Showing results for tags 'strike'.

Found 21 results

  1. Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.
  2. Software for Adversary Simulations and Red Team Operations
     Why Cobalt Strike? Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
     Cobalt Strike - Version with client and ts
     In order to start team-server, give seven permissions to these files:
       chmod 777 source-common.sh
       chmod 777 teamserver
       chmod 777 TeamServerImage
     Next, in Client, we give the rights to such files as:
       chmod 777 cobaltstrike
       chmod 777 cobaltstrike.cmd
     To start team server: ./teamserver ip password
     To start the client: ./cobaltstrike
  3. Features
     Easy to Use: Import a single CNA script before generating shellcode.
     Dynamic Memory Encryption: Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
     Code Obfuscation and Encryption: Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
     Return Address Spoofing at Execution: Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
     Sleep Without Sleep: Delayed execution using WaitForSingleObjectEx.
     RC4 Encryption: All encryption performed with SystemFunction032.
  4. ScreenshotBOF
     An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. The screenshot was downloaded in memory.
     Why did I make this? Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behavior provides stability, it is now well-known and heavily monitored. This BOF is meant to provide a more OPSEC-safe version of the screenshot capability.
     Self Compilation
     • git clone the repo: git clone
     • open the solution in Visual Studio
     • Build project BOF
     Save methods:
     • drop file to disk
     • download file over beacon (Cobalt Strike only)
  5. A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
     Features
     Easy to Use: Import a single CNA script before generating shellcode.
     Dynamic Memory Encryption: Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
     Code Obfuscation and Encryption: Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
     Return Address Spoofing at Execution: Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
     Sleep Without Sleep: Delayed execution using WaitForSingleObjectEx.
     RC4 Encryption: All encryption is performed with SystemFunction032.
     Known Issues
     Not compatible with loaders that rely on the shellcode thread staying alive.
  6. Software for Adversary Simulations and Red Team Operations
     Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.
     Why Cobalt Strike? Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
  7. pyCobaltHound is an Aggressor script extension for Cobalt Strike which aims to provide deep integration between Cobalt Strike and Bloodhound. pyCobaltHound strives to assist red team operators by:
     • Automatically querying the BloodHound database to discover escalation paths opened up by newly collected credentials.
     • Automatically marking compromised users and computers as owned.
     • Allowing operators to quickly and easily investigate the escalation potential of beacon sessions and users.
     To accomplish this, pyCobaltHound uses a set of built-in queries. Operators are also able to add/remove their own queries to fine tune pyCobaltHound’s monitoring capabilities. This grants them the flexibility to adapt pyCobaltHound on the fly during engagements to account for engagement-specific targets (users, hosts, etc.).
     Tips & tricks
     PyCobalt comes with some Script Console commands to manage the running Python scripts. When you reload your Aggressor script you should explicitly stop the Python scripts first. Otherwise, they’ll run forever doing nothing. During pyCobaltHound’s development we noticed that this can also lead to undefined behavior. Reloading pyCobaltHound can be done as follows:
       aggressor> python-stop-all
       [pycobalt] Asking script to stop: /root/pycobalthound/pycobalthound.py
       [pycobalt] Script process exited: /root/pycobalthound/pycobalthound.py
       aggressor> reload example.cna
       [pycobalt] Executing script /root/pycobalthound/pycobalthound.py
     For PyCobalt to work properly you can only call PyCobalt in one Aggressor script. Keep this in mind if you want to use pyCobaltHound together with other Aggressor scripts that use PyCobalt. Our approach is to have an Aggressor script with a call to python() and include() for every PyCobalt-based tool.
  8. Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus.
     How does it work? The CobaltBus DotNetCore binary that integrates with CobaltStrike's ExternalC2 will create a local SqliteDB in order to keep track of multiple beacons. The messages inbound to CobaltBus will be captured and written to the database. The database names “CobaltBus.db” and “CobaltBus-log.db” will be created in the directory CobaltBus.dll is running from. Once a Beacon binary runs, it will push an “INITIALIZE” message to the baseQueueName queue, with a randomly generated BeaconId and Pipename. The CobaltBus handler will then capture this, create and move into the two new queues based on the BeaconId sent, request stager shellcode from CobaltStrike, and push it back down the new queue as an “INJECT” message. From here, the Beacon project injects the captured shellcode into memory and establishes a connection with the CobaltStrike beacon over the generated pipe name. When a command is issued from CobaltBus, it is pushed down the beacon's respective queue and into the beacon pipe name.
  9. Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
     Cobalt Strike 4.5 is now available. This release sees new options for process injection, updates to the sleep mask and UDRL kits, evasion improvements and a command history update along with other, smaller changes.
     Security Updates
     Before getting into the details of the release, I just wanted to impress upon you how seriously we take product security. We dedicated a significant portion of this release to improving controls around product licensing. We are fully committed to improving the security of the product and will continue to make product security enhancements a priority in future releases.
     Process Injection
     Until now, Cobalt Strike’s only process injection option was the built-in fork&run technique. While this is good for stability, it limits OPSEC options. We have added two new Aggressor Script hooks (PROCESS_INJECT_SPAWN and PROCESS_INJECT_EXPLICIT) to allow you to define how the fork&run and explicit injection techniques are implemented when executing post exploitation commands. A new BOF along with an Aggressor Script function implements both of these new techniques. You will now have the option of using the built-in fork&run technique or creating your own process injection technique.
  10. StayKit is an extension for Cobalt Strike persistence by leveraging the execute_assembly function with the SharpStay .NET assembly. The aggressor script handles payload creation by reading the template files for a specific execution type.
      IMPORTANT: To use the script a user will only need to load the StayKit.cna aggressor script. Additionally, the SharpStay assembly will need to be compiled and placed into the directory where StayKit.cna is located. Finally, if selecting a template for the payload, some may require dynamic compiling which uses Mono. The persistence menu will be added to the beacon. Due to the nature of how each technique is different, there is only a GUI menu and no beacon commands.
  11. SourcePoint is a polymorphic C2 profile generator for Cobalt Strike C2s, written in Go. SourcePoint allows unique C2 profiles to be generated on the fly that help reduce our Indicators of Compromise (“IoCs”) and allows the operator to spin up complex profiles with minimal effort. This was done by extensively reviewing Articles as well as Patch Notes to identify key functions and modifiable features. SourcePoint was designed with the intent of addressing the issue of how to make our C2 activity harder to detect, focusing on moving away from malicious IoCs to suspicious ones. The goal here is that it is harder to detect our C2 if our IoCs are not malicious in nature and require additional research to discover the suspicious nature. SourcePoint contains numerous different configurable options to choose from to modify your profile (in most cases if left blank SourcePoint will randomly choose them for you). The generated profiles modify all aspects of your C2. The goal of this project is to not only aid in circumventing detection-based controls but also help blend C2 traffic and activity into the environment, making said activity hard to detect.
      Changelog v2.2
      Huge shout out to Xenov-X for helping with these new features
      New Features
      • Added customuriGET and customuriPOST arguments
      • Made valid SSL optional for custom profiles
      • Added support for custom user agent
      Bug Fixes
      • Fixed some missing quotes in Peclone_list
      • Fixed numerous errors with Custom Profiles
      • Fixed missing quotes on struct variable
      • Fixed issue with Spawnto option “pcaui.exe”
      • Update the README
  12. Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
      Based on Stephen Fewer’s incredible Reflective Loader project. Created while working through Renz0h’s Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course.
      Initial Project Goals
      • Learn how Reflective Loader works.
      • Write a Reflective Loader in Assembly.
      • Compatible with Cobalt Strike.
      • Cross compile from macOS/Linux.
      • Implement Inline-Assembly into a C project.
      Future Project Goals
      • Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
      • Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
      • Write a decent Aggressor script.
      • Support x86.
      • Have different versions of the reflective loader to choose from.
      • Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
      • Optimize the assembly code.
      • Hash/obfuscate strings.
      • Some kind of template language overlay that can modify/randomize the registers/methods.
  13. Cobalt Strike User-Defined Reflective Loader
      Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
      Based on Stephen Fewer’s incredible Reflective Loader project. Created while working through Renz0h’s Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course.
      Initial Project Goals
      • Learn how Reflective Loader works.
      • Write a Reflective Loader in Assembly.
      • Compatible with Cobalt Strike.
      • Cross compile from macOS/Linux.
      • Implement Inline-Assembly into a C project.
      Future Project Goals
      • Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
      • Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
      • Write a decent Aggressor script.
      • Support x86.
      • Have different versions of the reflective loader to choose from.
      • Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
      • Optimize the assembly code.
      • Hash/obfuscate strings.
      • Some kind of template language overlay that can modify/randomize the registers/methods.
  14. melting-cobalt
      A tool to hunt/mine for Cobalt Strike beacons and “reduce” their beacon configuration for later indexing. Hunts can either be expansive and internet-wide using services like SecurityTrails, Shodan, or ZoomEye, or a list of IPs.
  15. Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
      Initial Project Goals
      • Learn how Reflective Loader works.
      • Write a Reflective Loader in Assembly.
      • Compatible with Cobalt Strike.
      • Cross compile from macOS/Linux.
      • Implement Inline-Assembly into a C project.
      Future Project Goals
      • Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
      • Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
      • Write a decent Aggressor script.
      • Support x86.
      • Have different versions of reflective loader to choose from.
      • Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
      • Optimize the assembly code.
      • Hash/obfuscate strings.
      • Some kind of template language overlay that can modify/randomize the registers/methods.
  16. Cobalt Strike BOF – Inject AMSI Bypass
      Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
  17. Beaconator
      Beaconator is an aggressor script for Cobalt Strike used to generate raw stageless shellcode and pack the generated shellcode using PEzor.
      Changelog v1.1
      • Fixed error check with the use of x86 arch & syscalls
      • Fixed the “null value error” due to missing output folder
      • Fixed issue with options persisting to subsequent payload generations
      • Added PEzor’s BOF format
      • Added the -cleanup option for BOFs
      • Added the -sleep option
      • Added more error checks
      • Cleaned up the code
  18. Cobalt Strike
      -------------
      Welcome to Cobalt Strike 4.x. Here are a few things you'll want to know, right away:
      1. Cobalt Strike 4.x is not compatible with Cobalt Strike 3.x. Stand up new infrastructure and migrate accesses to it. Do not update 3.x infrastructure to Cobalt Strike 4.x.
      2. Do not move a cobaltstrike.auth file from Cobalt Strike 3.x to 4.x. The two file formats are not compatible.
      3. Aggressor Scripts written for Cobalt Strike 3.x may require changes to work with Cobalt Strike 4.x. Please refer to this guide to update your scripts:
      March 17, 2021 - Cobalt Strike 4.3
      -------------
      + Fix NullPointerException starting profiler (missing resources).
      + Fix DNS Resolver appearing as null string for legacy listener definition.
      March 3, 2021 - Cobalt Strike 4.3
      -------------
      + Added support for dns-beacon Malleable C2 group. Added options for DNS Host Indicators: beacon,get_A,get_AAAA,get_TXT,put_metadata,put_output. Malleable C2 Lint changes to support dns-beacon group.
      + Allow DNS Beacons to egress directly through a specified DNS Resolver, rather than using the default resolver from the target server.
      + Host Rotation Strategy for customizing host selection for DNS/HTTP/HTTPS beacons.
      + Allow HTTP/HTTPS configuration of blocked useragent (previously curl/lynx/wget). Added .http-config.block_useragents to Malleable C2.
      + Add support for responding to NS request from specific DNS resolvers. Added .dns-beacon.ns_response Malleable C2 option.
      + Add timestamp to beacon console messages. The timestamp option can be enabled/disabled in Preferences (Console tab). The timestamp format can be modified with aggressor script. See BEACON_CONSOLE_TIMESTAMP and SSH_CONSOLE_TIMESTAMP in default.cna.
      + Add a PowerShell IEX option in Scripted Web Delivery.
      + Fixed sleep command after exit causing beacons not to exit.
      + Malleable C2 lint was incorrectly showing jitter data in staging preview.
      + Fixed invalid help link (attacks->packages->Windows Executable).
      + Setting sleep to 0 in Malleable C2 caused beacons to fail. Add C2 Lint range for sleep values.
      + Fix data_jitter issue not using any jitter when it was longer than limit (921600). Added minimum data_jitter (10) and performance warning for over 10000. Show data_jitter marker in C2 Lint preview data rather than actual jitter data.
  19. pyMalleableC2
      A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, and build them programmatically and validate syntax. Supports all of the Cobalt Strike Malleable C2 Profile grammar starting from Cobalt Strike version 4.3. It’s not backwards compatible with previous Cobalt Strike releases.
      What are the differences between pyMalleableC2 and other projects of this nature?
      • Parses profiles with Lark using eBNF notation. This approach is a lot more robust than user-defined regexes, templating engines, or similar methods.
      • Turns profiles into an Abstract Syntax Tree (AST) which can then be reconstructed back into source code.
      • Because of the above, pyMalleableC2 allows you to build profiles programmatically or modify them on the fly.
      • Allows you to validate the syntax of Malleable C2 profiles (Does not perform runtime checks, see the warning below.)
      • It has AI in the form of a lot of if statements.
  20. Cobalt Strike Shellcode Generator
      Adds Shellcode – Shellcode Generator to the Cobalt Strike top menu bar. CSSG is an aggressor and python script used to more easily generate and format beacon shellcode. Generates beacon stageless shellcode with exposed exit method, additional formatting, encryption, encoding, compression, multiline output, etc. Shellcode transforms are generally performed in descending menu order.
      Options for the shellcode generator are:
      • Listener: Select a valid listener with the “…” button. Shellcode will be generated from this listener selection.
      • Delivery: Stageless (Staged not supported for the shellcode generator).
      • Exit Method: process – exits the entire process that beacon is present in when the beacon is closed; thread – exits only the thread in which beacon is running when the beacon is closed.
      • Local Shellcode Checkbox: May use if you are going to execute the shellcode from an existing Beacon. Generates a Beacon shellcode payload that inherits key function pointers from a same-arch parent Beacon.
      • Existing Session: The parent Beacon session where the shellcode will pull session metadata. Shellcode should be run from within this Beacon session.
      • x86 Checkbox: Check to generate x86 shellcode; x64 is generated by default.
      • Or Use Shellcode File: Use an externally generated raw shellcode file in lieu of generating Beacon shellcode. This allows you to use previously exported shellcode files or output from other tools (Donut, msfvenom, etc).
      • Formatting: raw – raw binary shellcode output, no formatting applied; hex – hex formatted shellcode output; 0x90,0x90,0x90 – shellcode formatted into a C# style byte array; \x90\x90\x90 – shellcode formatted into a C\C++ style byte array; b64 – option to base64 encode the shellcode early in the generation process (before any encryption).
      • XOR Encrypt Shellcode Checkbox: Check to XOR encrypt the shellcode (only one encryption type can be selected at a time).
      • XOR Key(s): Randomly generated and editable XOR key character(s) to use for encryption. Multiple characters will result in multiple rounds of XOR encryption (i.e. ABCD).
      • AES Encrypt Shellcode Checkbox: Check to AES encrypt the shellcode (only one encryption type can be selected at a time). Uses a python script to perform AES Block Cipher AES-CBC encryption. Shellcode is padded with \0 values to reach block size requirements. A randomly generated IV is prepended to the encrypted shellcode data.
      • AES Key: Randomly generated and editable AES key to use for encryption. A 32-byte key is generated and preferred for 256-bit encryption strength. Encryption key byte lengths accepted are 16, 24, and 32.
      • Encoding/Compression: none – No additional encoding or compression is done to the shellcode; b64 – base64 encode the shellcode; gzip then b64 – gzip compress then base64 the shellcode; gzip – gzip compress the shellcode; b64 then gzip – base64 then gzip compress the shellcode.
      • Multiline Output: Can be used for non-raw/binary output formats. none – no multiline formatting, shellcode is one long string; quoted – Shellcode is broken up into lines surrounded by quotation marks; chunks.push_back – Shellcode is broken up into lines surrounded by chunks.push_back(” and “);
      • Multiline Length: Number of shellcode characters in each line if a multiline output option is selected.
      • Generate Button: Select directory for shellcode output. Default filename will be beacon but can be changed. Any encryption key used will be displayed in a popup and also written to the Cobalt Strike Script Console. The byte size of the raw beacon shellcode and final formatted beacon shellcode will be displayed in a popup and also written to the Script Console.
      Location of files used to generate/build the shellcode are set in the .cs file.
  21. What is Cobalt Strike?
      Cobalt Strike is software for Adversary Simulations and Red Team Operations.
      What are Adversary Simulations and Red Team Operations?
      Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.
      Why Cobalt Strike?
      Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike's solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
      Where do I learn how to use Cobalt Strike?
      Watch the Red Team Operations with Cobalt Strike course. Review the documentation.
      How much does Cobalt Strike cost?
      New Cobalt Strike licenses cost $3,500 per user for a one year license. License renewals cost $2,500 per user, per year. Request a quote to begin the purchase process.
      Who develops Cobalt Strike?
      Raphael Mudge is the creator of Cobalt Strike.
      Cobalt Strike 4.2 – Everything but the kitchen sink
      November 6, 2020
      Cobalt Strike 4.2 is now available. This release overhauls our user exploitation features, adds more memory flexibility options to Beacon, adds more behavior flexibility to our post-exploitation features, and makes some nice changes to Malleable C2 too.
      Cobalt Strike Release Notes