Cobalt Strike!

Cobalt Strike!

Recently, I've gotten access to Cobalt Strike. This tool is used for Adversary Simulations and Red Team Operations. As I'm completely new to the tool, I thought it would be a good idea to share my learning experience here. I'm doing all of this from within a lab with only a single attacker and a single target machine (for now!), so all the screenshots and examples will reflect that. That said, lets dive in to some of the features of the tool.

Teamserver

The first step in using Cobalt Strike is setting up your teamserver. This is the "home base" for all the Red Team operators to connect to. It can also serve as the listener and delivery platform for exploits. To set it up, simply run ./teamserver <IP> <password from the Cobalt Strike directory.

Client

Once you have the teamserver up and running, you're ready to connect to it from your attacker machine. As previously noted, I'll be using the same machine for both the teamserver and the client, Run ./cobaltstrike and you'll be prompted with the connect window.

Fill in your host, the username you want for this machine, and the pre-defined password. Click connect, and you're in.

You'll be greeted with the above dashboard. Notice the Event Log on the bottom of the screen. It has indicated that a new client has joined. Throughout the engagement, several events will be populated here. This is great for keeping track of actions and what time they occurred.You can also use this window for chat between users.

Listeners

The next step you will want to take is setting up a listener. This will be the way Cobalt Strike can "catch" the sessions after you've executed an attack on a victim machine. To create one, click on the headphone icon or Cobalt Strike -> Listeners

Click the add button at the bottom of the screen, and we can configure our listener.

Fill in the name, host and port fields. We can also select one of many payloads.

Finally, click the Save button and the listener will start up.

Attacks

The attacks tab has several options.

For my example, I created a simple Windows Executable.

Configuration is quick and easy, just select which Listener you want to use and the output format. Clicking the Generate button will prompt you to save your payload, There are several ways you could get the payload on to the target machine. Maybe through some social engineering? For this example though, I used the quick and easy method. I simply ran python -m SimpleHTTPServer 80 and browsed to my IP address in the victim's browser.

I had the victim run the executable. Back on the attacker machine, we can see a new event.

Once you have a victim connected back to your teamserver, you can view them in this clean graph view. If you had more than one victim machine that you've pivoted through, this graph will show the connections.

Note that the victim machine has shown up twice. The red outline and lighting, as well as the asterisk, indicates that you have SYSTEM level privileges on that machine. To obtain this, we can run the elevate command from our original beacon.

Now that we have SYSTEM level privileges, we can run numerous commands. One such command is Dump Hashes. Pretty self-explanatory what this will do.

Once we have these hashes, they will automatically be saved within Cobalt Strike. We can view them under the Credentials tab (which can be found under the View tab at the top).

Beacons

Cobalt Strike refers to the sessions on victim machines as beacons. These beacons will call home every minute and run any commands you have instructed it to run. In the above example, I used Dump Hashes. Take a closer look at that screenshot and you will see a few things. First off, right below the command, it says Tasked beacon to dump hashes . On the bottom right it says last: 6s . This indicates the last time the beacon checked in. At 60 seconds, it will call home, run the command, and send the data back. From the beacons tab, we also have the option to run several commands. Enter ? to see the full list:



Reporting

A great feature of Cobalt Strike is the built in reporting. Select the Reporting tab at the top, and see the many options available to you.

For my demo, I decided to look at the "Indicators of Compromise" report. The report was generated nearly instantly (Having a single victim might have something to do with that).

This is the level of detail within the report:

The report also features which MITRE ATT&CK techniques were used!

Aresenal

The last piece of Cobalt Strike I'd like to talk about is the Arsenal.

It's "a collection of scripts and code to enhance your Cobalt Strike experience." It has several kits:

  • Applet Kit
  • Artifact Kit
  • Elevate Kit
  • Malleable C2 Profiles
  • Power Applet
  • Resource Kit

What's really cool about these is that there is an included video with most of these kits. Since these exist, I'm not going to go into too much detail about them.

These will definitely be something I look into as I get more comfortable with the tool!

Final Thoughts

I hope my little beginner's guide has been useful to you in some way. I have only just gotten started with the tool but am really excited to keep going with it. I'd already recommend it for Red Team engagements or maybe even an internal pen test. Check out the Cobalt Strike site for any other information I might have missed or to purchase the tool for yourself. Thanks for taking the time to look into this awesome tool with me!