Cobalt Strike Attack
11/10/2021
Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike is threat emulation software. To this end, Cobalt Strike provides several techniques that allow a red team to execute targeted attacks to compromise a target network, establish a bridgehead on a host, and then move laterally to gain additional access to computers, accounts, and, eventually, data.

Cobalt Strike is a tool to support red teams in attack simulation exercises. The threat actors can choose between HTTP, HTTPS and DNS network communication. While the goal of Raphael Mudge, the author of Cobalt Strike, was to provide a framework to test network defenses to support the development of effective detection mechanisms and incident response procedures, the power provided by the tools was not lost on malicious actors (see, for example, ). Cobalt Strike uses GET and POST requests to communicate with the C2 server. The Cobalt Strike campaigns are as diverse as the operators who run them, employing a variety of lures, threat types, droppers, payloads, attack paths and use cases. This is a very useful feature when. Given its “dual nature” and wide adoption by both sides of the security battlefield, it is not surprising that security teams struggle to develop detection approaches to identify instances of Cobalt-Strike-related traffic, and, in particular, traffic associated with the command-and-control channel to compromised hosts.
Cobalt Strike supports many different types of attacks and allows you to generate payloads easily from the menu. The tool is so popular that there are Telegram channels and GitHub repositories dedicated to obtaining or producing modified, pirated copies of the Cobalt Strike software. For example, recently Cobalt Strike was used as part of both the SolarWinds supply-chain attack and the ransomware attacks against Colonial Pipeline. Soon, Cobalt Strike was copied, modified, and included in the toolset used in attacks against targets of all kinds.

A Brief Cobalt Strike Tutorial

Cobalt Strike has a client-server architecture, in which several users (e.g., the members of the red team performing the attack) connect to a Team Server using the Aggressor client application. The Team Server is the host that directly attacks the target network, and acts as a command-and-control component and team collaboration tool. Multiple Team Servers might be leveraged during an attack so that various activities (from phishing to initial compromise, to lateral movement) can be associated with different pieces of the infrastructure. One of the most important components of the Cobalt Strike framework is the Beacon component. By default, Cobalt Strike will use GET requests to retrieve information and POST requests to send information back to the server.

To this end, we developed a grammar-based approach to the generation of Cobalt Strike configurations and an infrastructure for the automated collection of traffic samples. We believe that this approach could be useful to other practitioners.
In addition to client-to-server C2 communication, Cobalt Strike provides a form of “peer-to-peer” beaconing, in which a compromised host infected with a Beacon component can use another compromised host (also infected with a Beacon component) to eventually reach the external C2 server. This Beacon-to-Beacon communication happens using SMB named pipes and can be structured hierarchically. Of course, a Beacon component also allows interactive access to the compromised host, if necessary.

In addition to different styles and frequencies for beaconing, Cobalt Strike implements the concept of “Malleable C2”. The framework defines a domain-specific language so that one can customize the information exchanged as part of the beacons. For example, one might specify that the information needs to be Base64 encoded and prepended with a specific string. The capability of modifying the C2 communication almost arbitrarily has two main advantages: on the one hand, one can make the communication “blend in” with benign traffic to avoid detection; on the other hand, one can mimic known malware or adware beacons so as to deceive security tools into classifying the traffic as a known (and possibly low-risk) threat.
Cobalt Strike Attack Generator And Request

To this end, we used the gramfuzz tool, which allows for the generation of instances of a grammar in a randomized fashion. The gramfuzz tool is a Python module that supports the specification of a document in terms of its components. For example, a configuration file can be expressed as the composition of a global options section, followed by a section defining the behavior of the HTTP server, followed by a section that focuses on the characteristics of the HTTP GET request, and finally a section about the HTTP POST request configuration, as in the following Python snippet:

The defined sections are then specified further. For example, the global options are a list of settings:

Finally, the value of specific fields can be described in terms of ranges of values. For example, one can specify that the sleeptime field in the global options section can take a value between 1,000 and 30,000:

CSDef("cs-sleeptime", CS_Set("sleeptime", Q(Int(min=1000, max=30000))), NEWLINE)

Once the grammar for the C2 configuration is specified, one can simply use gramfuzz to create a grammar generator and request the generation of randomized instances of the grammar, possibly specifying the level of recursion for the generation process:

Fuzzer.gen(cat_group=cat_group, num=num, max_recursion=recursion)

The result is a malleable C2 configuration file, which is then passed to c2lint, a tool distributed as part of the Cobalt Strike framework, that can be used to make sure that a profile has a valid format. Once the configuration file passes the c2lint tests, it is ready for deployment. For this purpose, we implemented a set of scripts using the Aggressor scripting language directly provided by Cobalt Strike.
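As an added illustration (our own code, not the authors' scripts and not the gramfuzz library), the following pure-Python miniature shows the two steps described above: composing a profile from grammar rules with a ranged sleeptime, then running a c2lint-style validity check over the result so that only well-formed samples reach the traffic-collection stage. The rule names (Int, Choice, Set, Seq, Block) and the URIs are constructed placeholders.

```python
import random
import re
import textwrap
# Added example, not the post's own code: a miniature of the grammar-based
# generator described above. These rule functions stand in for the gramfuzz
# fields (CSDef, CS_Set, Q, Int); each maps a random source to profile text.
def Int(lo, hi):                      # random integer in [lo, hi] as text
    return lambda rng: str(rng.randint(lo, hi))

def Choice(*options):                 # one of several constructed literals
    return lambda rng: rng.choice(options)

def Set(key, value):                  # a 'set key "value";' statement
    return lambda rng: f'set {key} "{value(rng)}";\n'

def Seq(*parts):                      # sub-rules concatenated in order
    return lambda rng: "".join(part(rng) for part in parts)

def Block(name, *parts):              # a named 'section { ... }' block
    body = Seq(*parts)
    return lambda rng: f"{name} {{\n{textwrap.indent(body(rng), '    ')}}}\n"

# Constructed grammar: global options, then the HTTP GET and POST sections.
# The URIs are illustrative placeholders, not taken from any real profile.
GLOBAL_OPTIONS = Seq(Set("sleeptime", Int(1000, 30000)), Set("jitter", Int(0, 50)))
HTTP_GET = Block("http-get", Set("uri", Choice("/api/v1/status", "/cdn/app.js")))
HTTP_POST = Block("http-post", Set("uri", Choice("/api/v1/submit", "/cdn/report")))
PROFILE = Seq(GLOBAL_OPTIONS, HTTP_GET, HTTP_POST)

def generate(seed):
    """Produce one randomized profile; a fixed seed makes the sample reproducible."""
    return PROFILE(random.Random(seed))

def sleeptime_of(profile):
    """Global sleeptime as an int, or None when the setting is absent."""
    m = re.search(r'^set sleeptime "(\d+)";$', profile, re.M)
    return int(m.group(1)) if m else None

def lint(profile):
    """Miniature c2lint-style check (ours, not Cobalt Strike's): sleeptime present and
    in range, each HTTP section a well-formed block of set statements; returns findings."""
    findings = []
    sleeptime = sleeptime_of(profile)
    if sleeptime is None or not 1000 <= sleeptime <= 30000:
        findings.append("sleeptime missing or outside 1000..30000")
    for section in ("http-get", "http-post"):
        pattern = rf'^{section} \{{\n(?:    set \w+ "[^"]*";\n)+\}}$'
        if not re.search(pattern, profile, re.M):
            findings.append(f"{section} section missing or malformed")
    return findings
```

Each seed yields a different but valid sample, which is what a detection pipeline needs when it is being exercised against traffic that varies in timing and URI shape rather than against one fixed profile.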
To achieve these requirements, we designed an orchestrator using a worker queue pattern backed by Docker and RabbitMQ. Conceptually, the system can be divided into four types of components: the C2 queue, the workers, the servers, and the victims. The C2 queue is a RabbitMQ queue holding the C2 profiles, generated in the previous stage of the pipeline, that need to be deployed and executed. A worker is a Docker container responsible for picking the profile at the top of the queue and spawning two additional containers: one for the Team Server and one for the victim host.

A reader familiar with Cobalt Strike might have noticed an inconsistency at this point: the victim is deployed inside a Linux container, but Cobalt Strike payloads are only available for Windows. To solve this problem, we decided to execute the payload using Wine, a popular compatibility layer capable of running Windows executables on POSIX-compliant systems. To avoid any possible side effects introduced by differences between the Wine network stack and the Windows native one, we compared network traces for the same type of interaction generated using both systems: after carefully comparing several of these traces we didn’t detect any notable differences.

Another problem we faced was implementing a system that would make the Team Server and the victim host interact automatically. For example, it is possible to listen to specific Beacon events and react accordingly by sending commands back to the victim or generating new artifacts, such as Beacons. Specifically, we use these capabilities to coordinate the communication exchange between the victim and the Team Server by using the following events:

ready: fired when a client is connected to the Team Server and it’s ready to act. We react to this event by generating a new Beacon executable and by creating a listener for it.
beacon_initial: fired when the Beacon contacts the server for the first time. We react to this event by sending the first command to the client (directory listing in our experiment).
beacon_output_ls: fired when the Beacon output of the ls command is received by the server.
Author: Rob