Advanced Threat Tactics - Course and Notes - Cobalt Strike Research and Development

The release of Cobalt Strike 3.0 also saw the release of Advanced Threat Tactics, a nine-part course on red team operations and adversary simulations. This course is nearly six hours of material with an emphasis on process, concepts, and tradecraft.

If you’d like to jump into the course, it’s on YouTube:

The YouTube ID of https://www.youtube.com/playlist?list=PL9HO6M_MU2nf8Fa5bVefBW-9bg5Rx94_c is invalid.

Here are a few notes to explore each topic in the course with more depth.

0. Introduction

This is a course on red team operations and adversary simulations.

To learn more about Adversary Simulations and Red Team Operations:

Watch Red vs. Blue – Internal security penetration testing of Microsoft Azure. This short video is a plain language [read: management friendly] discussion of red team operations, metrics, and how an internal red team may benefit security operations.
Read Microsoft’s Enterprise Cloud Red Teaming whitepaper. Here Microsoft explains the “Assume Breach” philosophy. I’m a big believer in assume breach. This is an engagement philosophy where a red team is given access and focuses on the post-exploitation steps of a long-term embedded adversary to exercise detection and response.
Read Chris Gates’ Purple Teaming – Lessons Learned post for a peek into how Facebook does red and purple exercises.
Read Raphael’s Magic Quadrant. Here I summarize the shifts in our industry driving the development of Adversary Simulations as a service.
Browse the Red + Blue = PURPLE slides from 2015’s FIRST Technical Colloquium in the Netherlands. Here Stan Hegt from KPMG covers Adversary Simulations vs. Penetration Testing and goes through a case study working with a Dutch Bank.
Read Models for Red Team Operations. There is more to red team operations than “kick down the door and seduce the security guard” type assessments. In this post I try to point out some of the different uses of red teams.

Advanced Threat Actors:

Kiran Blanda maintains a GitHub repository with copies of public threat intelligence reports. Some companies put out material that shows their analysts know how to use IDA and take screenshots. Others provide some depth and speculate on the actor’s tradecraft. I really like the reports from Kaspersky and CrowdStrike.
Watch Michael Daly’s 2009 USENIX talk, The Advanced Persistent Threat. This talk pre-dates the marketing bonanza over APT actors and their work. This is a common sense discussion of the topic without an agenda. Even though it’s from 2009, the material is spot on.

Tools used in this course:

The primary operating platform in this course is Kali Linux 2.0.
While Cobalt Strike 3.0 no longer depends on Rapid7’s Metasploit Framework, it’s still an amazing collection of capability. This course demonstrates the synergy between Cobalt Strike and the Metasploit Framework in several places. Read Raffi’s Abridged Guide to Cobalt Strike for a quick primer on Cobalt Strike 3.0 and how it’s organized.
This course also uses PowerSploit, a powerful collection of PowerShell post-exploitation capability.
We also take advantage of PowerView and PowerUp (both are included with PowerSploit).
Later on, this course demonstrates how to use the Veil Evasion Framework to generate executables that evade most anti-virus products.

1. Operations

Advanced Threat Tactics starts with a high-level overview of Cobalt Strike’s model for distributed operations and red team collaboration.

To learn more about Cobalt Strike’s model for collaboration and operations:

Watch Force Multipliers for Red Team Operations. This is my favorite talk I’ve given. Here, I summarize my work and insights on the red team collaboration problem. Today, I consider this a completed research project with the following blog posts capturing lessons learned on how to build infrastructure and organize a large red team to support operations (primarily in an exercise context).
Read A Vision for Distributed Red Team Operations to learn more about Cobalt Strike’s model for distributed operations with multiple team servers.
Read The Access Management Team [Shell Sherpas]. This blog post discusses the Access Manager role in depth.
Read about The Post Exploitation Team. These are my notes on the folks who interact with targets to complete objectives and find interesting information.
Read Infrastructure for Red Team Operations. Infrastructure is the foundation of any engagement. This post is my best practices for organizing infrastructure to support a long-term op with multiple targets.
Consult The Red Team Infrastructure Wiki. This page is a collection of best practices for setting up, organizing, and securing red team infrastructure.

2. Infrastructure

Infrastructure is the collection of domains, servers, and software that support your operation. One of Cobalt Strike’s strengths is its variety of communication channels and the flexibility you have to configure them. This lecture goes through the HTTP/HTTPS, DNS, and named pipe channels and shows you how to use special features with each. I also take you through how to stand up redirectors and test your infrastructure before an engagement.

To learn more about payload staging:

Read OJ Reeve’s Deep Dive into Stageless Meterpreter Payloads on the Metasploit blog. This post provides depth on the staging process for Meterpreter and explains stageless Meterpreter payloads.
I also wrote Staged Payloads – What Penetration Testers Should Know. These are my thoughts on the subject if any of the above is unclear. 🙂 Understanding staging is very important to understand the behavior and design decisions in tools like Cobalt Strike.
Cobalt Strike’s payload staging does not have any security features built into it. I discuss this in Talk to your children about payload staging. This blog post also details how to change your operations to limit payload staging over hostile networks.

Beacon Communication:

Read Cloud-based Redirectors for Distributed Hacking. This post describes redirectors, why you would want to use them, and how to set them up with socat. Very similar to the model discussed in this course.
Read How to use a Valid SSL certificate with the HTTPS Beacon.
The introduction of the DNS data channels in Cobalt Strike led to several folks claiming, That’ll never work–we don’t allow port 53 out. This post calmly answers these claims with an explanation of how the DNS Beacon communicates.
DNS Communication is a pain in the rear to get right. Ron Bowes (author of DnsCat 2) goes through his lessons learned in the Secrets of DNS talk from DerbyCon 2014. His blog at skullsecurity.org is worth a read as well.
Read Stealthy Peer-to-peer C&C over SMB pipes. I added a named pipe channel to Cobalt Strike in late-2013. This feature wasn’t well understood, so I wrote this blog post to explain it better.

3. Targeted Attacks

This lecture goes through a process to execute a targeted spear phishing attack to get a foothold in a modern enterprise.

To learn more about this material:

Read What’s the go to phishing technique or exploit? This blog post summarizes the process I use to get a foothold in a modern enterprise.
Read the MetaPhish paper and watch the MetaPhish presentation. This talk greatly influenced my work.
Go deeper with the System Profiler in phishing system profiles without phone calls.
Go to BrowerSpy.dk to learn which information your browser tells others about you.

User-Driven Attacks:

Read User-driven Attacks. This blog post details the user-driven attacks available in Cobalt Strike 2.5. Most made it over to 3.0. 🙂
Read about why Cobalt Strike exposes x86 payloads over x64 payloads. There’s a valid(?) reason behind it.
The Microsoft Office Macro is one of my favorite user-driven attacks. Matt Weeks‘ has a great blog post on Direct Shellcode Execution in MS Office Macros.
Watch the Java Applet Code Signing Tutorial to learn how to extend the life of Cobalt Strike’s Signed Applet Attack. The Java Applet attack was popular for a long time. January 2014 really changed things for this attack. Obituary for the Java Signed Applet Attack provides some details on this.
Cobalt Strike’s Aggressor Script makes it easy to add new attacks to Cobalt Strike. CACTUS TORCH is a framework for payload generation which works well with Cobalt Strike. It has options to deliver x64 payloads and to operate stageless as well. DDEAutoCS sets up a macro-less code execution attack within Microsoft Office documents.

4. Post Exploitation

This lecture shows how to use Beacon for post-exploitation. If you have to operate with Beacon, this is good core material to know.

To learn more about this material:

Read Evolution of a Modern Hacking Payload. Beacon started life as an asynchronous lifeline to spawn Meterpreter sessions as needed. Over time Beacon gained features to allow an operator to use Beacon when Meterpreter was not an option. This post tells that story.
Read Beacon: An Operator’s Guide. This post discusses the concepts to know when using Beacon.
Browser Pivoting is a Cobalt Strike technique for man-in-the-browser session stealing with Internet Explorer. I wrote about this technique previously and presented it at DerbyCon 2013.
The Beacon Cheat Sheet by Will Schroeder is a useful Beacon reference.
Read OPSEC Considerations for Beacon Commands. It’s important to know your post-exploitation tools and what they do under the hood. This blog post documents which Beacon commands launch processes, which commands inject into other processes, etc.

Post-Exploitation:

Buy the Red Team Field Manual. This is a must-own for anyone working in this space. The tips and tricks here are quite applicable for all Beacon operators.
Watch Flying a Cylon Raider. This talk is a platform agnostic look at how to conduct post-exploitation and lateral movement without the Metasploit Framework. Understanding the concepts in this talk will help you get the most from the material in this course.
Interoperability with different offensive platforms is important. Read Session Passing from Cobalt Strike to learn how to pass sessions to the Metasploit Framework, PowerShell Empire, and other tools from Cobalt Strike.

5. Privilege Escalation

Think of this lecture as post exploitation, part 2. We dive into how to elevate privileges and use these privileges to harvest credentials and password hashes.

To learn more about User Account Control and the Bypass UAC attack:

Read User Account Control — What Penetration Tester’s Should Know. This blog post dives deep into user account control and different methods to elevate from a medium integrity context to a high integrity context.
Read Windows 7 UAC Whitelist: Code-injection Issue (and more) by Leo Davidson. This is the original reference on the UAC bypass attack.

Privilege Escalation:

Read Windows Privilege Escalation Fundamentals. This tutorial has a number of command-line recipes to find files with credentials and other things you should look for when trying to elevate your rights.
Read What you know about ’bout GPP? This blog post offers a look at the Group Policy Preferences privilege escalation vector. This is one of those issues that, while patched, remains an issue because the patch does not cleanup the problems created by this feature when it was last used. I didn’t have time to cover this problem in the course [six hours is enough!]; but this is a staple thing you should always check for.
Download the Elevate Kit to add new exploits to Beacon’s elevate command. The Elevate Kit is a good example of how to bring exploits from PowerShell Empire, the Metasploit Framework, and other sources into Cobalt Strike.

PowerUp:

Read PowerUp: A Usage Guide by its author Will Schroeder. This blog post will give you some ideas of other things PowerUp can do. Will’s presentation PowerUp – Automating Windows Privilege Escalation is worth a quick flip through as well.
Print the PowerUp cheat sheet.
Also read, Utilizing PowerUp.ps1 to Escalate Privileges on Windows 7 using an Unquoted Path Vulnerability. This blog post is a look at another one of PowerUp’s elevation vectors.

Mimikatz:

Study the Mimikatz Wiki to start your journey understanding what this tool can do. To get the most from mimikatz, you’ll really need to read its source code to really understand a feature.
Read Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest by Sean Metcalf. This post describes the mimikatz command misc::skeleton which applies an in-memory patch on a DC to allow a second password to work for any user in the domain. This is an advanced threat tactic described by Dell Secureworks CTU in their Skeleton Key Malware Analysis paper.
Sean Metcalf regularly blogs about Mimikatz at adsecurity.org. His Unofficial Guide to Mimikatz and Command Reference is a great place to start.

6. Lateral Movement

This lecture is the use and abuse of native Windows capability and behavior to trade-up privileges and move around a network.

To learn more about enumeration and reconnaissance in a Windows Active Directory network:

Watch Passing the Torch: Old School Red Teaming, New School Tactics? Here David McGuire and Will Schroeder go through their tricks to understand a Windows enterprise network the old school way (net view /DOMAIN and friends) vs. the new school way (with PowerShell).
Read PowerView: A Usage Guide to understand this wonderful tool from Will Schroeder to automate enumerating trusts, users, and hosts in an active directory environment.
Read the PowerView 2.0 post to understand the changes made to PowerView since this course was made. For example, Invoke-Netview no longer exists.
Print the PowerView 2.0 cheat sheet. It’s a handy reference.
Check out Netview by Rob Fuller. This tool enumerates systems using the Win32 Network Management API. I believe it was one of the original inspirations for PowerView and it certainly inspired Beacon’s net module as well.
Also, read I Hunt Sys Admins by Will Schroeder (him, again!) to learn different ways to find where a particular user lives on the network. This is important for targeting systems that may have trust material that gets you closer to the data you want or to DA rights on the network.
Read Attack Methods for Gaining Domain Admin Rights in Active Directory by Sean Metcalf. This post is a survey of different techniques used to gain Domain Admin rights in Active Directory.

Analysis of Trust Relationships

Read A Guide to Attacking Domain Trusts by Will Schroeder. This is the ultimate red teamer’s reference to this topic. You’ll really want to go through all of Will’s blog to understand this topic fully. He posts a lot about domain trusts and user hunting. Too much for me to keep up with here.
Read Derivative Local Admin by Justin Warner. This post discusses how you may understand and chain trust relationships (e.g., Bob is an admin on X, Joe is logged onto X, Joe is a domain admin) to elevate privileges in a network or attack a desired target.
Spend time with BloodHound, a JavaScript application that ingests data from a PowerShell script and identifies Active Directory trust-paths to reach a target of interest. This application automates a lot of the analysis that is necessary to identify lateral movement opportunities. My First Go with BloodHound shows how to setup and use this tool at a basic level.

Remote Management without Malware:

Read WinRM is my Remote Access Tool to learn about how to use WinRM to control a remote system from Beacon.
pHEAR the Invoke-WmiCommand cmdlet added to PowerSploit by Matt Graeber. This cmdlet uses WMI as a C2 channel to post commands AND get output back.
Read Malware Free Intrusions: Adversary Tricks and Treats on the CrowdStrike blog. This post goes over how the actor, Deep Panda, uses wmic to enable a backdoor that allows them to access a SYSTEM-level shell via RDP.
Watch Agentless Post-exploitation. This lecture is a survey of techniques to meet post-exploitation objectives without the use of malware on a target.

Pass-the-Hash:

Read How to Pass-the-Hash with Mimikatz. This blog post documents how to use mimikatz to pass-the-hash from Beacon
Read Pass-the-Hash is Dead: Long Live Pass-the-Hash by Will Schroeder. This blog post covers the May 2014 patch to Windows that puts restrictions around pass-the-hash.
Also, consult Pass-the-Hash is Dead: Long Live LocalAccountTokenFilterPolicy. This post is Will Schroeder’s March 2017 follow up to the his first post on this topic. This post documents how the restrictions around pass-the-hash really work and it explains the situations where these restrictions are not present.
Read Windows Access Tokens and Alternate Credentials. This post sheds light on how the pth and make_token commands in Beacon work.

Kerberos:

Read Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory by Sean Metcalf. This blog post provides an overview of how Kerberos works, the Golden Ticket, the Silver Ticket, and ms14-068.
Watch The Secret Life of Krbtgt by Chris Campbell to understand the Golden Ticket and its significance.
Read MS14-068 to DA by the mysterious idzer0. This one was patched awhile ago, but I had fun with it a few times. This exploit was an immediate elevation to DA. This blog post uses the Python Kerberos Exploitation Kit to kick off the attack. MWR InfoSecurity has a good write-up on this attack on their blog too. *nudge* *nudge* Beacon has a kerberos_ccache_use command now.

Remote Code Execution:

Read Authenticated Remote Code Execution in Windows by Matt Weeks for more ways to schedule or run a process on a remote system.
Read Covert Lateral Movement with High-Latency C&C to see my recipes for (manual) lateral movement with Beacon.
Read Phishing, Lateral Movement, SCADA, Oh My! by idzer0 goes through a case study of using SMB Beacon, PowerView, and WMI to pivot five levels deep and reach a SCADA controller.
Watch Lateral Movement given by Harlan Carvey at B-Sides Cincinnati. This talk describes several manual methods for lateral movement and indicators they leave behind.

7. Pivoting

SOCKS, SOCKS, SOCKS! This lecture is about how to pivot with Beacon. You could also think about it as using and abusing SOCKS forwards, backwards, and any other way you want it.

More on this topic:

Read the SOCKS protocol specification. SOCKS is a simple (1 page) protocol that allows a SOCKS-aware application to connect to a SOCKS server and ask that server to initiate a connection on the client’s behalf.
Read Pivoting through SSH. This blog post describes the Proxies option in the Metasploit Framework.
Read Hacking through a Straw: Pivoting over DNS. This post talks about the SOCKS pivoting capability in Beacon.
Take a look at Cobalt Strike’s VPN Pivoting feature. I don’t talk about it much, because I don’t use it often. If you’d like to learn about layer-2 pivoting, I wrote a blog post on how this technology works with source code. It’s simpler than you might think.
Cobalt Strike 3.5 added SSH sessions. If you want to control UNIX targets, it’s worth your time to read up on these. You can pivot through SSH sessions the same way you pivot through Beacon sessions.

8. Malleable C2

Malleable C2 is Cobalt Strike’s domain specific language to change indicators in the Beacon payload. This ability to make Beacon look like other malware is arguably what makes it a threat emulation tool.

More on this topic:

Go to the Malleable C2 Profiles collection on Github. These are example profiles you may use as-is or as a base to build your own profiles.
Watch the Puttering my Panda and Other Threat Replication Case Studies videos. These three case studies show how to use Cobalt Strike and Malleable C2 to emulate various advanced threat actors.
Digging in deeper, How to Write Malleable C2 Profiles for Cobalt Strike, by Jeff Dimmock, is a good introduction to the topic of profile writing.
Read the Malleable C2 documentation. There’s no substitute for reading the documentation on this feature. The documentation will take you through all of the concepts in this video. The documentation also has the latest information on what Malleable C2 can do. Since this video was made, Malleable C2 gained control of: DNS and named pipe indicators, code-signing certificates, payload staging, Beacon memory indicators, and it’s now possible to configure a profile to eliminate HTTP POST requests.
Read A Deep Dive into Cobalt Strike Malleable C2. This blog post, by Joe Vest, walks through a well-documented profile and discusses OPSEC best practices for each section.

9. Evasion

The Advanced Threat Tactics course concludes with a deep dive into evasion. This video is my to-the-minute notes on this topic.

To learn more about phishing and e-mail delivery:

Read E-mail Delivery – What Penetration Testers Should Know. This is a long blog post on the inner workings of email, SPF, DKIM, and DMARC.
Read SPF, DKIM, and DMARC Demystified by McAfee. This whitepaper summarizes the why and what of these technologies.
Watch Spoof my SMTP from This Week in Enterprise Tech, Episode 71. Here, I practice what I preach, and show how to deliver a carefully crafted phish to a webmail account I setup for testing purposes.

Anti-virus evasion:

Read Facts and myths about antivirus evasion with Metasploit by Michael Schierl.
Read the Artifact Kit documentation. This is Cobalt Strike’s source code framework to build executables and DLLs to get past some anti-virus products.

Application Whitelisting:

Read How to Inject Shellcode from Java. This blog post details how Cobalt Strike’s default applet attacks inject shellcode into memory from Java.

Egress Restrictions:

Read An Unnecessary Addiction to DNS Communication. I often hear from folks who insist that DNS is the only way out of their network and the only way to reach servers that are otherwise isolated from the network. This post goes into depth on the evasion options with Cobalt Strike’s DNS communication scheme and it digs into the capability available in Cobalt Strike’s other Beacon variants.
Read HTTP Proxy Authentication for Malware to understand how Beacon’s HTTP/S stagers react to proxy authentication failures.
Read about Domain Fronting, a collection of techniques to use high-reputation domains as callbacks for your HTTPS (and sometimes, HTTP) Beacons. This is an interesting tactic to obfuscate your controller, defeat site categorization, and blend in with legitimate traffic.

Active Defenders:

Watch Operating in the Shadows given by Carlos Perez at DerbyCon 2015. In this talk, Carlos goes over the different advancements in blue’s ability to instrument Windows and the impact it will have on red teams and penetration testers who need to challenge them. This is a sign of things to come.
Take a look at Microsoft’s Advanced Threat Analytics technology. This defense tracks which systems/users pull which active directory objects, when, and how often. It’s designed to catch that awesome stuff discussed in part 6 of this course.
Also, check out UpRoot, an agentless host-based IDS written in PowerShell that leverages WMI subscriptions. UpRoot reports process creates, new network connections, and other host activity. Tools like UpRoot show the scrutiny red operators will need to learn to cope with when working with a mature hunt team.
Watch Infocyte‘s video on Enterprise Hunt Operations. While this is a product advertisement, listen closely for the information it collects. As a red operator, you need to understand what your actions look like to analysts who use these hunt platforms. Your job is to figure out how to craft your activity to grow and challenge these analysts.

PowerShell and Anti-virus:

Read Advances in Scripting Security and Protection in Windows 10 and PowerShell V5. Windows 10 changed the security game in a big way. This post from Microsoft goes through the new logging hooks to understand PowerShell activity on a system and the hooks that allow anti-virus engines to look for malicious PowerShell.
After you’ve decided that offense PowerShell is dead, go read Exploring PowerShell AMSI and Logging Evasion by Adam Chester to learn about options to push back on this instrumentation. Maybe one of those options will work with Cobalt Strike 3.12’s POWERSHELL_DOWNLOAD_CRADLE hook?
If it’s difficult to use PowerShell in your environment, consider a move to .NET. Will Schroeder released Ghostpack, a collection of offense automation written in C#. These tools work well with Cobalt Strike 3.11’s execute-assembly command.

In-memory Evasion:

Become familiar with the Malleable PE options introduced in Cobalt Strike 3.7. These options let you influence how Beacon lives in memory and change some indicators.
Go through In-memory Evasion, a four-part (+ bonus addendum) course on the cat and mouse game related to memory detections. This course introduces common heuristics to detect memory-injected DLLs, where and why these heuristics work, and options to defeat these heuristics.

Modern Defenses:

Cobalt Strike is a flexible platform. This flexibility is a boon for working in mature and well-defended environments. Read Kits, Profiles, and Scripts… Oh my! to understand your options to customize Cobalt Strike and its indicators to your needs.
Read Modern Defenses and YOU! for hints on how to adapt your use of Cobalt Strike to keep pace with the modern defender’s arsenal of capability.
Watch Fighting the Toolset to understand the risk vs. reward trade-off of different offense techniques in Cobalt Strike. More importantly, this lecture discusses how to work-around Cobalt Strike’s default workflows to defeat defenses that target “advanced evasions”.
Go through Choose Your Own Red Team Adventure. This collection of blog posts allows you to make different choices and experience the different outcomes working with a mature network defense organization.