Cobalt Strike
TeamServer
TeamServer Overview
Cobalt Strike
is split into a server, named the teamserver
, and client components. The teamserver
is at the core of the Cobalt Strike
infrastructure, with the beacons
calling back (directly or through a redirector) to the teamserver
for actions.
The teamserver
expose the TCP
port 50050 for clients access (using the Cobalt Strike
client component). The port should not be publicly exposed on the Internet, notably because scans are conducted by blue teams to identify Internet-facing Cobalt Strike
teamservers
. A remote access service (SSH
, VPN
, etc.) should be used instead for collaborative access.
Additionally, the beacons
should not call back directly to the teamserver
, but should instead call back to a redirector (such as Azure CDN
for example). This greatly limit the exposure of the teamserver
, and reduce the risk of the teamserver
being identified by the blue team.
Note that exposure of the teamserver
(port TCP
50050) should be restricted at a network level (for example through a security group
in AWS
or a network security group
in Azure
). An Internet-facing teamserver
could be leveraged by blue teams to retrieve the beacons
configuration by emulating staged beacons
callbacks. This can be for instance achieved using melting-cobalt
. ssh
may be used, for example, to forward the teamserver
TCP
port on attacking systems:
Malleable C2 Profiles overview
The way Cobalt Strike
beacons interact with the teamserver
can be customized through an optional Malleable C2 profile
, chosen upon the start of the teamserver
. A custom Malleable C2 profile
should always be used for operations, in order to limit the risk of detection.
The Malleable C2 Profile
notably controls:
The default
beacons
sleep time and optional jitter (to randomize the effectivebeacons
sleep time).Staging process, which is recommended to keep disabled (
set host_stage "false"
) for OPSEC issues (identification ofteamserver
by simulating a staged beacons). If disabled, only stagelessbeacons
will be usable.The
SSL
/TLS
certificate used byHTTPS
listeners.The
HTTP
beacons
requestsURI
and parameters, theteam-server
HTTP
responses content, as well as headers (User-Agent
,Referer
,Server
, etc.).The
TCP
beacons
listening port,SMB
beacons
named pipe,SSH
beacons
banner and pipe name,DNS
beacons
parameters (subhost forA
,AAAA
,TXT
records, max query size, etc.).Post-exploitation jobs behavior, such as the program used to spawn process for injection, activation of automated
AMSI
bypass in PowerShell jobs, WindowsAPI
leveraged for process injection (memory allocation and code injection), etc.
Detailed information about Cobalt Strike
Malleable C2 profile
various options can be found on:
Public Malleable C2 profiles
A number of public Malleable C2 Profiles
can be used as templates / references for further customization (publicly shared profiles shouldn't be used as is, due to known markers being already defined by security products).
Malleable profile(s) | Description |
---|---|
Profiles attempting to mimic a jquery.js request. | |
A number of profiles to mimic various services (Gmail, OCSP, wikipedia, etc.) as well as attacker groups (based on mostly outdated threat intelligence however). |
Cobalt Strike
's c2lint
utility can be used to check the validity of the specified profile: c2lint <C2_PROFILE_PATH>
.
Beacons obfuscation
Arsenal kit overview
https://www.cobaltstrike.com/scripts
Artefact kit: custom beacons PE
Resource kit: custom beacons scripts
The resource kit
is part of Cobalt Strike
property Arsenal
and contains PowerShell
, Python
, and VBA
templates used by Cobalt Strike
for related operations. The resource kit
is notably used for:
Script based beacon stagers (
PowerShell
andPython
).VBA
macro for generatedOffice
documents.PowerShell operations (commands and download)
PowerShell command and download one-liner for operations related to PowerShell (
powershell
,winrm
,psexec_psh
, etc.) or requiring file download (powershell-import
,elevate
,spawnas
/spawnu
, etc.).
The resource kit
can be loaded / reloaded using the script manager:
File | Description |
---|---|
|
|
| PowerShell template to compress PowerShell scripts (by default using |
| PowerShell template for x86 PowerShell beacon stagers.
Affected components:
- Windows EXE x86 stage-less PowerShell payload.
- Scripted Web Delivery (PowerShell).
- beacons' |
| PowerShell template for x64 PowerShell beacon stagers. Affected components: - Windows EXE x64 stage-less PowerShell payload. |
| VBA template for x86 payloads.
Affected components:
- Microsoft Office Macro Attack.
- HTML Application ( |
|
|
|
|
|
|
| Python for x86 and x64 payloads. Affected components: - Scripted Web Delivery (Python). |
Sleep kit: custom obfuscation for beacons sleeps
TODO
Custom beacon shellcode generator
The Cobalt Strike Shellcode Generator
aggressor script can be used to generate and format beacon
shellcode. The generated shellcode can be encrypted using XOR
or AES-256-CBC
, as well as encoded in base64
or compressed (in gzip
).
Custom beacon shellcode loader
Refer to the [Windows] - Shellcode and PE loader
note for more information on shellcode loaders that can be leveraged to execute Cobalt Strike
beacons.
Beacons commands (built-in and with third party Aggressor script)
Numerous beacon
commands are available, allowing a number of actions to be performed through Cobalt Strike
's beacons
. The commands arguments and description were largely taken from Cobalt Strike
help message, while the OpSec considerations were established using the very comprehensive official Cobalt Strike documentation, public resources (referenced at the end of the present note), and tests done in DetectionLab
.
Beacon Object Files OpSec considerations
A number of beacon
commands are implemented as Beacon Object Files (BOF)
. BOF
are compiled C programs, with certain limitations, that execute within a beacon
process. After completion of the execution, BOF
are cleaned from memory. BOF
leverage by default RWX
memory, which is suspicious and may get flagged by security products. This behavior can be changed through the Malleable C2
's profile process-inject
section:
Additionally, the built-in commands can be overridden / supplemented with Aggressor
scripts and third-party BOFs
.
The commands build around an internal BOF
will be specified in the following sections (as Beacon Object Files OpSec considerations
).
Spawn and run pattern OpSec considerations
A number of beacon
commands (execute-assembly
, powerpick
, ...) spawn a sacrificial process and inject code in the newly created process to conduct their operations.
A number of considerations should be taken into account for commands using the spawn and run pattern:
By default,
rundll.exe
is spawned as the sacrificial process, which can (and should) be changed using thespawnto <x86 | x64> <BINARY_FULL_PATH>
command.By default, the sacrificial process will be spawned as a child of the
beacon
process. This behavior can (and in most case should) be changed using theppid <PID>
command.The spawned process may be monitored by security products through userland
DLL
hooking even if the parent process is in an "unhooked" state. Under certain circumstances, theblockdlls start
command can be used to prevent userland hooking by leveraging a signature policy that blocks non-MicrosoftDLLs
from loading in the child process memory space.
The commands build around the spawn / fork and run pattern will be specified in the following sections (as Spawn and run pattern OpSec considerations
).
Process injection OpSec considerations
Some commands will default to spawning a new process (fork and run pattern) but will allow for the specification of an existing target process to inject into. Limited commands will also require injection into a remote process (browserpivot
and psinject
) with no possible alternative.
A number of considerations should be taken into account for code injection (and the beacon
commands build around it):
Injection across process arch require the use of more visible / monitored Windows
APIs
. As some commands require to be executed in ax64
process on ax64
system, it is recommended to make use ofx64
beacons as much as possible (to avoidx86
->x64
noisy injections).Self-injection uses the much less scrutinized
CreateThread
API
(by default). Specifying the currentbeacon
process for commands allowing the specification of a target process will result in self-injection. The tradeoff of self-injection is a potentialbeacon
lose if the injected code crashes or get detected and induce a kill of the process.While having other OpSec tradeoffs, the
spawnu
andrunu
commands can be used to avoid code injection by spawning, respectively, a newbeacon
or binary under another parent process. The child process created will inherit the security context of the parent process.
The Windows API
leveraged for the code injection are defined in the Malleable C2
's profile process-inject->execute
section:
The commands build around process injection (both optional or required) will be specified in the following sections (as Process injection OpSec considerations
).
PowerShell OpSec considerations
As specified in the "Resource kit: custom beacons scripts" section above, a number of commands rely on executing powershell.exe
.
Opsec Aggressor Profiles
A number of Opsec Aggressor Profiles can be loaded to overwrite and disable some of the built-in beacon
commands. Each profile disable a class of commands relying an a (potentially) dangerous / expensive OpSec pattern (such as execution of cmd.exe
or process injection). Note that these Aggressor
scripts do NOT limit the operations that are conducted through the Cobalt Strike
GUI client.
The following profiles are available:
cmd-execution.cna
: prevents commands that rely oncmd.exe
.powershell.cna
: prevents commands that rely onpowershell.exe
process-execution.cna
: prevents commands that spawn a new process.process-injection.cna
: prevents commands that rely on process injection.service-creation.cna
: prevents commands that create new services.template.cna
: template that may be used for any custom commands enabling / disabling.
The Aggressor
scripts also had a opsec
command that can be used to list all the beacon
commands and their activation status.
Community Aggressor scripts and BOFs
The Community Kit
is repository of extensions, including Aggressor scripts and BOFs, written by the community to extend Cobalt Strike
capabilities.
Repository | Description |
---|---|
Collection of | |
Complementary collection of | |
A .NET XOR encrypted aggressor script to execute in-memory | |
Binary and aggressor script to dump a process memory. Refer -to the | |
Adds the | |
Compress the specified file or folder (from local or |
General commands
Command | Description | OpSec considerations |
---|---|---|
| Print the help menu. | None (no communication with the |
| Call home and post data | |
| Set beacon sleep time | |
| Assign a note to this Beacon | |
| Show the command history | |
| List long-running post-exploitation tasks | |
| Kill a long-running post-exploitation task | |
| Kill a process | |
| Disconnect from parent Beacon | |
| Clear beacon queue | |
| Terminate the beacon session | |
| Take a single screenshot | Default to spawn and run pattern, supports explicit process injection. |
| Take a single screenshot via | Default to spawn and run pattern, supports explicit process injection. |
| Take periodic screenshots of desktop | Default to spawn and run pattern, supports explicit process injection. |
| Set the executable used to spawn processes into for spawn and run commands.
If spawning a process from |
Local system enumeration and interaction commands
Command | Description | OpSec considerations |
---|---|---|
| Show process list | |
| Network and host enumeration tool | Beacon Object Files OpSec considerations. Default to spawn and run pattern, supports explicit process injection. |
| Query the specified key in the registry registry. The | |
| Query, add, or delete keys/values in the registry. | Beacon Object Files OpSec considerations.
Specific OpSec considerations depending on the key modified (such as persistence operations through |
| Set an environment variable |
Filesystem interaction commands
Command | Description | OpSec considerations |
---|---|---|
| Print current directory | |
| List drives on target | |
| List files | |
| Change directory | |
| Make a directory | |
| Move a file | |
| Copy a file | |
| Remove a file or folder | |
| View and interact with target's desktop | |
| Upload a file to the current working directory.
The | |
| Download a file | |
| Lists file downloads in progress | |
| Cancel a download that's in-progress |
Command / code execution commands
New local beacon session
Command | Description | OpSec considerations |
---|---|---|
| Spawn a new process and inject a shellcode for a | |
| Similar to | While not fully following the spawn and run pattern, the process spawned will default to |
| Spawn a new |
Basic commands / programs execution
Command | Description | OpSec considerations |
---|---|---|
| Execute the specified command via | Not OpSec friendly and should generally be avoid.
The |
| Execute a program on target (no output) | |
| Execute a program under another PID |
PowerShell
Command | Description | OpSec considerations |
---|---|---|
| Execute a command via powershell.exe | |
| Execute a command via Unmanaged PowerShell | |
| Execute PowerShell command in specific process | |
| Import a PowerShell script |
In memory .NET assembly execution
Command | Description | OpSec considerations |
---|---|---|
| Execute a local | Spawn and run pattern OpSec considerations.
The |
| Execute a local |
|
Beacon Object File (BOF) execution
Command | Description | OpSec considerations |
---|---|---|
| Run a Beacon Object File in this session |
Shellcode / process injection
Command | Description | OpSec considerations |
---|---|---|
| Inject shellcode into a process | |
| Spawn process and inject shellcode into it | |
| Inject a Reflective DLL into a process | |
| Load DLL into a process with LoadLibrary() |
Defense evasion commands
Command | Description | OpSec considerations |
---|---|---|
| Apply timestamps from one file to another | |
| Set parent PID for spawned post-ex jobs | |
| Spoof arguments for matching processes | |
| Block non-Microsoft DLLs in child processes |
Credentials usage commands
Refer to [Windows] Lateral movement - Local credentials reuse
note for more information on Cobalt Strike
credentials usage capabilites (make_token
, runas
/ spawnas
, and runu
/ spawnu
commands).
Command | Description | OpSec considerations |
---|---|---|
| Replace the | |
beacon Windows | ||
| Execute a program as another user | |
| Execute a program in an elevated context | |
| Spawn a session as another user | |
| Pass-the-hash using Mimikatz | Default to spawn and run pattern, supports explicit process injection. |
| Apply Kerberos ticket from cache to this session | |
| Purge Kerberos tickets from this session | |
| Apply Kerberos ticket to this session |
Privileges and local privilege escalation commands
Command | Description | OpSec considerations |
---|---|---|
| Steal access token from a process | |
| Revert to original token | |
| Spawn a session in an elevated context |
Lateral movement commands
Command | Description | OpSec considerations |
---|---|---|
`portscan [<TARGET_PROCESS_PID>] [<TARGET_PROCESS_ARCH>] [] [] [<arp | icmp | none>]` |
| Execute a program on target (returns output) | |
| Spawn a session on a remote host using the current access token. | |
| Connect to a Beacon peer over a named pipe. SMB Beacon usage: https://www.youtube.com/watch?v=lelRK-SDubc | |
| Connect to a Beacon peer over TCP | |
| Run a command on a remote host |
Pivoting commands
Refer to [General] Pivoting - Cobalt Strike
for more information on Cobalt Strike
pivoting capabilites (rportfwd
/ rportfwd_local
, covertvpn
, and socks
commands).
Command | Description | OpSec considerations |
---|---|---|
| Setup a browser pivot session | |
| Setup a reverse port forward by redirecting requests on the compromised host's | |
| Setup a reverse port forward by redirecting requests on the compromised host's | |
| Deploy Covert VPN client | |
| Spawn and tunnel an agent via rportfwd | |
| Spawn and tunnel an agent via Cobalt Strike client rportfwd | |
| Use SSH to spawn an SSH session on a host | Default to spawn and run pattern, supports explicit process injection. |
| Use SSH to spawn an SSH session on a host | Default to spawn and run pattern, supports explicit process injection. |
| Start SOCKS4a server to relay traffic | |
| Stop SOCKS4a server |
Post-exploitation commands
Command | Description | OpSec considerations |
---|---|---|
| Start a keystroke logger | Default to spawn and run pattern, supports explicit process injection. |
| Recover credentials from Google Chrome | Default to spawn and run pattern, supports explicit process injection. |
| Dump password hashes | Default to spawn and run pattern, supports explicit process injection. |
| Dump credentials and hashes with mimikatz | Default to spawn and run pattern, supports explicit process injection. |
| Extract a password hash from a DC | Default to spawn and run pattern, supports explicit process injection. |
| Runs a mimikatz command | Default to spawn and run pattern, supports explicit process injection. |
mode dns
Use DNS A as data channel (DNS beacon only)
mode dns-txt
Use DNS TXT as data channel (DNS beacon only)
mode dns6
Use DNS AAAA as data channel (DNS beacon only)
References
https://www.cobaltstrike.com/help-start-cobaltstrike
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm
https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands
https://www.cobaltstrike.com/help-malleable-c2
https://github.com/threatexpress/malleable-c2
https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b
https://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet
https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
Last updated