Beacon is Cobalt Strike’s payload for red team actions. Beacon is a stable lifeline that can serve as a communication layer. Meterpreter is a fantastic post-exploitation agent with a lot of features. Used together, Beacon and Meterpreter give you a lot of options for stealth and indirection. In this post, I’ll take you through different ways to use […]
Read More… from Four Levels of Hacking Sophistication with Beacon
The Java Signed Applet Attack is a staple social engineering option. This attack presents the user with a signed Java Applet. If the user allows this applet to run, the attacker gets access to their system. Val Smith’s 2009 Meta-Phish paper made this attack popular in the penetration testing community. Last week’s Java 1.7 update […]
Read More… from Obituary: Java Self-Signed Applet (Age: 1.7u51)
A common trait among persistent attackers is their distributed infrastructure. A serious attacker doesn’t use one system to launch attacks and catch shells from. Rather, they register many domains and setup several systems to act as redirectors (pivot points) back to their command and control server. As of last week, Cobalt Strike now has full […]
Read More… from Cloud-based Redirectors for Distributed Hacking
Cobalt Strike has always exposed the Metasploit Framework’s tool to generate executables. Unfortunately, these executables are caught by anti-virus products. I’ve had a lot of feedback about this and I know it’s annoying. The latest release of Cobalt Strike now generates artifacts from its own Artifact Kit. The Artifact Kit is a proprietary source code […]
Read More… from Cobalt Strike 01.08.14 – EXE Artifacts: A New Hope
Malware like Zeus and its variants inject themselves into a user’s browser to steal banking information. This is a man-in-the-browser attack. So-called, because the attacker is injecting malware into the target’s browser. Man-in-the-browser malware uses two approaches to steal banking information. They either capture form data as it’s sent to a server. For example, malware […]
Yesterday, one of my customers asked about x64 payloads in Cobalt Strike. Specifically, he wanted to know why Cobalt Strike doesn’t expose them. I’ve already replied to the question, but I think it makes an interesting blog post. Cobalt Strike’s listener management feature pretends that 64-bit payloads don’t exist. Beacon is a 32-bit payload with […]
Beacon is my payload for low and slow control of a compromised system. Recently, I added peer-to-peer communication to Beacon. When two Beacons are linked, the child Beacon will get its tasks from and send its output through its parent. Linked Beacons use SMB pipes to communicate. This is a big win for stealth. If a workstation […]
<update 03:30pm> I’ve had some feedback that this post describes a concept that is too basic to put into blog form. I can see where this confusion may occur. Most literature that describes pivoting through Meterpreter, shows how to setup a payload connection that goes through Meterpreter (e.g., a bind payload). What isn’t well known or documented, […]
Read More… from Reverse Meterpreter Connect-backs through a Compromised Host
I’m pleased to announce Cobalt Strike 1.48. This release introduces a peer-to-peer data channel for Beacon, improves browser pivoting, and updates the signed applet attack with options the latest Java 1.7 updates require. Peer-to-Peer Beacon It’s hard to stay hidden when many compromised systems call out to the internet. To solve this problem, Beacon now supports peer-to-peer command and […]
Sometimes, it’s easy to get code execution in a network, but very difficult to egress out of it. When you are an external actor trying to get a foothold, it’s important that your attack package use a payload that’s likely to leave your target’s network. If you can’t get out, all of your work is […]
Read More… from Evade Egress Restrictions with Staged Payloads