My career is taking me in a new and exciting direction, and I am stepping down from my role on the Cobalt Strike team.
I’ve spent the last year helping Fortra (the new face of HelpSystems) integrate Cobalt Strike into their processes and shift from a single developer to a team effort. I can honestly say that “Cobalt Strike is in great hands.”
I’ve seen tremendous growth and support from the Cobalt Strike community in the last 12 months. Thank you all for the generous support and outstanding research. Keep pushing forward.
The team’s mantra will continue to focus on product stability and flexibility to the product’s attack chain. I’ve helped pack the roadmap with great features, many of which came directly from community requests.
I’ve been a user of Cobalt Strike for almost ten years now, and it has been an honor to be part of this team. I wish the team good luck and look forward to seeing their influence on professional security testing.
I may be moving on, but I will continue to be part of the security community. My career has been filled with great opportunities and great people. I am very thankful for the generous support shown by our community.
Make sure to follow @CoreAdvisories for Cobalt Strike related Twitter announcements.
The training web page lists free courses created by the Cobalt Strike team that provide an overview of the product. It also lists courses offered by trusted 3rd parties. The 3rd party courses use Cobalt Strike to some degree and can be a great way to practice and learn how Cobalt Strike can be used in a realistic environment.
The page will be updated as new courses are added.
Cobalt Strike Training
User Defined Reflective Loader (UDRL) Update in Cobalt Strike 4.5
The User Defined Reflective Loader (UDRL) was first introduced in Cobalt Strike 4.4. to allow the creation and use of a custom reflective loader. This quickly took off by the community and its limits were pushed. Updates were made in 4.5 to help address some of these limits.
Updates
Increased Size
A new hook BEACON_DLL_SIZE was added to specify either 5k or 100k for your custom loader. This increase will be reflected in your payloads.
Artifact Kit
The artifact kit has been updated to allow customization of sizes to ensure space is available for your loader.
UDRL and Malleable C2 Profile Consideration
When using the default reflective loader and generating Beacons there are a few settings that affect Beacon’s runtime configuration and the loader, which are automatically handled when the payload is generated. This ability allows an operator to change these settings in the profile which will modify how the payload is generated and how it looks like in memory.
When using a UDRL these settings are inserted into the Beacon’s runtime configuration. However, because the reflective loader is defined by the user it is not possible to modify the reflective loader as it does in the default case. It is on the user to modify their reflective loader accordingly.
For example, if you are using the example loader from the URDL kit, there is no code in the loader to do any conditional setup based on information stored in the header of the image. This could cause runtime issues with Beacon that you are not expecting because of the settings in your Malleable C2 profile. You will have to deal with the same type of issues when writing your own reflective loader from scratch.
Settings to be Considered
The following are settings to consider when the malleable C2 profile option stage.sleepmask is set to TRUE:
stage.userwx
This setting is a Boolean and informs the default loader to either use RWX or RX memory. At runtime Beacon will either include or not include the .text section for masking. If the setting is set to TRUE, your user defined loader needs to set the protection on the .text section as RWX otherwise Beacon will crash. If the setting is set to FALSE, your user defined loader should set the protection on the .text section as RX as the .text section will not be masked.
stage.obfuscate
This setting is a Boolean and informs the default loader to either copy the header or not copy the header into memory. At runtime Beacon will either include or not include the header section for masking. If the setting is set to TRUE, your UDRL should not copy the header into memory as Beacon will not mask the header section. If the setting is set to FALSE, your user defined loader should copy the header into memory as Beacon will mask the header section.
Depending on how sophisticated your reflective loader is you will need to make sure the settings in the Malleable C2 profile will work with how the Beacon payload is loaded into memory. With the BEACON_RDLL_GENERATE and BEACON_RDLL_GENERATE_LOCAL aggressor script hooks you do have the opportunity to modify your reflective loader by using the aggressor script pe_* functions.
Handling a UDRL over 5k
The following is an example error that indicates your loader is over 5k. You can use the BEACON_DLL_SIZE hook to increase this space to 100k.
Loader is over 5k
Artifact Kit Considerations
If you are using an artifact kit based on the kit provided by Cobalt Strike, but is using the default ‘stagesize‘ values, this error is logged indicating the larger patched Beacon will not fit in the standard artifacts generated for the kit. You will need to rebuild the artifact kit with larger ‘stagesize‘ environment variable definitions.
Artifact kit hook error when the stagesize value is too low
The Sleep Mask Kit was first introduced in Cobalt Strike 4.4 to allow users to modify how the sleep mask function looks in memory in order to defeat static signatures that identified Beacon. This quickly took off in the community and its limits were pushed. Updates were made in 4.5 to help address some of these limits.
The size of the sleep mask executable code has been increased to 769 bytes from 289 bytes.
Heap Memory
A list of heap memory addresses has been added to the input to the sleep mask function. This allows for the ability to mask and unmask Beacon’s heap memory, which could be used to identify Beacon.
Compatibility
Any sleep mask modifications for Cobalt Strike 4.4 will not be compatible with 4.5 because of the changes to the functions input. This also means the sleep mask modifications are also not backwards compatible. Users will need to have separate sleep mask versions for 4.4 and 4.5. An updated sleep mask kit is available through the Cobalt Strike UI Help -> Arsenal page.
Changes
Added a new HEAP_RECORDS data structure
Added a pointer to the HEAP_RECORDS data structure to the existing SLEEPMASKP structure
Added new loops to mask and unmask the heap memory identified by the HEAP_RECORDS structure.
Limitations
These are the current limitations to the sleep mask kit for Cobalt Strike 4.5:
The executable code size cannot exceed 769 bytes. If this occurs the default sleep mask function will be used.
Only one function can be defined in the source code file.
Use of external functions are not supported
Example
For this example, the Sleep Mask Kit for Cobalt Strike version 4.5 with a modification to the code to only mask and unmask when the sleep is larger than two seconds will be used. This allows for the ability to control the masking and unmasking of Beacon based on the current sleep time.
Generate a Beacon using the modified sleep mask and deploy it on your target system. The Beacon is now running and has a PID value of 5400 for this example.
Using a Yara rule based on the BeaconEye project, beacon will be detected. The rule shows the memory address that triggered the detection as the current sleep time is set 1 second.
Detected at 0x7c7290
Using Process Hacker, open the process (5400) and look at the contents of memory at the found location of 0x7c7290. This is determined by finding the base address 0x7b0000 and subtracting from 0x7c7290 to determine the offset within this block of heap memory.
Beacon’s configuration unmasked
The highlighted portion shows the signature that was used to identify Beacon, which represents Beacon’s configuration in the heap memory.
With the Cobalt Strike version 4.5 sleep mask this location in memory is provided as one of heap memory addresses in the HEAP_RECORDS list. Now, update the sleep time for this beacon to three seconds so it will mask itself while sleeping and then inspect this memory location again.
Beacon’s Configuration masked
Comparing this to the previous screenshot shows the heap memory is now masked. Running the Yara rule again shows that it does not detect the signature for Beacon’s configuration.
This is just one simple example of using the sleep mask to obfuscate Beacon in memory.
A complementary strategy to the Host Rotation Strategy was introduced to Cobalt Strike 4.5. The max retry strategy was added to HTTP, HTTPS, and DNS beacon listeners. A max retry strategy allows a beacon to exit after a specified failure count. As the failure count increases, sleep is adjusted to a specified value. By default, sleep is adjusted at 50% of the failure count.
A max retry can be selected from a list via the create listener GUI:
max retry option set as a listener option
The list can be updated with custom values using the aggressor hook LISTENER_MAX_RETRY_STRATEGIES.
The values in aggressor allow combination of options to be set vs. selecting from the default list.
# Use a hard coded list of strategies
set LISTENER_MAX_RETRY_STRATEGIES {
local('$out');
$out .= "exit-18-12-5m\n";
$out .= "exit-22-14-5m\n";
return $out;
}
# Use loops to build a list of strategies
set LISTENER_MAX_RETRY_STRATEGIES {
local('$out');
@attempts = @(50, 100);
@durations = @("5m", "15m");
$increase = 25;
foreach $attempt (@attempts)
{
foreach $duration (@durations)
{
$out .= "exit $+ - $+ $attempt $+ - $+ $increase $+ - $+ $duration\n";
}
}
return $out;
}
Understanding the Max Retry Syntax
Max Retry Strategy Syntax
The syntax is broken into four sections separated by a dash:
Column
Description
1
exit
2
Exit beacon after this number of failures
3
Number of failures to begin adjust sleep
4
Sleep time to set when sleep failures are met. Note: The jitter is kept to the current setting.
Using Aggressor to Create a Listener
If you use aggressor to create listeners, you can set the max retry using the max_retry option. This can be set to your custom max retry strategy without the need to be pre-defined.
Below is an example of the listener_create_ext function used to create a listener.
DLL attacks (hijacking, proxying, etc) are a challenge defenders must face. They can be leveraged in a Red Team engagement to help measure these defenses. Have you used this technique? In this post, I’ll walk through an example of adding a DLL proxy to beacon.dll for use in a DLL Proxy attack.
What is a DLL Proxying?
To begin with, this is not a new technique. I’ve seen it used some, but not always understood in practice. Other DLL hijacking attacks tend to be used more often, but Red Teams can benefit by adding this technique to their toolbox.
DLL proxying is an attack that falls in the DLL hijacking category.
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program.
A common way this is abused is to find a process that loads a “ghost” DLL. This is a DLL that is called by the process, but doesn’t actually exist. The calling process ignores this and continues. An attacker can add their own DLL in place of this ghost DLL. This works great, but can be rare.
What if you could modify an existing DLL without breaking the application that depends on that functionality?
This is DLL proxying. It allows an attacker to hijack the execution flow of a process but keep the original functionality of the application. Let’s walk through the attack flow.
DLL Proxy Attack Flow Diagram
Let’s say some process uses math.dll to perform calculations. Someprocess.exe loads math.dll and makes calls to its exported functions as needed. This is why we use external libraries.
If we want to hijack this process, we could easily replace math.dll with something malicious, but this would break the application. We don’t want that. This may draw attention to what we are doing. We need to copy math.dll to original.dll. Replace math.dll with a version that will forward the the legitimate calls to the new original.dll. And finally, use math.dll to load whatever malicious function we want.
In order to do this we need…
The ability to create and write files
The ability to find a target DLL that is loaded by an application
The ability to extract the exports from a target DLL
The ability to create a DLL that will ‘proxy’ the original exports to a copy of the original DLL
The post is using one technique for DLL proxying to specifically show how to use artifact kit to create this proxy DLL. There are several projects that explore this concept. A quick search can yield a wealth of resources on the topic. One of particular interest is the DueDLLigence project. It is an interesting approach that uses a framework to easily allow the development malicious DLLs.
Let’s Start with a Simple DLL Proxy Example
Let’s walk through a simple example to help clear this up.
In this example we assume that the hello.dll is the DLL being call by our target process. It will become the target of our proxy attack. This is similar to math.dll in the diagram.
Steps to find, build, and use a proxy DLL
1) Understand the execution flow of a process to understand which DLLs are loaded.
We need to start by understanding which DLLs are loaded by a process. The sysinternals tool process explorer works great here.
Real World Tip
I won’t call out any vendor here. My examples simply use rundll32.exe as my ‘application’. Just consider rundll32.exe some real target (maybe a chat application) that uses hello.dll.
The AppData directory is a great place to find candidates for user level persistence. Unlike C:\Program Files, c:\users\USER\AppData is user controlled. Many applications are installed here. cough, cough, chat clients.
A quick tip on using process explorer is to filter out what you need before running. In this case, I only want to see Load Image from my target process.
Procmon Filter
To simulate an application starting up and making calls to its DLLs, I use:
rundll32.exe hello.dll, hello
to have rundll32 call the hello function.
rundll32 loads hello.dll and calls the hello function
In the process explorer output, we see that our application loads hello.dll
Procmon
Great, we found a candidate DLL in our target application.
Another option to search for targets is to use the DLL_Imports_BOF. This project allows you to search for target applications during an engagement.
This is a BOF to enumerate DLL files to-be-loaded by a given PE file. Depending on the number of arguments, this will allow an operator to either view a listing of anticipated imported DLL files, or to view the imported functions for an anticipated DLL.
No matter what you use, the goal is to understand what DLLs are in play and what exports those DLLs use.
2) Identify the DLL exports.
DLL exports are the functions that an external process can call to use that functionality. It is a core feature of a DLL.
There are several ways to get the exported function from a DLL.
I included a simple python script, get_exports.py, to extract the exports and format for use in a .def file.
python3 get_exports.py --target hello.dll
get_exports.py output
You can also use something like dumpbin from Visual Studio
dumpbin /exports hello.dll
dumpbin output
The point of this is to get a list of the legitimate exported functions from the target DLL. This will give us what we need to build our proxy.
3) Build the proxy.dll.
In this example, I’m writing a proxy in .C to be compiled with MinGW. This shows the process, but could be very different depending on how you build your DLL. No matter what you do, you will be generating a DLL that forward functions.
Add the exported functions to proxy.def:
proxy.def updated with the hello.dll functions
A module-definition or DEF file (*.def) is a text file containing one or more module statements that describe various attributes of a DLL. If you are not using the __declspec(dllexport) keyword to export the DLL’s functions, the DLL requires a DEF file.
Let’s break down the export hello=original.hello @1:
This is creating the “hello” export for proxy.dll. Calls made to this function are forwarded to the hello function in original.dll. The @1 is the ordinal. (Ordinals are another way a function may be called. It does not always need to match, but can help if ordinals are used.)
proxy.c
proxy.c is a very basic DLL. It will run the payload function and if a remote target calls a remote function, it will proxy based on the exports set in proxy.def. The payload function is blocking. This is just a simple example. You should create a thread or use some other non-blocking method.
rename the original dll (hello.dll) to original.dll or what you set in the proxy.def file.
rename proxy.dll to the original file name (hello.dll)
Output after moving and naming the files on the target system.
Directory of Y:\temp\proxydll
10/28/2021 01:53 PM <DIR> .
10/28/2021 01:37 PM <DIR> ..
10/28/2021 01:37 PM 280,185 hello.dll <- This was proxy.dll
10/28/2021 01:23 PM 280,167 original.dll <- This was hello.dll
5) Test the proxy.
Let’s simulate some process following its normal process of loading hello.dll and calling the hello function by using rundll32.exe.
The following command acts more or less the same as an application starting, loading a DLL, and calling a function from that DLL.
rundll32 hello.dll, hello
The payload function from the proxy DLL
The hello function from the original DLL
We called the proxy DLL (hello.dll) using rundll32 as an example target for a DLL loading attack. It executed our payload function and the original function.
That’s it. There really isn’t much to this attack, but it can be very effective. A proxy DLL is just a DLL that proxies legitimate calls and runs your own payload. Proxy attacks allow an attacker to hijack execution flow but keep the original functionality of the application.
Let’s extend this to the Cobalt Strike Artifact Kit
Licensed users of Cobalt Strike have access to the artifact kit. This kit provide a way to modify several aspects of the .exe or .dll beacon payloads. Think of this as a beacon ‘loader’. The kit can be loaded by Cobalt Strike as an aggressor script to update how .exe or .dll payloads are built.
Now that we know the primitives from our example, we can easily update kit with the changes needed to convert beacon.dll into a proxy.
Modify the file src-main/dllmain.def by adding hello=original.hello @1 as an export option. This is the same as what was done in the example.
Build the kit using the build.sh script. By default, this will compile all kit techniques. Let it build them all. We will pick one to load.
Load the artifact kit aggressor script to tell Cobalt Strike to use the newly create template when building a payload. In this case we will use the ‘pipe’ technique. The aggressor script can be found in dist-pipe/artifact.cna after the build is complete.
Listener: Choose Your listener
Output: Windows DLL
x64: X
Click Generate and save as hello.dll.
Remember, this is the proxy DLL. It will replace the target DLL and the the target DLL will be renamed to original.dll.
Modified version of artifact.cna to output messages to the script console when the artifact kit is used
Let’s take a look at this beacon DLL payload (hello.dll):
dumpbin /exports hello.dll
exports of hello.dll (proxy)
We see the DLL has the default exports for beacon.dll and the new forwarding export.
Let’s test as we did before by using rundll32 as the target process that we want to attack.
rundll32 hello.dll, hello
Received a new beacon
hello.dll runs the beacon payload, and the hello function call was successfully proxied.
At this point, we turned beacon.dll in a proxy.
What Next?
This example only shows how to make beacon a DLL proxy. The artifact kit is a way to customize beacon.exe or beacon.dll. It can be used to help bypass AV/EDR. Consider exploring the possibilities of using the kit. Or, forget the artifact kit altogether and write your own beacon loader as a proxy DLL.
Using rundll32 isn’t exciting, but the attack technique itself is a great method for persistence. Many applications are installed in
c:\users\USER\AppData
This directory is writable by the user (vs something like c:\program files). This means an attacker with control over a target can find a target process and create a proxy DLL for that target. Take a look at the application installed in AppData, you may find a nice target.
Defensive Considerations
A great preventative control for this attack is for applications to validate the DLLs it loads. If a rouge/untrusted DLL is used, the application will not allow it to execute. During the writing of this post, I tested by targeting a popular chat application. It used digital signatures to validate the loaded DLLs. This worked great, except the user was presented with a popup asking if they would like to run the “untrusted” code. Clicking OK allowed my payload to run (partial win?). Prevention is great, be we need to ensure we can detect attacks when it fails.
Do not allow user controlled applications to be installed in user controlled directories. Install applications in directories the user can use but not modify (i.e., C:\Program Files).
File integrity monitoring may help.
Fortunately, the payloads executed from this attack the same. The proxy DLL is just a loader. The payloads executed by this loader may be detected through the normal means of a robust security operations program.
Before I get too far, I’ll touch on Aggressor scripting and the Sleep language. Remember that Cobalt Strike is a framework and is extensible by design using the Aggressor script language. It allows users to modify or control the framework with a script that is loaded through the GUI or headless client. Aggressor provides a great deal of flexibility, but the Sleep language at the heart of Aggressor is how these extensions must be written.
What is this Sleep-Python Bridge?
This project is an experiment on extending Cobalt Strike with python instead of Aggressor or Sleep.
NOTE: This project is very much in BETA. The goal is to provide a playground for testing and is in no way an officially supported feature. Perhaps this could be something added in the future to the core product.
How does this work?
The heart of this bridge is a python implementation of a headless Cobalt Strike client. This is achieved by using the Aggressor Script Console, provided by agscript, as the engine. Agscript allows for headless interaction with Cobalt Strike. The “bridge” works by using python helper functions in sleepy.py to generate the needed Sleep commands expected by the agscript console. Instead of writing the Sleep functions, striker.py provides helper functions that abstract Sleep and allows the use of python. In other words, this is a python wrapper to the console provided by agscript.
Notable changes from the original project
Because the PayloadAutomation project inspired this, it started with much of the same code, but I wanted to tweak to use the components needed to act as an agscript wrapper. This included:
Renaming from Payload_Automation to sleep_python_bridge. This project is more than payload generation.
Changing from a PyPI library to local modules. This was done for testing and may be a good candidate for a python library after extensive testing.
Updating and adding helpers to match Aggressor versions.
Adding ability to load external script.
What can you do with this “bridge?”
In short, anything you can do with Aggressor, you can do with this bridge via python: extract data, make operation decisions, automate beacon tasks, etc.
The best way to show what can be done is with a few examples.
Beacon logs are available at runtime in a teamserver or through the Beacon log files saved on the teamserver. The data is always there, but may not be presented in a way you would like. This is an example of log tracker that uses an HTML data grid to quickly view Beacon logs.
beaconlogtracker.py is a script that connects to a teamserver, extracts the running Beacon logs every 30 seconds, saves to beaconlogs.json, and displays in a searchable and sortable HTML data grid.
Beacon logs are always saved to the logs directory, but this is an alternate way to track the in memory logs with an alternate viewer. If the teamserver is restarted the in-memory logs are lost and you must refer to the logs stored in the logs directory on the teamserver. This script keeps in-memory logs synced to the file beaconlogs.json. This way you have a quick and easy way to visualize all data without digging through the logs directory even if Cobalt Strike is restarted.
Start the script by having it connect to your teamserver to sync logs every 30 seconds:
beaconlogtracker.py
Although the GUI is not needed, you can see the client logged on and that it provides feedback as it collects logs:
Log tracker event logs
Video Demo
This demo shows the HTML data grid view. It uses the beaconlogs.json file created by the log tracker script as its data source. The data grid allows for quick sorting or filtering or Beacon logs. The output from long commands is truncated and can be expanded. This could be a nice alternate view for a Red Team operator or a Red Team lead.
Demo of the HTML log viewer
Payload Generator
A feature often requested by Red Team operators is the ability to create payloads programmatically without the need for the Cobalt Strike GUI. The project referenced at the beginning of the blog did this with a payload generator. This was great, but there is a unique challenge. Aggressor provides several hooks to influence how a payload is built. These hooks are used by the various kits (i.e., artifact kit, sleep mask kit, or UDRL kit). They are normally used by loading an Aggressor Script through the GUI. This project was extended to allow the loading of external scripts. Without this, using this payload hooks would be difficult. This code could easily be extended to pass the payloads to external functions to add custom obfuscation, embed in a customer loader, or any other modification.
The payload generator script connects to the teamserver, loads the additional scripts, and creates payloads.
payloadgenerator.py
Using the event log for output, the payload generator script displays its progress as it loads the various scripts.
Event log output
To keep this somewhat modular, the payload generator script uses a base payload_scripts.cna file as a script loader. This points to all the modules that should be loaded.
payload_scripts.cna used as an ‘init’ script to load other modules
Beacon Grapher
The script beacongrapher.py connects to a teamserver, extracts Beacon metadata, and creates a JSON file that is used to display a javascript directed graph. The connection and extraction of data is functional, but the directed graph is a simple example. It could be refined to be more useful in a production environment.
The Beacon grapher script connects to the teamserver and extracts the Beacon metadata as a python object to save to JSON.
beacongrapher.py
Here’s an HTML directed graph view of the Beacon log:
I’m providing this as an idea. Feel free to take this and expand upon it. I only ask the your share your work or ideas. Perhaps we can make this an official part of the product at some point in the future.
Cobalt Strike is a post-exploitation framework designed to be extended and customized by the user community. Several excellent tools and scripts have been written and published, but they can be challenging to locate. Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike. The Cobalt Strike team acts as the curator and provides this kit to showcase this fantastic work.
Initially, the kit will be a maintained list of community created projects hosted on GitHub. It will highlight projects updated in the last 30 days and uses GitHub stars as an optional popularity ranking.
The community kit is hosted on the Cobalt Strike GitHub account
I want to thank the security community for creating great projects. Keep up the good work!
A word of caution (trust but verify)
The links in this resource point to public resources. Use caution before using. Review the source code and compile binaries yourself.
Disclaimer
These links are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by Fortra of any of the products, services or opinions of the corporation or organization or individual. Fortra bears no responsibility for the accuracy, legality or content of the external site or for that of subsequent links. Contact the external site owner for answers to questions regarding its content.
Cobalt Strike DoS Vulnerability (CVE-2021-36798)
SentinelOne discovered a denial of service (DoS) vulnerability in Cobalt Strike. The bug (aka Hotcobalt) can cause a denial of service on a teamserver by using a fake beacon sending abnormally large screenshots.
This bug has been fixed in Cobalt Strike 4.4
Consider mitigating this risk to a teamserver by hardening your C2 infrastructure.
Update to Cobalt Strike 4.4
Disable staging on versions of Cobalt Strike prior to 4.4
Limit access to your teamserver infrastructure to only trusted sources
Thank you, SentinelOne working with us and responsibly disclosing this bug.
You can now update Mimikatz between Cobalt Strike releases. Updates will periodically be made available to licensed users via the Arsenal as the Mimikatz Kit.
Usage:
Download and extract the .tgz from the Arsenal (Note: The version uses the Mimikatz release version naming (i.e., 2.2.0.20210724)
Load the mimikatz.cna aggressor script
Use mimikatz functions as normal
Using a mimikatz command will show output in the Script Console indicating a custom version is being used.
