Cobalt Strike

TeamServer

TeamServer Overview

Cobalt Strike is split into a server, named the teamserver, and client components. The teamserver is at the core of the Cobalt Strike infrastructure, with the beacons calling back (directly or through a redirector) to the teamserver for actions.

The teamserver expose the TCP port 50050 for clients access (using the Cobalt Strike client component). The port should not be publicly exposed on the Internet, notably because scans are conducted by blue teams to identify Internet-facing Cobalt Strike teamservers. A remote access service (SSH, VPN, etc.) should be used instead for collaborative access.

Additionally, the beacons should not call back directly to the teamserver, but should instead call back to a redirector (such as Azure CDN for example). This greatly limit the exposure of the teamserver, and reduce the risk of the teamserver being identified by the blue team.

# Starts the teamserver over the given IP and with the specified shared password (for clients access).

./teamserver <LISTENING_IP> <PASSWORD> [<C2_PROFILE_PATH>] [<BEACON_KILL_DATE_YYYY-MM-DD>]

Note that exposure of the teamserver (port TCP 50050) should be restricted at a network level (for example through a security group in AWS or a network security group in Azure). An Internet-facing teamserver could be leveraged by blue teams to retrieve the beacons configuration by emulating staged beacons callbacks. This can be for instance achieved using melting-cobalt. ssh may be used, for example, to forward the teamserver TCP port on attacking systems:

# forwards locally the Cobalt Strike teamserver on port TCP 50050.
# The Cobalt Strike client can then be used on attacking systems to connect to the teamserver (at 127.0.0.1).
ssh [-i <PRIVATE_KEY>] -nNT -L 50050:127.0.0.1:50050 <USERNAME>@<TEAMSERVER_PUBLIC_IP>

Malleable C2 Profiles overview

The way Cobalt Strike beacons interact with the teamserver can be customized through an optional Malleable C2 profile, chosen upon the start of the teamserver. A custom Malleable C2 profile should always be used for operations, in order to limit the risk of detection.

The Malleable C2 Profile notably controls:

• The default beacons sleep time and optional jitter (to randomize the effective beacons sleep time).

• Staging process, which is recommended to keep disabled (set host_stage "false") for OPSEC issues (identification of teamserver by simulating a staged beacons). If disabled, only stageless beacons will be usable.

• The SSL / TLS certificate used by HTTPS listeners.

• The HTTP beacons requests URI and parameters, the team-server HTTP responses content, as well as headers (User-Agent, Referer, Server, etc.).

• The TCP beacons listening port, SMB beacons named pipe, SSH beacons banner and pipe name, DNS beacons parameters (subhost for A, AAAA, TXT records, max query size, etc.).

• Post-exploitation jobs behavior, such as the program used to spawn process for injection, activation of automated AMSI bypass in PowerShell jobs, Windows API leveraged for process injection (memory allocation and code injection), etc.

Detailed information about Cobalt Strike Malleable C2 profile various options can be found on:

• threatexpress's malleable-c2 GitHub repository

• SpecterOps's A Deep Dive into Cobalt Strike Malleable C2 blog post

Public Malleable C2 profiles

A number of public Malleable C2 Profiles can be used as templates / references for further customization (publicly shared profiles shouldn't be used as is, due to known markers being already defined by security products).

Cobalt Strike's c2lint utility can be used to check the validity of the specified profile: c2lint <C2_PROFILE_PATH>.

Beacons obfuscation

Arsenal kit overview

https://www.cobaltstrike.com/scripts

Artefact kit: custom beacons PE

Resource kit: custom beacons scripts

The resource kit is part of Cobalt Strike property Arsenal and contains PowerShell, Python, and VBA templates used by Cobalt Strike for related operations. The resource kit is notably used for:

• Script based beacon stagers (PowerShell and Python).

• VBA macro for generated Office documents.

• PowerShell operations (commands and download)

• PowerShell command and download one-liner for operations related to PowerShell (powershell, winrm, psexec_psh, etc.) or requiring file download (powershell-import, elevate, spawnas / spawnu, etc.).

The resource kit can be loaded / reloaded using the script manager:

Cobalt Strike -> Script Manager -> Load / Reload -> resources.cna

Sleep kit: custom obfuscation for beacons sleeps

TODO

Custom beacon shellcode generator

The Cobalt Strike Shellcode Generator aggressor script can be used to generate and format beacon shellcode. The generated shellcode can be encrypted using XOR or AES-256-CBC, as well as encoded in base64 or compressed (in gzip).

Custom beacon shellcode loader

Refer to the [Windows] - Shellcode and PE loader note for more information on shellcode loaders that can be leveraged to execute Cobalt Strike beacons.

Beacons commands (built-in and with third party Aggressor script)

Numerous beacon commands are available, allowing a number of actions to be performed through Cobalt Strike's beacons. The commands arguments and description were largely taken from Cobalt Strike help message, while the OpSec considerations were established using the very comprehensive official Cobalt Strike documentation, public resources (referenced at the end of the present note), and tests done in DetectionLab.

Beacon Object Files OpSec considerations

A number of beacon commands are implemented as Beacon Object Files (BOF). BOF are compiled C programs, with certain limitations, that execute within a beacon process. After completion of the execution, BOF are cleaned from memory. BOF leverage by default RWX memory, which is suspicious and may get flagged by security products. This behavior can be changed through the Malleable C2's profile process-inject section:

process-inject {
     # [...]
     set startrwx "false";
     set userwx    "false";
     # [...]
}

Additionally, the built-in commands can be overridden / supplemented with Aggressor scripts and third-party BOFs.

The commands build around an internal BOF will be specified in the following sections (as Beacon Object Files OpSec considerations).

Spawn and run pattern OpSec considerations

A number of beacon commands (execute-assembly, powerpick, ...) spawn a sacrificial process and inject code in the newly created process to conduct their operations.

A number of considerations should be taken into account for commands using the spawn and run pattern:

• By default, rundll.exe is spawned as the sacrificial process, which can (and should) be changed using the spawnto <x86 | x64> <BINARY_FULL_PATH> command.

• By default, the sacrificial process will be spawned as a child of the beacon process. This behavior can (and in most case should) be changed using the ppid <PID> command.

• The spawned process may be monitored by security products through userland DLL hooking even if the parent process is in an "unhooked" state. Under certain circumstances, the blockdlls start command can be used to prevent userland hooking by leveraging a signature policy that blocks non-Microsoft DLLs from loading in the child process memory space.

The commands build around the spawn / fork and run pattern will be specified in the following sections (as Spawn and run pattern OpSec considerations).

Process injection OpSec considerations

Some commands will default to spawning a new process (fork and run pattern) but will allow for the specification of an existing target process to inject into. Limited commands will also require injection into a remote process (browserpivot and psinject) with no possible alternative.

A number of considerations should be taken into account for code injection (and the beacon commands build around it):

• Injection across process arch require the use of more visible / monitored Windows APIs. As some commands require to be executed in a x64 process on a x64 system, it is recommended to make use of x64 beacons as much as possible (to avoid x86 -> x64 noisy injections).

• Self-injection uses the much less scrutinized CreateThread API (by default). Specifying the current beacon process for commands allowing the specification of a target process will result in self-injection. The tradeoff of self-injection is a potential beacon lose if the injected code crashes or get detected and induce a kill of the process.

• While having other OpSec tradeoffs, the spawnu and runu commands can be used to avoid code injection by spawning, respectively, a new beacon or binary under another parent process. The child process created will inherit the security context of the parent process.

The Windows API leveraged for the code injection are defined in the Malleable C2's profile process-inject->execute section:

# More information on the configuration can be found in the official Cobalt Strike documentation at:
# https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike/
process-inject {
    # Set the remote memory allocation API.
    set allocator "NtMapViewOfSection";

    # Set the content and properties of the injected memory section.
    set min_alloc "16384";
    set startrwx "false";
    set userwx    "false";

    # Set padding instructions, used if needed to reach minimal allocation size.
    transform-x86 {
        prepend "\x90";
    }

    transform-x64 {
        prepend "\x90";
    }

    # Specify the Windows API used for starting the code execution.
    # The API will be used in order if prerequisites are matched.
    # The execute section should cover the following cases: self injection, injection into suspended temporary processes, cross-session remote process injection, x86 -> x64 / x64 -> x86 injection, and injection with or without passing an argument.
    execute {

        # Self injection attempted only if the target process is equal to the current process.
        CreateThread "ntdll!RtlUserThreadStart";
        CreateThread;

        # Only called if the targeted process is suspended.
        # Process arch limitations: x86 -> x86, x64 -> x64, or x64 -> x86.
        # Can be choosen over NtQueueApcThread-s.
        # SetThreadContext

        # Only called if the targeted process is suspended.
        # Current and targeted process should be of the same arch (x86 -> x86 or x64 -> x64).
        NtQueueApcThread-s;

        # Creates a RWX stub and register it to the APC queue of every thread in the remote process.
        # If a thread enters an "alertable" state, the stub will execute and call CreateThread on the injected code (to quickly let the original thread continue its normal execution).
        # Current and targeted process should be of the same arch (x86 -> x86 or x64 -> x64).
        # NtQueueApcThread

        # Very visible / monitored API.
        # Process arch limitations: x86 -> x86, x64 -> x64, or x64 -> x86.
        CreateRemoteThread;

        # Very visible / monitored API.
        # No process arch limitation (covers x86 -> x86, x86 -> x64, x64 -> x64, and x64 -> x86).
        # Uses RWX memory for x86 -> x64 injection.
        # Allows code injection across session boundaries.
        RtlCreateUserThread;
    }
}

The commands build around process injection (both optional or required) will be specified in the following sections (as Process injection OpSec considerations).

PowerShell OpSec considerations

As specified in the "Resource kit: custom beacons scripts" section above, a number of commands rely on executing powershell.exe.

Opsec Aggressor Profiles

A number of Opsec Aggressor Profiles can be loaded to overwrite and disable some of the built-in beacon commands. Each profile disable a class of commands relying an a (potentially) dangerous / expensive OpSec pattern (such as execution of cmd.exe or process injection). Note that these Aggressor scripts do NOT limit the operations that are conducted through the Cobalt Strike GUI client.

The following profiles are available:

• cmd-execution.cna: prevents commands that rely on cmd.exe.

• powershell.cna: prevents commands that rely on powershell.exe

• process-execution.cna: prevents commands that spawn a new process.

• process-injection.cna: prevents commands that rely on process injection.

• service-creation.cna: prevents commands that create new services.

• template.cna: template that may be used for any custom commands enabling / disabling.

The Aggressor scripts also had a opsec command that can be used to list all the beacon commands and their activation status.

Community Aggressor scripts and BOFs

The Community Kit is repository of extensions, including Aggressor scripts and BOFs, written by the community to extend Cobalt Strike capabilities.

General commands

Local system enumeration and interaction commands

Filesystem interaction commands

Command / code execution commands

New local beacon session

Basic commands / programs execution

PowerShell

In memory .NET assembly execution

Beacon Object File (BOF) execution

Shellcode / process injection

Defense evasion commands

Credentials usage commands

Refer to [Windows] Lateral movement - Local credentials reuse note for more information on Cobalt Strike credentials usage capabilites (make_token, runas / spawnas, and runu / spawnu commands).

Privileges and local privilege escalation commands

Lateral movement commands

Pivoting commands

Refer to [General] Pivoting - Cobalt Strike for more information on Cobalt Strike pivoting capabilites (rportfwd / rportfwd_local, covertvpn, and socks commands).

Post-exploitation commands

mode dns Use DNS A as data channel (DNS beacon only)

mode dns-txt Use DNS TXT as data channel (DNS beacon only)

mode dns6 Use DNS AAAA as data channel (DNS beacon only)

References

https://www.cobaltstrike.com/help-start-cobaltstrike

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm

https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands

https://www.cobaltstrike.com/help-malleable-c2

https://github.com/threatexpress/malleable-c2

https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b

https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet

https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/