General notes and advice for the Cobalt Strike C2 framework.

Menus:
- Cobalt Strike: The first and most basic menu. It contains the functionality for connecting to a team server, setting your preferences, changing the view of beacon sessions, and managing listeners and aggressor scripts.
- View: The view menu consists of elements that manage targets, logs, harvested credentials, screenshots, keystrokes etc. Its main purpose is to provide an easy way to access the output of many modules and to manage your loot and domain targets.
- Attacks: This menu contains numerous client-side attack generation methods such as phishing mails, website cloning and file hosting. It also provides numerous ways to generate your beacon payloads, or just to generate shellcode and save it for later use with another obfuscation tool.
- Reporting: It provides an easy way to generate PDF or spreadsheet files containing information about the execution of an attack; this helps you organize small reports, making the final report-writing process easier.

Listeners:
- HTTP/HTTPS: The most basic payloads for beacon. By default the listeners will listen on ports 80 and 443, with the option to set custom ports. You also have options to set proxy settings, customize the HTTP header, or specify a bind port to redirect beacon's traffic if the infrastructure uses redirector servers for the payload callbacks.
- DNS: A very stealthy payload option that provides stealthier traffic over the DNS protocol; you need to specify the DNS server to connect to. The best situation to use this type of listener is a really locked-down environment that blocks even common traffic like ports 80 and 443.
- TCP: A basic TCP listener bound to a specific port.
- SMB: An amazing option for internal spread and lateral movement. This payload uses named pipes over the SMB protocol and is the best approach to bypass firewalls when even default ports like 80 and 443 are blacklisted.
- Foreign HTTP/HTTPS: These types of listeners give us the option to pass a session from the Metasploit Framework to Cobalt Strike using either HTTP or HTTPS payloads. A useful example is to execute an exploit module from Metasploit and gain a beacon session on Cobalt Strike.
- External C2: This is a special type of listener that gives 3rd-party applications the option to act as a communication medium for beacon.

Malleable C2 Profiles:
In simple words, a malleable C2 profile is a configuration file that defines how beacon will communicate and behave when it executes modules, spawns processes and threads, injects DLLs, or touches disk and memory. Not only that, but it also configures how the payload's traffic will look in a pcap, the communication interval and jitter, etc. The big advantage of custom malleable C2 profiles is that we can configure and customize our payload to match our situation and target environment; that way we make ourselves stealthier, as we blend in with the environment's traffic.

Aggressor Scripts:
Aggressor Script is the scripting language built into Cobalt Strike, version 3.0 and later. Aggressor Script allows you to modify and extend the Cobalt Strike client. These scripts can add additional functions to existing modules or create new ones.
Aggressor Script Tutorial

Common Commands:
- help: List the available commands.
- help <module>: Show the help menu of the selected module.
- run: Execute OS commands using Win32 API calls.
- shell: Execute OS commands by spawning "cmd.exe /c".
- powershell: Execute commands by spawning "powershell.exe".
- powershell-import: Import a local PowerShell module into the current beacon process.
- powerpick: Execute PowerShell commands without spawning "powershell.exe", using only.
- sleep: Set the interval and jitter of beacon's callback.
Timestomp C:\Users\S1ckB0y1337\Desktop\logins.xlsx C:\Users\S1ckB0y1337\Desktop\notmalicious.xlsx

Session Prepping:
Before engaging in any post-exploitation action after we have compromised a host, we should prepare our beacon to match the environment's behaviour, so that we generate the fewest IOCs (Indicators of Compromise) we can. To do that we can use the "spawnto" module to specify which binary our child processes will use to execute post-exploitation actions, and we can use the "ppid" module to spoof the parent process that our child processes will spawn under. Both those tricks will provide us with a good amount of stealth and will hide our presence on the compromised host.
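The callback interval and jitter these notes mention (set with "sleep" and fixed in the malleable C2 profile) are also what a defender hunts for in proxy logs. As an added example, not taken from the original notes, a small Python detector run over constructed log lines that flags flows whose callback gaps stay nearly constant despite jitter; the log format, hosts and thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the page), one "timestamp src dst" per line:
# 10.0.0.5 calls back every ~60 s with ~10% jitter, 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10
2024-01-01T10:00:57 10.0.0.5 203.0.113.10
2024-01-01T10:02:00 10.0.0.5 203.0.113.10
2024-01-01T10:02:56 10.0.0.5 203.0.113.10
2024-01-01T10:04:00 10.0.0.5 203.0.113.10
2024-01-01T10:04:54 10.0.0.5 203.0.113.10
2024-01-01T10:06:00 10.0.0.5 203.0.113.10
2024-01-01T10:00:00 10.0.0.7 198.51.100.20
2024-01-01T10:00:05 10.0.0.7 198.51.100.20
2024-01-01T10:03:20 10.0.0.7 198.51.100.20
2024-01-01T10:03:23 10.0.0.7 198.51.100.20
2024-01-01T10:15:00 10.0.0.7 198.51.100.20
"""

def parse_log(text):
    """Group request timestamps by (src, dst); lines that do not parse are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        try:
            stamp, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(stamp))
        except ValueError:  # wrong field count or unparsable timestamp
            continue
    return flows

def interval_stats(timestamps):
    """(mean gap in seconds, coefficient of variation), or None with fewer than 2 gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def detect_beacons(text, min_intervals=5, max_cv=0.2):
    """Flag flows with near-constant gaps: a fixed sleep plus small jitter keeps CV low."""
    hits = {}
    for flow, stamps in parse_log(text).items():
        if len(stamps) - 1 < min_intervals:
            continue  # too few callbacks to judge either way
        stats = interval_stats(stamps)
        if stats and stats[1] <= max_cv:
            hits[flow] = stats
    return hits
```

Raising the jitter in the profile widens the spread of gaps, so tune max_cv and min_intervals against your own baseline rather than treating these values as fixed.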