The release of Cobalt Strike 3.0 also saw the release of Advanced Threat Tactics, a nine-part course on red team operations and adversary simulations. This course is nearly six hours of material with an emphasis on process, concepts, and tradecraft.
If you’d like to jump into the course, it’s on YouTube:
Here are a few notes to explore each topic in the course with more depth.
0. Introduction
This is a course on red team operations and adversary simulations.
To learn more about Adversary Simulations and Red Team Operations:
Read Microsoft’s Enterprise Cloud Red Teaming whitepaper. Here Microsoft explains the “Assume Breach” philosophy. I’m a big believer in assume breach. This is an engagement philosophy where a red team is given access and focuses on the post-exploitation steps of a long-term embedded adversary to exercise detection and response.
Read Raphael’s Magic Quadrant. Here I summarize the shifts in our industry driving the development of Adversary Simulations as a service. I write a lot about this topic and my thoughts are in the Adversary Simulations category on this blog.
Read Models for Red Team Operations. There is more to red team operations than “kick down the door and seduce the security guard” type assessments. In this post I try to point out some of the different uses of red teams.
Watch Michael Daly’s 2009 USENIX talk, The Advanced Persistent Threat. This talk pre-dates the marketing bonanza over APT actors and their work. This is a common sense discussion of the topic without an agenda. Even though it’s from 2009, the material is spot on.
Tools used in this course:
The primary operating platform in this course is Kali Linux 2.0.
This course also uses PowerSploit, a powerful collection of PowerShell post-exploitation capability.
We also take advantage of PowerView and PowerUp (both are included with PowerSploit).
Later on, this course demonstrates how to use the Veil Evasion Framework to generate executables that evade most anti-virus products.
1. Operations
Advanced Threat Tactics starts with a high-level overview of Cobalt Strike’s model for distributed operations and red team collaboration.
To learn more about Cobalt Strike’s model for collaboration and operations:
Watch Force Multipliers for Red Team Operations. This is my favorite talk I’ve given. Here, I summarize my work and insights on the red team collaboration problem. Today, I consider this a completed research project with the following blog posts capturing lessons learned on how to build infrastructure and organize a large red team to support operations (primarily in an exercise context).
Read about The Post Exploitation Team. These are my notes on the folks who interact with targets to complete objectives and find interesting information.
Read Infrastructure for Red Team Operations. Infrastructure is the foundation of any engagement. This post is my best practices for organizing infrastructure to support a long-term op with multiple targets.
Consult The Red Team Infrastructure Wiki. This page is a collection of best practices for setting up, organizing, and securing red team infrastructure.
2. Infrastructure
Infrastructure is the collection of domains, servers, and software that support your operation. One of Cobalt Strike’s strengths is its variety of communication channels and the flexibility you have to configure them. This lecture goes through the HTTP/HTTPS, DNS, and named pipe channels and shows you how to use special features with each. I also take you through how to stand up redirectors and test your infrastructure before an engagement.
I also wrote Staged Payloads – What Penetration Testers Should Know. These are my thoughts on the subject if any of the above is unclear. 🙂 Understanding staging is very important to understand the behavior and design decisions in tools like Cobalt Strike.
Cobalt Strike’s payload staging does not have any security features built into it. I discuss this in Talk to your children about payload staging. This blog post also details how to change your operations to limit payload staging over hostile networks.
Beacon Communication:
Read Cloud-based Redirectors for Distributed Hacking. This post describes redirectors, why you would want to use them, and how to set them up with socat. Very similar to the model discussed in this course.
The introduction of the DNS data channels in Cobalt Strike led to several folks claiming, That’ll never work–we don’t allow port 53 out. This post calmly answers these claims with an explanation of how the DNS Beacon communicates.
Read Stealthy Peer-to-peer C&C over SMB pipes. I added a named pipe channel to Cobalt Strike in late-2013. This feature wasn’t well understood, so I wrote this blog post to explain it better.
3. Targeted Attacks
This lecture goes through a process to execute a targeted spear phishing attack to get a foothold in a modern enterprise.
Cobalt Strike’s Aggressor Script makes it easy to add new attacks to Cobalt Strike. CACTUS TORCH is a framework for payload generation which works well with Cobalt Strike. It has options to deliver x64 payloads and to operate stageless as well. DDEAutoCS sets up a macro-less code execution attack within Microsoft Office documents.
4. Post Exploitation
This lecture shows how to use Beacon for post-exploitation. If you have to operate with Beacon, this is good core material to know.
To learn more about this material:
Read Evolution of a Modern Hacking Payload. Beacon started life as an asynchronous lifeline to spawn Meterpreter sessions as needed. Over time Beacon gained features to allow an operator to use Beacon when Meterpreter was not an option. This post tells that story.
Read OPSEC Considerations for Beacon Commands. It’s important to know your post-exploitation tools and what they do under the hood. This blog post documents which Beacon commands launch processes, which commands inject into other processes, etc.
Post-Exploitation:
Buy the Red Team Field Manual. This is a must-own for anyone working in this space. The tips and tricks here are quite applicable for all Beacon operators.
Watch Flying a Cylon Raider. This talk is a platform agnostic look at how to conduct post-exploitation and lateral movement without the Metasploit Framework. Understanding the concepts in this talk will help you get the most from the material in this course.
Interoperability with different offensive platforms is important. Read Session Passing from Cobalt Strike to learn how to pass sessions to the Metasploit Framework, PowerShell Empire, and other tools from Cobalt Strike.
5. Privilege Escalation
Think of this lecture as post exploitation, part 2. We dive into how to elevate privileges and use these privileges to harvest credentials and password hashes.
To learn more about User Account Control and the Bypass UAC attack:
Read Windows Privilege Escalation Fundamentals. This tutorial has a number of command-line recipes to find files with credentials and other things you should look for when trying to elevate your rights.
Read What you know about ’bout GPP? This blog post offers a look at the Group Policy Preferences privilege escalation vector. This is one of those issues that, while patched, remains an issue because the patch does not cleanup the problems created by this feature when it was last used. I didn’t have time to cover this problem in the course [six hours is enough!]; but this is a staple thing you should always check for.
Download the Elevate Kit to add new exploits to Beacon’s elevate command. The Elevate Kit is a good example of how to bring exploits from PowerShell Empire, the Metasploit Framework, and other sources into Cobalt Strike.
Study the Mimikatz Wiki to start your journey understanding what this tool can do. To get the most from mimikatz, you’ll really need to read its source code to really understand a feature.
Read PowerView: A Usage Guide to understand this wonderful tool from Will Schroeder to automate enumerating trusts, users, and hosts in an active directory environment.
Read the PowerView 2.0 post to understand the changes made to PowerView since this course was made. For example, Invoke-Netview no longer exists.
Check out Netview by Rob Fuller. This tool enumerates systems using the Win32 Network Management API. I believe it was one of the original inspirations for PowerView and it certainly inspired Beacon’s net module as well.
Also, read I Hunt Sys Admins by Will Schroeder (him, again!) to learn different ways to find where a particular user lives on the network. This is important for targeting systems that may have trust material that gets you closer to the data you want or to DA rights on the network.
Read A Guide to Attacking Domain Trusts by Will Schroeder. This is the ultimate red teamer’s reference to this topic. You’ll really want to go through all of Will’s blog to understand this topic fully. He posts a lot about domain trusts and user hunting. Too much for me to keep up with here.
Read Derivative Local Admin by Justin Warner. This post discusses how you may understand and chain trust relationships (e.g., Bob is an admin on X, Joe is logged onto X, Joe is a domain admin) to elevate privileges in a network or attack a desired target.
Spend time with BloodHound, a JavaScript application that ingests data from a PowerShell script and identifies Active Directory trust-paths to reach a target of interest. This application automates a lot of the analysis that is necessary to identify lateral movement opportunities. My First Go with BloodHound shows how to setup and use this tool at a basic level.
Also, consult Pass-the-Hash is Dead: Long Live LocalAccountTokenFilterPolicy. This post is Will Schroeder’s March 2017 follow up to the his first post on this topic. This post documents how the restrictions around pass-the-hash really work and it explains the situations where these restrictions are not present.
Read MS14-068 to DA by the mysterious idzer0. This one was patched awhile ago, but I had fun with it a few times. This exploit was an immediate elevation to DA. This blog post uses the Python Kerberos Exploitation Kit to kick off the attack. MWR InfoSecurity has a good write-up on this attack on their blog too. *nudge* *nudge* Beacon has a kerberos_ccache_use command now.
Read Phishing, Lateral Movement, SCADA, Oh My! by idzer0 goes through a case study of using SMB Beacon, PowerView, and WMI to pivot five levels deep and reach a SCADA controller.
Watch Lateral Movement given by Harlan Carvey at B-Sides Cincinnati. This talk describes several manual methods for lateral movement and indicators they leave behind.
7. Pivoting
SOCKS, SOCKS, SOCKS! This lecture is about how to pivot with Beacon. You could also think about it as using and abusing SOCKS forwards, backwards, and any other way you want it.
More on this topic:
Read the SOCKS protocol specification. SOCKS is a simple (1 page) protocol that allows a SOCKS-aware application to connect to a SOCKS server and ask that server to initiate a connection on the client’s behalf.
Read Pivoting through SSH. This blog post describes the Proxies option in the Metasploit Framework.
Take a look at Cobalt Strike’s VPN Pivoting feature. I don’t talk about it much, because I don’t use it often. If you’d like to learn about layer-2 pivoting, I wrote a blog post on how this technology works with source code. It’s simpler than you might think.
Cobalt Strike 3.5 added SSH sessions. If you want to control UNIX targets, it’s worth your time to read up on these. You can pivot through SSH sessions the same way you pivot through Beacon sessions.
8. Malleable C2
Malleable C2 is Cobalt Strike’s domain specific language to change indicators in the Beacon payload. This ability to make Beacon look like other malware is arguably what makes it a threat emulation tool.
More on this topic:
Go to the Malleable C2 Profiles collection on Github. These are example profiles you may use as-is or as a base to build your own profiles.
Watch Spoof my SMTP from This Week in Enterprise Tech, Episode 71. Here, I practice what I preach, and show how to deliver a carefully crafted phish to a webmail account I setup for testing purposes.
Read How to Inject Shellcode from Java. This blog post details how Cobalt Strike’s default applet attacks inject shellcode into memory from Java.
Egress Restrictions:
Read An Unnecessary Addiction to DNS Communication. I often hear from folks who insist that DNS is the only way out of their network and the only way to reach servers that are otherwise isolated from the network. This post goes into depth on the evasion options with Cobalt Strike’s DNS communication scheme and it digs into the capability available in Cobalt Strike’s other Beacon variants.
Read about Domain Fronting, a collection of techniques to use high-reputation domains as callbacks for your HTTPS (and sometimes, HTTP) Beacons. This is an interesting tactic to obfuscate your controller, defeat site categorization, and blend in with legitimate traffic.
Active Defenders:
Watch Operating in the Shadows given by Carlos Perez at DerbyCon 2015. In this talk, Carlos goes over the different advancements in blue’s ability to instrument Windows and the impact it will have on red teams and penetration testers who need to challenge them. This is a sign of things to come.
Take a look at Microsoft’s Advanced Threat Analytics technology. This defense tracks which systems/users pull which active directory objects, when, and how often. It’s designed to catch that awesome stuff discussed in part 6 of this course.
Also, check out UpRoot, an agentless host-based IDS written in PowerShell that leverages WMI subscriptions. UpRoot reports process creates, new network connections, and other host activity. Tools like UpRoot show the scrutiny red operators will need to learn to cope with when working with a mature hunt team.
Watch Infocyte‘s video on Enterprise Hunt Operations. While this is a product advertisement, listen closely for the information it collects. As a red operator, you need to understand what your actions look like to analysts who use these hunt platforms. Your job is to figure out how to craft your activity to grow and challenge these analysts.
PowerShell and Anti-virus:
Read Advances in Scripting Security and Protection in Windows 10 and PowerShell V5. Windows 10 changed the security game in a big way. This post from Microsoft goes through the new logging hooks to understand PowerShell activity on a system and the hooks that allow anti-virus engines to look for malicious PowerShell.
If it’s difficult to use PowerShell in your environment, consider a move to .NET. Will Schroeder released Ghostpack, a collection of offense automation written in C#. These tools work well with Cobalt Strike 3.11’s execute-assembly command.
In-memory Evasion:
Become familiar with the Malleable PE options introduced in Cobalt Strike 3.7. These options let you influence how Beacon lives in memory and change some indicators.
Go through In-memory Evasion, a four-part (+ bonus addendum) course on the cat and mouse game related to memory detections. This course introduces common heuristics to detect memory-injected DLLs, where and why these heuristics work, and options to defeat these heuristics.
Modern Defenses:
Cobalt Strike is a flexible platform. This flexibility is a boon for working in mature and well-defended environments. Read Kits, Profiles, and Scripts… Oh my! to understand your options to customize Cobalt Strike and its indicators to your needs.
Read Modern Defenses and YOU! for hints on how to adapt your use of Cobalt Strike to keep pace with the modern defender’s arsenal of capability.
Watch Fighting the Toolset to understand the risk vs. reward trade-off of different offense techniques in Cobalt Strike. More importantly, this lecture discusses how to work-around Cobalt Strike’s default workflows to defeat defenses that target “advanced evasions”.