Cobalt Strike

Launching the Team Server

The standard location to place Cobalt Strike is /opt/cobaltstrike; follow the provided default installation instructions.

1. Launch a tmux session or open a screen in order to keep the teamserver alive:

   tmux new -s teamserver
   or
   screen -S teamserver

2. Launch the teamserver binary, providing both your host's IP and the password you'd like to use for the teamserver:

   ./teamserver 10.10.10.100 YourPassw0rd!

   When stdout displays the SHA256 hash of the SSL certificate you know it has started successfully. If no port is provided, the teamserver will run on its default, 50050. It's also important to note that since there is no user attached to the password, it's less of a password and more of a preshared secret. If you'd like to use a specific C2 profile, it can be passed as an argument:

   ~/cobaltstrike> sudo ./teamserver 10.10.5.50 YourPassw0rd! c2-profiles/normal/webbug.profile

3. Successful execution of the team server can be validated by interacting with it through the Cobalt Strike Connect binary. Pick a user/alias; it doesn't matter what it is so long as it's unique and you have the correct preshared password.

First Listener

When the shellcode in your payload executes it reaches back to a listener in order to establish a reverse shell. The Metasploit equivalent would be the exploit/multi/handler module that most offensive security engineers would be familiar with. Cobalt Strike has two primary types of listeners. The egress listener will sit somewhere in the DMZ of the attacker's infrastructure. This will typically be an HTTP listener acting as a web server. The structure of the HTTP packets can be controlled using Cobalt Strike's Malleable C2 profiles.

The other type is the peer-to-peer listener. These are used in situations where the host can't or shouldn't directly reach out to the internet. Instead, peer-to-peer listeners allow beacons to communicate with one another over either SMB or TCP.

A new listener can be created by going to Cobalt Strike > Listeners and clicking the add button. Name the listener something descriptive and pick the type of payload this listener should expect to receive. The HTTP Host field will be the same as the team server until more sophisticated infrastructure is built out.

First Payload

To generate an executable payload go to Attacks > Packages > Windows Executable (S). An operational security consideration is to ensure that stageless payloads are used when possible: while staged payloads might have a smaller initial disk footprint, the execution flow followed as a payload stages the rest of its body is starting to be detected by EDR solutions. Also make sure to match the architecture type (x64 / x86). Once the payload has been generated, deliver it to your target host through your preferred delivery method and execute it.

First Beacon

Beacons typically don't keep established connections with their listener. They are designed to mimic web traffic in order to blend in with the environment's noise. Due to this constraint, commands are sent to the beacon asynchronously. The rate at which the beacon checks in with the listener can be modified using the sleep command; by default it's every 60 seconds, but when actively interacting with the beacon it can be useful to lower it to 10 seconds:

sleep 10

This can be lowered further, but remember that if it gets left at too low a value it can be an opsec violation. For a list of additional commands use the help command:

help

For instructions on how to use a specific command, use the format:

help command
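The check-in behaviour described above is also what a defender looks for. The following is an added example, not part of the original page or of Cobalt Strike: it scans constructed HTTP proxy log lines for source/destination pairs whose request gaps are near-constant, which is how a beacon on a fixed sleep (60 s by default) stands out from ordinary browsing. The log format, hosts and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <path>".
# 10.0.0.5 checks in to 10.10.10.100 every 60 s (beacon-like);
# 10.0.0.7 browses an intranet host at irregular gaps (normal).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.10.10.100 /updates
2024-05-01T10:00:05 10.0.0.7 10.0.0.20 /index.html
2024-05-01T10:00:10 10.0.0.7 10.0.0.20 /style.css
2024-05-01T10:01:00 10.0.0.5 10.10.10.100 /updates
2024-05-01T10:02:00 10.0.0.5 10.10.10.100 /updates
2024-05-01T10:02:10 10.0.0.7 10.0.0.20 /news
2024-05-01T10:02:13 10.0.0.7 10.0.0.20 /logo.png
2024-05-01T10:02:53 10.0.0.7 10.0.0.20 /about
2024-05-01T10:03:00 10.0.0.5 10.10.10.100 /updates
2024-05-01T10:04:00 10.0.0.5 10.10.10.100 /updates
2024-05-01T10:04:23 10.0.0.7 10.0.0.20 /contact
2024-05-01T10:05:00 10.0.0.5 10.10.10.100 /updates
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, path)."""
    ts, src, dst, path = line.split()
    return datetime.fromisoformat(ts), src, dst, path


def beacon_candidates(log_text, min_requests=5, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose inter-request
    gaps are near-constant. max_cv is the allowed coefficient of variation
    (stddev / mean); raise it to tolerate beacons that add jitter."""
    stamps = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, _ = parse_line(line)
        stamps[(src, dst)].append(ts)
    hits = {}
    for pair, times in stamps.items():
        if len(times) < min_requests:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    for (src, dst), gap in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: periodic check-in every {gap:.0f}s")
```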
