In June 2012, I announced Cobalt Strike to the world. Thanks to Cobalt Strike‘s users, I build and research offensive technologies, full-time, and have done so for the past two years. In this post, I’d like to show what has come from these two years of user-funded work.
The Beacon payload is THE threat emulation tool in Cobalt Strike. It speaks multiple protocols, it’s asynchronous [read: covert], and it has a complement of remote access tool features. With its communication sped up, Beacon may also tunnel traffic too. Beacon is compiled as a reflective DLL, which allows Cobalt Strike to deliver it directly into memory or fire it with a Metasploit Framework attack.
Several of the “threat emulation” features in Cobalt Strike (e.g., named pipe communication) are realized through Beacon. It’s the keystone feature of this whole toolset.
A lot of folks know Armitage for its red team collaboration capability. Cobalt Strike extends this red team collaboration model to multiple attack servers. The idea is this: team servers do not communicate with each other. Instead, a Cobalt Strike client may connect to one or more team servers. When a user is connected to multiple servers, the client will pool listeners from all of the servers. This allows any user to easily pass sessions between servers. I also took care to update Cobalt Strike’s reporting engine to merge data from all of the servers into one report.
This model of operations allows a red team to have many team servers, each with different purposes (e.g., post-exploitation, attack, and persistent callbacks). Members of the red team may connect to the sub-set of servers that meet their needs. I’ve exercised this model at almost twenty events since February 2013. It scales well to large teams and it’s natural to the end-user.
Under development, I have a domain-specific language to let the user redefine the indicators in Beacon’s communication. This technology will let you cloak your actions to look like an actor your customer is watching for. Think of this as a False Flag capability for penetration testers. It’s enough to go from engagements that exercise security controls to engagements that exercise intelligence support to computer network defense.
There are many demos and proof-of-concept tools that communicate over DNS. I wanted something weaponized. I consider a technology weaponized when it’s mature and it interoperates well with my existing attack kit. To do this, I had to build a DNS server into Cobalt Strike to support the server-side of DNS communication. I then added DNS TXT and DNS A record data channels to Cobalt Strike’s Beacon payload. Staging was a problem though. I modified Peter Van Eeckhoutte‘s DNS TXT record stager to build a DNS stager that tolerates failures and downloads a large payload over the internet. The end result? Cobalt Strike has a turn-key capability to deliver a DNS payload in an executable or user-driven attack package.
Several Advanced Threat payloads communicate, peer-to-peer, over named pipes (e.g., DUQU, Red October, and Uroburos). This traffic is wrapped in SMB and it blends in quite well. I opted to explore this communication channel and implemented it into Cobalt Strike’s Beacon. I’ve found named-pipe communication is a nice way to control systems that can’t reach the internet and to limit which compromised systems connect directly to my internet infrastructure.
Payloads in Cobalt Strike (and Metasploit) are staged. This process is brittle and it’s a weak point for the attacker. As an ongoing project, I look at ways a defense team can defeat an HTTP/S stager and try to design workarounds for it. Beacon’s HTTP stager dresses up its communication to look like Internet Explorer. This same HTTP stager now prompts the user for credentials when it encounters a proxy authentication error.
While DNS communication, named-pipe communication, and improved HTTP staging are Beacon technologies, Meterpreter benefits from these features too. With one command, you may stage and tunnel a Meterpreter session through a Beacon.
Artifact Kit is my strategy to evade anti-virus. It’s a source code framework to build executable and DLL artifacts that smuggle known shellcode past anti-virus. Cobalt Strike uses these artifacts when it needs to generate an executable or DLL. Artifact Kit gives users control over this process by allowing them to load new artifacts into Cobalt Strike, if needed. Each set of artifacts recover obfuscated shellcode by performing an action that most anti-virus products won’t emulate. If the base artifact is caught by a product, you can recompile it to change its signature. If the technique the base artifact uses doesn’t get past a product, then you have the option to use or build a base artifact with another technique.
The UAC bypass attack is an important privilege escalation option. I spent some quality time with the Metasploit Framework’s bypass UAC module and the original POC to understand its left and right bounds. I learned that this attack is “patched” on Windows 8.1 and I wanted to know why. I found the Windows 8.1 problem and a few other areas for improvement. Beacon gained a Bypass UAC attack that works on Windows 7 through the latest release of Windows 8.1.
Over the past two years, Cobalt Strike has gained new or updated implementations of common user-driven attacks. These attacks are popular in penetration tests because they do not rely on memory corruption and generally, they’re not patchable.
Cobalt Strike user-driven attacks include the venerable Java Signed Applet attack, the Microsoft Word and Excel macro, and the File dropper [popular in targeted attacks!].
Cobalt Strike’s applet and macro attacks inject payloads directly into memory, account for an x86 versus x64 host application, and auto-migrate the payload to protect it from the user closing the application.
Covert VPN is my implementation of VPN pivoting. It uses libpcap to capture frames from a target’s network and relay them to a tap interface on the attacker’s system. Likewise, it captures frames from a TAP interface on the attacker system and injects them into the target’s network, also via libpcap. Covert VPN communicates over UDP, TCP, and HTTP.
Since its first release, I asserted that Cobalt Strike is more than software. It’s documentation, online training, and a set of tools to replicate an advanced threat. Keeping with my commitment to this, I produced the Tradecraft course and made it available for free. Tradecraft is a 9-part course that covers how to get a foothold in a modern enterprise, conduct asynchronous and interactive post-exploitation, and abuse trust relationships to attack fully patched systems. I see tools and process as inseparable. Tradecraft is the process Cobalt Strike was built to support.
Browser Pivoting is a man-in-the-browser attack to hijack authenticated web sessions. It uses Internet Explorer’s communication API to fulfill [and re-authenticate] requests for an attacker’s browser. This technology can hijack sessions secured with cookies, session cookies, server authentication, and client SSL certificates.
One of my friends defined my business as outsourced research and development for red teams. This is a great example of this. Some organizations use smart card technology as a two-factor authentication mechanism for their web applications. Red teams who work in these environments need a way to demonstrate risk and work, even when this technology is present. Browser Pivoting is my look at this problem.
Everything on this page represents progress after Cobalt Strike’s initial release two years ago. I will continue to swing for the fences on one big idea per year. This year, my goal is help penetration testers cloak their activity to resemble another actor. Then we will have true “threat emulation”!
I will continue to build options to evade static defenses and get past tough egress restrictions. This work isn’t done yet!
In terms of the tactical successes, a lot of these are customer driven. This product has a pretty amazing user base. They won’t ask me to implement “check the box” compliance reports any time soon. Cobalt Strike’s users continue to make this work possible.