This blog post is a collection of articles and links Cobalt Strike users may find interesting. Let’s jump into it:
Redirectors are a popular offensive technique to obscure a C2 server’s actual source. They’re also nice because you can create and remove redirectors much easier than tearing down and standing up new C2 servers. I’ve written about HTTP redirectors in the past, but I’ve never had a good solution for DNS Beacons. rvrsh3ll to the rescue! Redirecting Cobalt Strike DNS Beacons shows how to stand up DNS redirectors for Cobalt Strike’s DNS Beacon.
Using NetShell to Execute Evil DLLs and Persist on a Host describes how to load a “Helper DLL” into NetShell for persistence and code execution. Marc Smeets from Outflank B.V. adapted the post’s concepts into a POC to kick off Cobalt Strike’s Beacon with this technique.
Optiv has a blog post that describes how to (ab)use MSSQL Agent Jobs to execute a payload. The payload in this post? Cobalt Strike’s Beacon. Here’s a demo of the attack:
Cobalt Strike has reverse port forwards. Cobalt Strike also has SOCKS pivoting. Why not port forwards? Who knows! Fortunately, it’s easy enough to script a portfwd [target] [port] command with Aggressor Script. This command opens up [port] on the team server and forwards it through through the Beacon’s C2 path to the specified [host]:[port]. Unfortunately, the primitives exposed by CS’s team server don’t account for port bending. Maybe a future improvement?
I’ve slowed down on my blogging since this year’s BlackHat and DEF CON. I’m hard at work on the 3.5 release and haven’t had spare cycles to put into blogging. That said, Cobalt Strike’s users have more than picked up the slack. Here’s a collection of recent links that Cobalt Strike users may find interesting.
SPARTAN-001 has a post on /r/HowToHack that describes his use of Responder, Cobalt Strike, mimikatz, and Bloodhound to go from zero to domain admin in a few short hours. These first hand accounts are always fun to read.
Chris Truncer has a blog post on how to receive a text message when a new Beacon comes into a team server. A few of these scripts were written for Cobalt Strike 2.x, but I haven’t seen a public example for Cobalt Strike 3.0 and later yet. Thanks Chris!
Alex Rymdeko-harvey has posted a script that builds a ready-to-use HTTPS certificate for Cobalt Strike with LetsEncrypt. I’d love to see a blog post on this 🙂 *nudge* *nudge*. I’ve had multiple folks ask about how to use LetsEncrypt with Cobalt Strike. This script is a good place to start.
This script from Jeff (just Jeff) shows how to use Eclipse to build Java/SWING GUIs and port these to the Aggressor Script language. This is actually easier than you might think. Cobalt Strike’s Aggressor Script can call Java APIs directly. If you’d like to build some GUIs to go with your scripts, take a look at this post.