Cobalt Strike Quick Walkthrough

This is just a very rough and quick walkthrough to give some high-level insight into how Cobalt Strike could help in red-teaming exercises.

Why use Cobalt Strike?

Lots of community kits are contributed by the user community!

Disclaimer

All information mentioned in this post is just for educational purpose and all activities were conducted within the isolated virtual environment. DO NOT conduct any offensive testing without proper authorization.

Import Third-Party Script (.cna)

For example, assume we want to import a third-party script, e.g. “ElusiveMice” (https://raw.githubusercontent.com/mgeeky/ElusiveMice/master/rdll_loader.cna), to attempt AV/EDR evasion:

1) Download the script file “rdll_loader.cna”

2) Import the downloaded script

Cobalt Strike -> Script Manager -> Scripts -> Load

Once imported, this script runs automatically when generating a “Windows Executable (stateless)” package, and its debug information (if enabled) is shown under “Script Console”.

Setup Listener

This should be done before generating the corresponding payload.

(The “default” profile was used in this quick demo, but the “default” profile should not be used during an actual operation, because its traffic pattern is easily picked up by EDR/NDR signatures.)

Cobalt Strike -> Listeners -> Add
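To make the point about the default profile concrete from the defender's side, here is an added detection example (not code from the post or from Cobalt Strike) that scans constructed proxy log lines for two well-known artifacts of the stock profile: a handful of request paths it uses (such as /__utm.gif and /submit.php), and the stager URI scheme, in which a short random path has a byte sum mod 256 of 92 (x86) or 93 (x64), the same checksum8 convention Metasploit uses. The log format and the client addresses are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (client, method, request target, user agent).
# These are made up for the example and are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html "Mozilla/5.0"
10.0.0.5 GET /abc6 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.0.0.7 GET /__utm.gif "Mozilla/5.0"
10.0.0.9 POST /submit.php?id=12345 "Mozilla/5.0"
10.0.0.5 GET /about "Mozilla/5.0"
"""

# A few request paths associated with the stock default Malleable C2 profile.
DEFAULT_PROFILE_PATHS = {
    "/dpixel", "/__utm.gif", "/pixel.gif", "/ga.js", "/updates.rss",
    "/fwlink", "/IE9CompatViewList.xml", "/submit.php",
}

# Stager paths are short random strings; the byte sum mod 256 selects the architecture.
STAGER_CHECKSUMS = {92: "x86 stager URI", 93: "x64 stager URI"}
STAGER_PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}$")  # assumed shape: slash + 4 alphanumerics

LINE_RE = re.compile(r'^(\S+) (GET|POST) (\S+) "(.*)"$')


def checksum8(path_without_slash: str) -> int:
    """Sum of the path's bytes modulo 256 (the Metasploit/Cobalt Strike URI checksum)."""
    return sum(path_without_slash.encode("ascii", "ignore")) % 256


def classify_request(method: str, target: str) -> Optional[str]:
    """Return a reason when the request matches a default-profile pattern, else None."""
    path = urlsplit(target).path  # drop the query string before comparing
    if path in DEFAULT_PROFILE_PATHS:
        return f"default profile {method} path {path}"
    if STAGER_PATH_RE.match(path):
        value = checksum8(path[1:])
        label = STAGER_CHECKSUMS.get(value)
        if label:
            return f"{label} (checksum8 == {value})"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, request target, reason) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        client, method, target, _user_agent = m.groups()
        reason = classify_request(method, target)
        if reason:
            findings.append((client, target, reason))
    return findings


if __name__ == "__main__":
    for client, target, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {target}: {reason}")
```

The path list and the checksum test are deliberately narrow so that ordinary browsing does not trip them; in production the checksum rule would be combined with other signals (user agent, beaconing interval) since four-character paths with a matching byte sum do occur by chance.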

Beacon phone home (obtained initial access)

Once the beacon phones home, initial access has been obtained.

Depending on the current privilege level of the beacon, you could attempt to dump hashes for offline cracking if admin privilege is held. If not, you may need to follow the Privilege Escalation techniques listed in the ATT&CK Matrix. The “upload” function is useful for uploading your privilege escalation exploit, and the “shell” function is useful for executing it.

Cobalt Strike -> Visualization -> Pivot Graph

Keylogger

Under the beacon console, run the command “keylogger” and the recorded keystrokes will be shown under View -> Keystrokes.

Port Scan

A selective (not full) port scan is useful to identify other live hosts within the network.

Click on the selected beacon host, Explore -> Port Scan -> Select the available network, input what ports should be checked and click “Scan”.

Discovered target(s) will be shown under View -> Targets.
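A selective scan like the one described above (a few ports checked against many hosts) leaves a characteristic trace on the network side: one source touching many distinct destination hosts on the same port within a short window. The following added example (not part of the post and not Cobalt Strike code) parses constructed connection records and flags such horizontal sweeps; the record format, the 60-second window and the five-host threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed connection records: timestamp, source, destination, destination port.
# Made up for the example; not real firewall or flow logs.
SAMPLE_CONNECTIONS = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.21 445
2024-01-01T10:00:01 10.0.0.5 10.0.0.22 445
2024-01-01T10:00:01 10.0.0.5 10.0.0.23 445
2024-01-01T10:00:02 10.0.0.5 10.0.0.24 445
2024-01-01T10:00:03 10.0.0.5 10.0.0.25 445
2024-01-01T10:00:03 10.0.0.5 10.0.0.26 445
2024-01-01T10:00:05 10.0.0.8 10.0.0.50 443
2024-01-01T10:00:07 10.0.0.8 10.0.0.50 443
2024-01-01T10:00:09 10.0.0.8 10.0.0.51 443
2024-01-01T10:05:00 10.0.0.5 10.0.0.60 3389
"""

Record = Tuple[datetime, str, str, int]


def parse_connections(text: str) -> List[Record]:
    """Parse whitespace-separated records into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_sweeps(records: List[Record], window_seconds: int = 60,
                  min_hosts: int = 5) -> Dict[Tuple[str, int], int]:
    """Flag (source, port) pairs that reach at least min_hosts distinct destinations
    within any window of window_seconds. Returns the peak distinct-host count."""
    by_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, port in records:
        by_key[(src, port)].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    findings: Dict[Tuple[str, int], int] = {}
    for key, events in by_key.items():
        events.sort()
        best = 0
        # Slide a window starting at each event and count distinct hosts inside it.
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            findings[key] = best
    return findings


if __name__ == "__main__":
    for (src, port), count in detect_sweeps(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"{src} contacted {count} hosts on port {port} within the window")
```

Grouping by (source, port) rather than by source alone is what distinguishes a sweep from a busy client: a workstation talking to many web servers on 443 over an hour is normal, while the same host reaching six peers on 445 in three seconds is not.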

What Else?

“A fool with a tool is still a fool”

Cobalt Strike is a great tool for red teaming, but it is still a tool, and the success of a red team operation still relies mainly on how well you can think outside the box to find a new path from the information and access you already have.

Example scenario: Trigger a fake dialog box asking for the credentials of the current user

i) Use “powershell-import” to import “Invoke-CredentialsPhish.ps1” (https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-CredentialsPhish.ps1)

ii) Execute “powershell Invoke-CredentialsPhish”

Password was successfully obtained!
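From the defender's side, the scenario above is visible even though the script is loaded into memory rather than dropped to disk: with PowerShell Script Block Logging enabled, the executed script text is recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The following added example (not from the post or from the nishang project) triages constructed 4104 script-block texts for three indicators: an in-memory download-and-execute, a loopback script host (powershell-import serving the script from 127.0.0.1 is an assumption about the mechanism), and use of an interactive credential-prompt API. The sample event texts and the exact regexes are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed script-block texts standing in for Event ID 4104 payloads; not real events.
SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": 2, "text": "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:12345/')"},
    {"id": 3, "text": "$cred = $Host.UI.PromptForCredential('Windows Security', "
                      "'Enter your credentials', $env:USERNAME, '')"},
]

# Indicator name -> pattern. Ordered so that the most generic pattern comes last.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "in-memory download-and-execute": re.compile(r"\bIEX\b\s*\(.*DownloadString", re.IGNORECASE),
    "loopback script host": re.compile(r"https?://127\.0\.0\.1:\d+", re.IGNORECASE),
    "interactive credential prompt": re.compile(
        r"PromptForCredential|Get-Credential|CredUIPromptForWindowsCredentials", re.IGNORECASE),
}


def score_event(text: str) -> List[str]:
    """Return the names of every indicator whose pattern matches the script text."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id -> matched indicators, keeping only events with at least one hit."""
    results: Dict[int, List[str]] = {}
    for event in events:
        hits = score_event(event["text"])
        if hits:
            results[event["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

A single credential-prompt call is not malicious on its own (administrative scripts use Get-Credential legitimately), so the useful alert is the combination within one session: a loopback download-and-execute followed shortly by a prompt, which is the sequence a beacon-driven import produces.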

Conclusion

This post is just a very basic introduction of Cobalt Strike.

I hope occasional skill/tool sharing could somehow help some beginners, and could also encourage cybersecurity fellows to share knowledge.

Hope you enjoy reading this post.

Cheers
Henry
