The release of Cobalt Strike 3.0 also saw the release of Advanced Threat Tactics, a nine-part course on red team operations and adversary simulations. This course is nearly six hours of material with an emphasis on process, concepts, and tradecraft.
If you’d like to jump into the course, it’s on YouTube:
The YouTube ID of https://www.youtube.com/playlist?list=PL9HO6M_MU2nf8Fa5bVefBW-9bg5Rx94_c is invalid.
Here are a few notes to explore each topic in the course with more depth.
This is a course on red team operations and adversary simulations.
To learn more about Adversary Simulations and Red Team Operations:
Advanced Threat Actors:
Tools used in this course:
Advanced Threat Tactics starts with a high-level overview of Cobalt Strike’s model for distributed operations and red team collaboration.
To learn more about Cobalt Strike’s model for collaboration and operations:
- Watch Force Multipliers for Red Team Operations. This is my favorite talk I’ve given. Here, I summarize my work and insights on the red team collaboration problem. Today, I consider this a completed research project with the following blog posts capturing lessons learned on how to build infrastructure and organize a large red team to support operations (primarily in an exercise context).
- Read A Vision for Distributed Red Team Operations to learn more about Cobalt Strike’s model for distributed operations with multiple team servers.
- Read The Access Management Team [Shell Sherpas]. This blog post discusses the Access Manager role in depth.
- Read about The Post Exploitation Team. These are my notes on the folks who interact with targets to complete objectives and find interesting information.
- Read Infrastructure for Red Team Operations. Infrastructure is the foundation of any engagement. This post is my best practices for organizing infrastructure to support a long-term op with multiple targets.
- Consult The Red Team Infrastructure Wiki. This page is a collection of best practices for setting up, organizing, and securing red team infrastructure.
Infrastructure is the collection of domains, servers, and software that support your operation. One of Cobalt Strike’s strengths is its variety of communication channels and the flexibility you have to configure them. This lecture goes through the HTTP/HTTPS, DNS, and named pipe channels and shows you how to use special features with each. I also take you through how to stand up redirectors and test your infrastructure before an engagement.
To learn more about payload staging:
3. Targeted Attacks
This lecture goes through a process to execute a targeted spear phishing attack to get a foothold in a modern enterprise.
To learn more about this material:
4. Post Exploitation
This lecture shows how to use Beacon for post-exploitation. If you have to operate with Beacon, this is good core material to know.
To learn more about this material:
- Buy the Red Team Field Manual. This is a must-own for anyone working in this space. The tips and tricks here are quite applicable for all Beacon operators.
- Watch Flying a Cylon Raider. This talk is a platform agnostic look at how to conduct post-exploitation and lateral movement without the Metasploit Framework. Understanding the concepts in this talk will help you get the most from the material in this course.
- Interoperability with different offensive platforms is important. Read Session Passing from Cobalt Strike to learn how to pass sessions to the Metasploit Framework, PowerShell Empire, and other tools from Cobalt Strike.
5. Privilege Escalation
Think of this lecture as post exploitation, part 2. We dive into how to elevate privileges and use these privileges to harvest credentials and password hashes.
To learn more about User Account Control and the Bypass UAC attack:
- Read Windows Privilege Escalation Fundamentals. This tutorial has a number of command-line recipes to find files with credentials and other things you should look for when trying to elevate your rights.
- Read What you know about ’bout GPP? This blog post offers a look at the Group Policy Preferences privilege escalation vector. This is one of those issues that, while patched, remains an issue because the patch does not cleanup the problems created by this feature when it was last used. I didn’t have time to cover this problem in the course [six hours is enough!]; but this is a staple thing you should always check for.
- Download the Elevate Kit to add new exploits to Beacon’s elevate command. The Elevate Kit is a good example of how to bring exploits from PowerShell Empire, the Metasploit Framework, and other sources into Cobalt Strike.
6. Lateral Movement
This lecture is the use and abuse of native Windows capability and behavior to trade-up privileges and move around a network.
To learn more about enumeration and reconnaissance in a Windows Active Directory network:
Analysis of Trust Relationships
- Read A Guide to Attacking Domain Trusts by Will Schroeder. This is the ultimate red teamer’s reference to this topic. You’ll really want to go through all of Will’s blog to understand this topic fully. He posts a lot about domain trusts and user hunting. Too much for me to keep up with here.
- Read Derivative Local Admin by Justin Warner. This post discusses how you may understand and chain trust relationships (e.g., Bob is an admin on X, Joe is logged onto X, Joe is a domain admin) to elevate privileges in a network or attack a desired target.
Remote Management without Malware:
Remote Code Execution:
SOCKS, SOCKS, SOCKS! This lecture is about how to pivot with Beacon. You could also think about it as using and abusing SOCKS forwards, backwards, and any other way you want it.
More on this topic:
- Read the SOCKS protocol specification. SOCKS is a simple (1 page) protocol that allows a SOCKS-aware application to connect to a SOCKS server and ask that server to initiate a connection on the client’s behalf.
- Read Pivoting through SSH. This blog post describes the Proxies option in the Metasploit Framework.
- Read Hacking through a Straw: Pivoting over DNS. This post talks about the SOCKS pivoting capability in Beacon.
- Take a look at Cobalt Strike’s VPN Pivoting feature. I don’t talk about it much, because I don’t use it often. If you’d like to learn about layer-2 pivoting, I wrote a blog post on how this technology works with source code. It’s simpler than you might think.
- Cobalt Strike 3.5 added SSH sessions. If you want to control UNIX targets, it’s worth your time to read up on these. You can pivot through SSH sessions the same way you pivot through Beacon sessions.
8. Malleable C2
Malleable C2 is Cobalt Strike’s domain specific language to change indicators in the Beacon payload. This ability to make Beacon look like other malware is arguably what makes it a threat emulation tool.
More on this topic:
- Go to the Malleable C2 Profiles collection on Github. These are example profiles you may use as-is or as a base to build your own profiles.
- Watch the Puttering my Panda and Other Threat Replication Case Studies videos. These three case studies show how to use Cobalt Strike and Malleable C2 to emulate various advanced threat actors.
- Digging in deeper, How to Write Malleable C2 Profiles for Cobalt Strike, by Jeff Dimmock, is a good introduction to the topic of profile writing.
- Read the Malleable C2 documentation. There’s no substitute for reading the documentation on this feature. The documentation will take you through all of the concepts in this video. The documentation also has the latest information on what Malleable C2 can do. Since this video was made, Malleable C2 gained control of: DNS and named pipe indicators, code-signing certificates, payload staging, Beacon memory indicators, and it’s now possible to configure a profile to eliminate HTTP POST requests.
- Read A Deep Dive into Cobalt Strike Malleable C2. This blog post, by Joe Vest, walks through a well-documented profile and discusses OPSEC best practices for each section.
The Advanced Threat Tactics course concludes with a deep dive into evasion. This video is my to-the-minute notes on this topic.
To learn more about phishing and e-mail delivery:
- Read An Unnecessary Addiction to DNS Communication. I often hear from folks who insist that DNS is the only way out of their network and the only way to reach servers that are otherwise isolated from the network. This post goes into depth on the evasion options with Cobalt Strike’s DNS communication scheme and it digs into the capability available in Cobalt Strike’s other Beacon variants.
- Read HTTP Proxy Authentication for Malware to understand how Beacon’s HTTP/S stagers react to proxy authentication failures.
- Read about Domain Fronting, a collection of techniques to use high-reputation domains as callbacks for your HTTPS (and sometimes, HTTP) Beacons. This is an interesting tactic to obfuscate your controller, defeat site categorization, and blend in with legitimate traffic.
- Watch Operating in the Shadows given by Carlos Perez at DerbyCon 2015. In this talk, Carlos goes over the different advancements in blue’s ability to instrument Windows and the impact it will have on red teams and penetration testers who need to challenge them. This is a sign of things to come.
- Take a look at Microsoft’s Advanced Threat Analytics technology. This defense tracks which systems/users pull which active directory objects, when, and how often. It’s designed to catch that awesome stuff discussed in part 6 of this course.
- Also, check out UpRoot, an agentless host-based IDS written in PowerShell that leverages WMI subscriptions. UpRoot reports process creates, new network connections, and other host activity. Tools like UpRoot show the scrutiny red operators will need to learn to cope with when working with a mature hunt team.
- Watch Infocyte‘s video on Enterprise Hunt Operations. While this is a product advertisement, listen closely for the information it collects. As a red operator, you need to understand what your actions look like to analysts who use these hunt platforms. Your job is to figure out how to craft your activity to grow and challenge these analysts.
PowerShell and Anti-virus:
- Become familiar with the Malleable PE options introduced in Cobalt Strike 3.7. These options let you influence how Beacon lives in memory and change some indicators.
- Go through In-memory Evasion, a four-part (+ bonus addendum) course on the cat and mouse game related to memory detections. This course introduces common heuristics to detect memory-injected DLLs, where and why these heuristics work, and options to defeat these heuristics.
- Cobalt Strike is a flexible platform. This flexibility is a boon for working in mature and well-defended environments. Read Kits, Profiles, and Scripts… Oh my! to understand your options to customize Cobalt Strike and its indicators to your needs.
- Read Modern Defenses and YOU! for hints on how to adapt your use of Cobalt Strike to keep pace with the modern defender’s arsenal of capability.
- Watch Fighting the Toolset to understand the risk vs. reward trade-off of different offense techniques in Cobalt Strike. More importantly, this lecture discusses how to work-around Cobalt Strike’s default workflows to defeat defenses that target “advanced evasions”.
- Go through Choose Your Own Red Team Adventure. This collection of blog posts allows you to make different choices and experience the different outcomes working with a mature network defense organization.