Rachit Arora

Cobalt Strike - Operations

Oct 10, 2023

Notes from “Red Team Operations with Cobalt Strike (2019)” by Raphael Mudge on YouTube here

https://media.discordapp.net/attachments/928373179003600907/1161604293552504914/image.png?ex=6538e74d&is=6526724d&hm=53cf4c43dcba8f94edc95e3196e292350488209a9139525051eef0e99000e02c&=&width=1074&height=816

General Overview of a Red Team Operation

There are four goals of a typical attack:

https://media.discordapp.net/attachments/928373179003600907/1161602009657524285/image.png?ex=6538e52c&is=6526702c&hm=2c2959deae86fe7807c5964a95ed2bd6878c68884b3b81af3c1a551a341a1a38&=&width=1074&height=769

The screenshot provided outlines the four objectives and the difficulties associated with each of them.

Challenges in Email Delivery:

  1. We face obstacles when sending emails, such as antivirus gateways or sandbox technology that dynamically inspects attachments to check for malicious content.
  2. Dealing with various anti-spam and filtering mechanisms.
  3. Email authentication protocols like SPF, DKIM, and DMARC on the recipient's side make it more challenging to ensure the email successfully reaches its destination.

Challenges Before Code Execution:

  1. Endpoint security products can interfere before the malicious code is executed.
  2. Both static and dynamic analysis are conducted on our content and payload to determine whether it is a threat.
  3. Everything we do on the endpoint is monitored by antivirus software and EDR (Endpoint Detection and Response) systems.
  4. Events generate telemetry, which is then sent to the Security Operations Center (SOC) for analysis by individuals looking for signs of security breaches.

Challenges Before Establishing Command and Control (C2):

  1. Communicating with a domain that is not categorized, which makes it difficult to establish a connection.
  2. Coping with network security monitoring, which can detect anomalies such as unusual user agents and trigger investigations.

Challenges in Post-Exploitation:

  1. Evaluating the risk versus reward for each action taken.
  2. Every action generates observable events that are monitored by a local agent or produce telemetry data sent to the SOC for analysis.

Cobalt Strike and its functionalities

Mission: Minimize the gap between penetration testing and advanced threat malware.

Vision: Attain adversary simulation that is pertinent and trustworthy.

Beacon

Malleable C2

Aggressor Script

  1. Customization: It’s possible to add pop-up menus, introduce additional commands, and make scripts react to events within the tool.
  2. Enhanced Privilege Escalation and Lateral Movement: We can implement new methods for privilege escalation and lateral movement automation.
  3. Versatile Scripting: These scripts can modify the tool’s behavior, including how it generates various artifact types, such as executables (exe), dynamic link libraries (DLLs), and even PowerShell scripts.
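As an added illustration of the three points above (and of the logging needed for reporting later on), not code from the talk or from Cobalt Strike itself: an Aggressor script that adds a Beacon command, a pop-up menu item and two event handlers, all of which append operator activity to an ops log for reporting and deconfliction. The log path in `$logfile` and the `oplog` helper are my own choices; the hooks and functions used are standard Aggressor Script ones.

```sleep
# Added example (not from the talk or the Cobalt Strike distribution):
# record operator activity to an ops log for reporting and deconfliction.
global('$logfile');
$logfile = "/tmp/ops-activity.log";   # assumed path; pick one per engagement

# Append one timestamped line to the ops log.
sub oplog {
    local('$handle');
    $handle = openf(">>" . $logfile);
    println($handle, dstamp(ticks()) . " | " . $1);
    closef($handle);
}

# React to an event: a new Beacon checked in.
on beacon_initial {
    oplog("new beacon " . $1 . " as " . beacon_info($1, "user") .
          " on " . beacon_info($1, "computer"));
}

# React to an event: an operator typed a command into a Beacon console.
# $1 = beacon id, $2 = operator, $3 = command text
on beacon_input {
    oplog("beacon " . $1 . " | operator " . $2 . " | " . $3);
}

# Add a command: "note <text>" records a free-form observation for the report.
alias note {
    oplog("beacon " . $1 . " | note: " . substr($0, 5));
    blog($1, "note recorded in ops log");
}
beacon_command_register("note", "Record a note for the report",
                        "Usage: note <text>");

# Add a pop-up menu item at the bottom of the Beacon context menu.
# $1 = array of selected beacon ids
popup beacon_bottom {
    item "Flag for report" {
        foreach $bid ($1) {
            oplog("beacon " . $bid . " | flagged for report");
            elog("Beacon " . $bid . " flagged for report");
        }
    }
}
```

Load it through the Script Manager; every operator on the team server then contributes to the same ops log, which is what the reporting step later in these notes relies on.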

Collaboration Features in Cobalt Strike

https://media.discordapp.net/attachments/928373179003600907/1161607418288033802/image.png?ex=6538ea36&is=65267536&hm=139746ed5b94e77e20a107b0aa3df9da117e309d78615170ce8eeb52e54d5caf&=&width=1074&height=654

The “team server” functions as the command center for the tool, coordinating offensive actions. It serves as the controller, hosts a web server, and is instrumental in facilitating spear phishing. The Cobalt Strike graphical user interface (GUI) client connects to this server.

Starting a Team Server

https://media.discordapp.net/attachments/928373179003600907/1161608391731466300/image.png?ex=6538eb1e&is=6526761e&hm=c75ab79450b8f99b5c9a9db9f87b35e5b08d264d2dc7d2797eec53cd4b357792&=&width=1074&height=679

https://media.discordapp.net/attachments/928373179003600907/1161608725015052288/image.png?ex=6538eb6d&is=6526766d&hm=f2b057d552fa7e53f7b7a6d501ea8e4c79008aa2a1c2ac4a55e98a04c69b10ee&=&width=1074&height=129

Starting a team server screenshot

https://media.discordapp.net/attachments/928373179003600907/1161608965961039924/image.png?ex=6538eba7&is=652676a7&hm=3aa11bae518da2632fb54a660d63af252a890e2d001018210f928fd197c68d2e&=&width=1074&height=127

Connecting to a Team Server

https://media.discordapp.net/attachments/928373179003600907/1161609312653803590/image.png?ex=6538ebf9&is=652676f9&hm=1dca8b356cae33fc17ac9a39ecf3686ae718aa6147ff0e666cfe6cf062d1ce73&=&width=1074&height=660

Username: your leet hacker nickname

We can verify the connection by matching the SHA256 hash shown here against the team server's fingerprint.

https://media.discordapp.net/attachments/928373179003600907/1161609331167465533/image.png?ex=6538ebfe&is=652676fe&hm=c9e6717c38f6ae1e6f6ca6529a6e132b9cb35c7be39ba12390a49426df0d1d39&=&width=1074&height=360

Basic Interface of Cobalt Strike

https://media.discordapp.net/attachments/928373179003600907/1161609347877572668/image.png?ex=6538ec02&is=65267702&hm=4ad21a8d192e4c0bee82fbece574cbeef2680d0a8a77379cae88b9934b474dd0&=&width=1074&height=631

Three elements of a collaborative red team tool include:

  1. Sharing Sessions: Collaborators can jointly access and control sessions.
  2. Data Collaboration: Both parties have access to the same data model for shared information.
  3. Instant Communication: Real-time communication through the event log, functioning similarly to Internet Relay Chat (IRC).

/sc to show channel

/me to display an action

/msg to message our teammates

https://media.discordapp.net/attachments/928373179003600907/1161610241344028702/image.png?ex=6538ecd7&is=652677d7&hm=f4c3574c30fc15f559dfb7749c03c4422ec1b560ac17cd65545bd1bb1c1df62a&=&width=724&height=232

Distributed Operations

https://media.discordapp.net/attachments/928373179003600907/1161610572773728266/image.png?ex=6538ed26&is=65267826&hm=d51c63fac0f640406405823a3a64cac74338a513955a31ed3dc37494ad9f669c&=&width=1074&height=841

Employing distributed operations avoids dependence on a single vulnerable point.

https://media.discordapp.net/attachments/928373179003600907/1161610608513396776/image.png?ex=6538ed2e&is=6526782e&hm=bb9ad42971339feb8e341b12c042ba81312264e5cde752bec8207aab41a66414&=&width=1074&height=612

Team Infrastructure:

Team Roles:

Logging & Reporting

https://media.discordapp.net/attachments/928373179003600907/1161611872601120828/image.png?ex=6538ee5c&is=6526795c&hm=5491218917f132c2c0493fae8b02f94c1952c3336a1ab9fcd0e6d9e8f292db34&=&width=1074&height=745

https://media.discordapp.net/attachments/928373179003600907/1161611888266850314/image.png?ex=6538ee5f&is=6526795f&hm=bdd44706c0dade6e2ac2b2d85aeb74b99e26c33d4662edc109b7b9dd3b86c97c&=&width=1074&height=612

Reporting:

https://cdn.discordapp.com/attachments/928373179003600907/1161612435816452207/image.png?ex=6538eee2&is=652679e2&hm=645c46d2d00c9714501e62cdc155c3b98921982e0a4435c1b5bf058b81fee18d&

https://cdn.discordapp.com/attachments/928373179003600907/1161612473225457776/image.png?ex=6538eeeb&is=652679eb&hm=ee3ca29d5e27c7bb85bb6ccc6cb6772bc431a65e2732b37ca0be62dbee721b5e&

https://cdn.discordapp.com/attachments/928373179003600907/1161612488656297984/image.png?ex=6538eeef&is=652679ef&hm=5412e0a85851427ad08ad7acaa9f22698493977167d68876eef18239f7f7b66e&

https://media.discordapp.net/attachments/928373179003600907/1161612504242327603/image.png?ex=6538eef2&is=652679f2&hm=e340330bfad9e7ad1ba4ee048367f32fad411301f37462e8b2f522555ade4f18&=&width=1074&height=697

More information about Cobalt Strike will follow in upcoming posts.

Have any questions?

Do you have any questions? Feel free to reach out to me on Twitter or on LinkedIn.