server Name Indication ("SNI") Considerations : Some CDN providers now check the "SIN:" value within the HTTP/S request, and if that is different than "Host:" header, it flags as malicious. It is one of the reasons why people say Domain Fronting is dead now, but not always.
Do:
Don't:
RED:
Blue:
