Red Team infrastructure is a detail-heavy subject. Take the case of domain fronting through a CDN like CloudFront. You have to setup the CloudFront distribution, have a valid SSL configuration, and configure your profile properly. If any of these items is wrong, your C2 will not work. Many folks take “configure your profile properly” for granted. A profile that passes […]
CTA Type: Resource
PowerShell Shellcode Injection on Win 10 (v1803)
Cobalt Strike’s process to inject shellcode, via PowerShell, does not work with the latest Windows 10 update (v1803). While it’s possible to work without this capability, a lot of CS automation uses PowerShell. I’ve pushed an out-of-band update to Cobalt Strike 3.11 with a fix for this issue. What happened? The PowerShell shellcode injection scripts […]
Read More… from PowerShell Shellcode Injection on Win 10 (v1803)
Fighting the Toolset
What happens when your advantages become a disadvantage? That’s the theme of Fighting the Toolset. This lecture discusses Offensive PowerShell, staging, memory-injected DLLs, and remote process injection as technologies that deliver(ed) a universal advantage to attackers. Today, that’s not always the case. In some contexts, these technologies are the tell that gives you away. In […]
Cobalt Strike 3.11 – The snake that eats its tail
Cobalt Strike 3.11 is now available. This release adds to Cobalt Strike’s in-memory threat emulation and evasion capabilities, adds a means to run .NET executable assemblies without touching disk, and implements the Token Duplication UAC bypass attack. In-Memory Threat Emulation One of the things that makes Cobalt Strike different is its ability to emulate multiple […]
Read More… from Cobalt Strike 3.11 – The snake that eats its tail
Beware of Slow Downloads
I often receive emails that ask about slow file downloads with the Beacon payload. Here are the symptoms: When I get these emails, I usually ask the user about their Malleable C2 profile. Malleable C2 is a technology to change the network and memory indicators for Cobalt Strike’s Beacon payload. In some cases, it can alter the […]
In-Memory Evasion
Many analysts and automated solutions take advantage of various memory detections to find injected DLLs in memory. Memory detections look at the properties (and content) of processes, threads, and memory to find indicators of malicious activity in the current process. In-memory Evasion is a four-part mini course on the cat and mouse game related to […]
Cobalt Strike 3.10 – Хакер vs. 肉雞
Cobalt Strike 3.10 is now available. This release adds Unicode support to the Beacon payload, introduces a built-in report based on MITRE’s ATT&CK matrix, and performs endodontics on the Beacon payload. A Strategy for Unicode One of Cobalt Strike’s limitations is its ham-fisted handling of text. Cobalt Strike treats everything sent to and received from Beacon as binary […]
Modern Defenses and YOU!
Part 9 of Advanced Threat Tactics covers a lot of my thoughts on evasion. The ideas in that lecture are still relevant, the defenses discussed there didn’t go away! That said, there are other defenses and realities offensive operators must contend with today. This blog post discusses some of these and provides tips for adjusting […]
Kits, Profiles, and Scripts… Oh my!
If I had to describe Cobalt Strike in one word, I’d say ‘flexible’. There are a lot of options to control Cobalt Strike’s features and indicators. In this post, I’ll introduce these options, explain the rationale for each, and point you to resources to explore them further. Aggressor Script Aggressor Script is Cobalt Strike’s built-in […]
Cobalt Strike 3.9 – Livin’ in a Stager’s Paradise
Cobalt Strike 3.9 is now available. This release brings several additions to Malleable C2 with an emphasis on staging flexibility. Malleable HTTP/S Staging Stagers are tiny programs that download the Beacon payload and pass control to it. Stagers are a way to use a size-constrained attack to deliver a large payload like Beacon. While I recommend […]
Read More… from Cobalt Strike 3.9 – Livin’ in a Stager’s Paradise