Cobalt Strike Guide: Getting started and learning how to use the framework effectively. Want to learn Cobalt Strike and use it in effective cyber tactical operations? Our Cobalt Strike guide provides entry-level access and comprehensive training to help you become an expert in this powerful framework. With our guide, you’ll get all the information and understanding you need to know how Cobalt Strike works and how to customize it for your needs. We’ll cover various aspects of using the framework, including data collection and analysis, deploying cyber decoys, exploiting vulnerabilities, and managing attacks.
Our guide offers practical examples, explanations of key concepts, and step-by-step instructions on how to complete various tasks using Cobalt Strike. You will learn how to effectively use its features and tools to achieve your cybersecurity goals. With our Cobalt Strike guide, you can quickly learn the framework and start using it in your projects. We’ll help you understand its powerful capabilities and teach you how to use it effectively for your cybersecurity needs. Access the Cobalt Strike tutorial today and expand your skills in this essential framework for penetration testing and cybersecurity.
Cobalt Strike includes several features to help you lock onto your target. This applies to both the profiling of potential targets and the creation and delivery of the payload.
System Profiler
System Profiler is a client-side attack intelligence tool. This tool runs a local web server and fingerprints everyone who visits it. System Profiler provides a list of programs and plug-ins that it finds in the user’s browser. System Profiler also tries to discover the internal IP address of users behind a proxy server.
To run System Profiler, go to Attack -> System Profiler. To run the profiler, you need to specify the binding URI and port to run the Cobalt Strike web server.
If you provide a redirect URL, Cobalt Strike will redirect visitors to that URL after collecting their profile. Click the Launch button to start System Profiler.
System Profiler uses an unsigned Java applet to detect the visitor’s internal IP address and to determine which version of Java is installed. Because of Java’s click-to-run security feature, this may raise suspicions. Clear the Use Java applet to get information check box to remove the Java applet from System Profiler.
Check Enable SSL to allow access to System Profiler over SSL. This field will be disabled unless you specify a valid SSL certificate using Malleable C2. This is discussed in section 11.
Application Explorer
To view the results of System Profiler, go to View -> Applications. The “Applications” tab will open with a table with all the information about the applications collected by the system profiler.
Analysis tips
The application explorer contains a lot of useful information for planning a targeted attack. Here’s how to get the most out of this information:
The Internal IP address field is collected by a benign, unsigned Java applet. If this field says “unknown,” the Java applet most likely did not run. If you see an IP address here, the unsigned Java applet ran. Internet Explorer reports its installed version, but that version string does not change when updates are applied. Cobalt Strike therefore uses the version of JScript.dll to estimate how patched Internet Explorer is. Go to support.microsoft.com and look up the build number of JScript.dll (the third number in the version string) to match it to an Internet Explorer update. *64 next to an application means it’s an x64 application.
Many of Cobalt Strike’s features run on its own web server. These services include System Profiler, HTTP Beacon and Web Drive-by attacks. It is possible to host multiple Cobalt Strike functions on a single web server.
To manage Cobalt Strike web services, go to View -> Web Drive-by -> Manage. Here you can copy any Cobalt Strike URL to the clipboard or stop a Cobalt Strike web service. Use View -> Web Log to track visits to Cobalt Strike web services.
If the web server sees a request from Lynx, Wget, or curl, Cobalt Strike automatically returns a 404 page. It does this as a small defense against blue-team reconnaissance. The list of blocked user agents can be configured with the Malleable C2 profile option .http-config.block_useragents.
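The 404-for-scripted-clients behaviour described above is something a threat hunter can turn around as a (weak) infrastructure indicator. The following is an added example, not code from the page or from the product: it parses a constructed probe log (a hypothetical "host path status \"user agent\"" format, not a real tool's) and flags host/path pairs where Lynx, Wget or curl agents only ever received a 404 while a browser agent received a 200.

```python
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Tuple

# User-agent prefixes the text says Cobalt Strike answers with a 404 by default.
SCRIPTED_AGENT_PREFIXES = ("lynx/", "wget/", "curl/")


class Observation(NamedTuple):
    host: str        # server that answered
    path: str        # requested path
    user_agent: str  # User-Agent header that was sent
    status: int      # HTTP status that came back


def agent_class(user_agent: str) -> str:
    """Classify a User-Agent as 'scripted', 'browser' or 'other'."""
    ua = user_agent.lower()
    if ua.startswith(SCRIPTED_AGENT_PREFIXES):
        return "scripted"
    if ua.startswith("mozilla/"):
        return "browser"
    return "other"


def parse_probe_line(line: str) -> Observation:
    """Parse one line of the constructed probe-log format used below:
    <host> <path> <status> "<user agent>"  (hypothetical format)."""
    head, _, quoted = line.partition(' "')
    host, path, status = head.split()
    return Observation(host, path, quoted.rstrip('"'), int(status))


def differential_404(observations: Iterable[Observation]) -> List[Tuple[str, str]]:
    """Return (host, path) pairs where every scripted agent got a 404 while a
    browser agent got a 200 for the same path. Treat a hit as a lead, not proof:
    many ordinary sites reject scrapers too, and the Malleable C2 option
    .http-config.block_useragents can change or disable this behaviour."""
    seen = defaultdict(lambda: {"scripted": set(), "browser": set()})
    for obs in observations:
        cls = agent_class(obs.user_agent)
        if cls != "other":
            seen[(obs.host, obs.path)][cls].add(obs.status)
    hits = []
    for key, statuses in seen.items():
        scripted, browser = statuses["scripted"], statuses["browser"]
        if scripted and scripted == {404} and 200 in browser:
            hits.append(key)
    return sorted(hits)


# Constructed sample probe log (documentation IP ranges, invented paths).
SAMPLE_LOG = """\
203.0.113.10 /download/update.hta 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
203.0.113.10 /download/update.hta 404 "curl/8.4.0"
203.0.113.10 /download/update.hta 404 "Wget/1.21.4"
198.51.100.7 /index.html 200 "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0"
198.51.100.7 /index.html 200 "curl/8.4.0"
198.51.100.7 /missing.txt 404 "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0"
198.51.100.7 /missing.txt 404 "Lynx/2.9.0dev.10"
"""


def sample_findings() -> List[Tuple[str, str]]:
    """Run the heuristic over the constructed sample log."""
    return differential_404(parse_probe_line(l) for l in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for host, path in sample_findings():
        print(f"differential 404 behaviour: {host}{path}")
```

Only the first host is flagged: the second serves curl and the browser identically, and its /missing.txt path is a genuine 404 for everyone.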
The best attacks aren’t exploits at all. Rather, the best attacks take advantage of ordinary functionality to gain code execution. Cobalt Strike makes it easy to set up several user-driven attacks. These attacks use the listeners you have already set up. Go to the Payloads menu and select one of the following options.
HTML application
An HTML application is a Windows program written in HTML and a scripting language supported by Internet Explorer. This package generates an HTML application that runs a Cobalt Strike listener.
Go to Payloads -> HTML Application.
Listener – Click the … button to select the listener to generate the payload for.
Method – Use the drop-down list to select one of the following methods to start the selected Listener:
Executable: This method writes an executable file to disk and runs it.
PowerShell: This method uses a one-line PowerShell command to run the stager.
VBA: This method uses Microsoft Office macros to inject the payload into memory. The VBA method requires Microsoft Office to be installed on the target system.
Click the Create button to create an HTML application.
MS Office macros
The Microsoft Office Macro tool creates a macro to embed in a Microsoft Word or Microsoft Excel document.
Go to Payloads -> MS Office Macro.
Select a listener and click Create to get step-by-step instructions for embedding the macro in a Microsoft Word or Excel document.
This attack works well when you can convince the user to run the macros when they open the document.
Payload generator
The payload generator outputs source code and artifacts that run a listener’s stager on a host. Think of it as Cobalt Strike’s version of msfvenom.
Go to Payloads -> Stager Payload Generator.
Parameters
Listener – Click the … button to select the listener to generate the payload for.
Output – Use the drop-down list to select one of the following output types (most options give you shellcode formatted as a byte array for the given language):
C: Shellcode formatted as a byte array.
C#: Shellcode formatted as a byte array.
COM Scriptlet: An .sct file that runs the listener’s stager.
Java: Shellcode formatted as a byte array.
Perl: Shellcode formatted as a byte array.
PowerShell: A PowerShell script to run the shellcode.
PowerShell Command: A one-line PowerShell command to run the Beacon stager.
Python: Shellcode formatted as a byte array.
Raw: A block of position-independent shellcode.
Ruby: Shellcode formatted as a byte array.
Veil: Custom shellcode suitable for use with the Veil Evasion framework.
VBA: Shellcode formatted as a byte array.
x64 – Set to generate an x64 stager for the selected listener.
Click the Create button to create a payload for the selected output type.
Payload generator (stageless)
The Cobalt Strike stageless payload generator outputs stageless source code and artifacts that run a listener’s payload on a host.
Parameters
Listener – Click the … button to select the listener to generate the payload for.
Output – Use the drop-down list to select one of the following output types (most options give you shellcode formatted as a byte array for the given language):
C: Shellcode formatted as a byte array.
C#: Shellcode formatted as a byte array.
Java: Shellcode formatted as a byte array.
Perl: Shellcode formatted as a byte array.
Python: Shellcode formatted as a byte array.
Raw: A block of position-independent shellcode.
Ruby: Shellcode formatted as a byte array.
VBA: Shellcode formatted as a byte array.
Exit Function – Select Process or Thread to choose how the payload exits.
x64 – Set to generate an x64 payload for the selected listener.
Click the Create button to create a payload for the selected output type.
Windows executable
This package generates a Windows executable artifact that delivers a stager.
Go to Payloads -> Windows Stager Payload.
This package provides the following creation options:
Listener – Click the … button to select the listener to generate the payload for.
Output – Use the drop-down list to select one of the following output types:
Windows EXE: An executable file for Windows.
Windows Service EXE: executable file for Windows that responds to Service Control Manager commands. You can use this executable to create a Windows service using sc or as a custom executable using the PsExec modules in the Metasploit framework.
Windows DLL: A Windows DLL that exports the StartW function compatible with rundll32.exe. Use rundll32.exe to load the DLL from the command line. rundll32 foo.dll,StartW
x64 – Set to generate x64 artifacts paired with an x64 stager. By default, this dialog exports x64 stagers.
Sign – Set to sign the EXE or DLL artifact with a code-signing certificate. The certificate must be specified in the Malleable C2 profile.
Click the Create button to create a stager artifact.
Cobalt Strike uses the Artifact Kit to build these artifacts.
This option generates all stageless payloads (in x86 and x64) for all configured listeners.
Go to Payloads -> Windows Stageless Generate All Payloads.
Folder – Click the folder button to select a location to save the payloads.
Sign – Set to sign the EXE or DLL artifacts with a code-signing certificate. The certificate must be specified in the Malleable C2 profile.
Click the Create button to create the stageless artifacts.
The Cobalt Strike web server can host your custom packages. Select Site Management -> Host File from the menu and follow these steps to configure it:
Select the file you want to place.
Choose an arbitrary URL.
Select the mime type for the file.
By itself, the ability to host a file is not especially impressive. However, in the following sections you will learn how to embed Cobalt Strike URLs in a phishing email. When you do this, Cobalt Strike can match visitors to your file with the emails sent and include this information in a social engineering report.
Set the Enable SSL option to transmit this content over SSL. This option is available if a valid SSL certificate is specified in the Malleable C2 profile.
Cobalt Strike provides several tools to set up web drive-by attacks. To quickly launch an attack, go to Attacks and select one of the following options:
Java Signed Applet attack
This attack launches a web server that hosts a self-signed Java applet. Visitors are asked to give permission to launch the applet. When a visitor gives this permission, you gain access to their system.
A signed Java applet attack uses the Cobalt Strike Java injector. On Windows, the Java Injector will inject shellcode for the Listener directly into memory.
Go to Attacks -> signed applet attack.
Local URL / Host / Path – Set the local URL path, host and port to configure the web server.
Listener – Click the … button to select the listener to generate the payload for.
SSL – Configured to transmit this content over SSL. This option is available if you have specified a valid SSL certificate in your Malleable C2 profile.
Click the Launch button to start the attack.
Java Smart Applet attack
The Cobalt Strike Smart Applet attack combines several exploits to disable the Java security sandbox into a single package. This attack launches a web server that hosts a Java applet. Initially, the applet runs in the Java security sandbox and does not require user permission to run.
The applet analyzes the environment and decides which exploit to use. If the Java version is vulnerable, the applet disables the security sandbox and executes the payload using the Cobalt Strike Java injector.
Go to Attacks -> Smart Applet Attack.
Local URL/Host/Path – Set the Local URL Path, Host and Port to configure the web server.
Listener – Click the … button to select the listener to generate the payload for.
SSL – Configured to transmit this content over SSL. This option is available if you have specified a valid SSL certificate in your Malleable C2 profile.
Click the Launch button to start the attack.
Scripted Web Delivery
This feature generates a stageless artifact, hosts it on the Cobalt Strike web server, and presents a one-line command to download and run it.
Go to Attacks -> Scripted Web Delivery (S).
Parameters
Local URL/host/path – set the local URL path, host and port to configure the web server. Make sure the Host field matches the CN field of your SSL certificate. This will avoid a situation where the function will not work due to a mismatch between these fields.
Listener – Click the … button to select the listener to generate the payload for.
Type – Select one of the following types from the drop-down menu:
bitsadmin: This option hosts an executable and uses bitsadmin to download it. The bitsadmin method runs the executable via cmd.exe.
exe: This option generates an executable file and hosts it on the Cobalt Strike web server.
powershell: This option hosts a PowerShell script and uses powershell.exe to download and evaluate it.
powershell IEX: This option hosts a PowerShell script and uses powershell.exe to download and evaluate it. It is similar to the previous powershell option, but produces a shorter one-liner built around Invoke-Expression.
python: This option hosts a Python script and uses python.exe to download and run it.
x64 – Configured to generate an x64 stager for the selected Listener.
SSL – Configured to transmit this content over SSL. This option is available if you have specified a valid SSL certificate in your Malleable C2 profile.
Click the Launch button to start the attack.
You can use Metasploit Framework exploits to deliver Beacon. Beacon is compatible with Metasploit’s staging protocol. To deliver Beacon with a Metasploit Framework exploit:
Use windows/meterpreter/reverse_http[s] in the PAYLOAD parameter and configure LHOST and LPORT to point to your listener. You don’t pass Meterpreter, but you tell the Metasploit framework to create a staging HTTP[s] that will download the payload from the specified LHOST/LPORT.
Set DisablePayloadHandler to true. This will allow the Metasploit framework to avoid creating handlers inside the framework to service your payload connection.
Set PrependMigrate to true. This option tells the Metasploit framework to add shellcode that runs the payload stager in another process. This will help your beacon session to persist in the event of the exploit application crashing or being closed by the user.
Below is a screenshot of msfconsole used to create a Flash exploit to deliver an HTTP beacon located at 192.168.1.5 on port 80:
Before sending an exploit to a target, it must be dressed up. Cobalt Strike’s website cloning tool can help with this. The site clone tool creates a local copy of a site with a little code added to fix links and images so they work properly.
To clone a site, go to Site Management -> Clone Site.
You can combine the attack with a cloned site. To do this, write its URL in the Attack field, and Cobalt Strike will add it to the cloned site using IFRAME. Click the … button to select one of the running client-side exploits.
Cloned sites can also track keystrokes. Set the Keystroke Log on the cloned site. This will allow you to insert a JavaScript keylogger into the cloned site.
To view the keystrokes saved in the logs or to see the visitors to the cloned site, go to View -> Web Log.
Set the Enable SSL option to transmit this content over SSL. This option is available if you have specified a valid SSL certificate in your Malleable C2 profile. Make sure the Host field matches the CN field of your SSL certificate. This will avoid a situation where the function will not work due to a mismatch between these fields.
Now that you have an idea of client-side attacks, let’s talk about how to deliver the attack to the user. The most common way to break into an organization’s network is phishing. Cobalt Strike’s Spear Phish tool allows you to send pixel-perfect emails using an arbitrary message as a template.
Targets
Before you send a phishing email, you need to gather a list of targets. Cobalt Strike expects targets in a text file, with one target per line. A target may be just an email address, or an email address, a tab, and a name. If a name is provided, Cobalt Strike uses it to personalize each phishing email.
Templates
Next, you’ll need a phishing template. The advantage of templates is that you can reuse them in different operations. Cobalt Strike uses saved emails as templates. Cobalt Strike removes attachments, fixes coding issues, and rewrites each template for a specific phishing attack.
If you want to create your own template, create a message and send it to yourself. Most email clients have the ability to retrieve the original text of the message. In Gmail, click the down arrow next to the Reply button and select Show Original. Save this message to a file and then congratulate yourself – you’ve created your first Cobalt Strike phishing template.
You can customize your template with Cobalt Strike tokens. Cobalt Strike replaces the following tokens in your templates:
%To% – The email address of the person the email is sent to.
%To_Name% – The name of the person the email is sent to.
%URL% – The contents of the Embed URL field in the spear phishing dialog.
Sending messages
Now that you have your targets and a template, you can start phishing. To launch the spear phishing tool, go to Attacks -> Spear Phish.
To send a phishing email, you first need to import a list of targets. You can import a plain text file that contains one email address per line. Import a file that contains the email address and name separated by tabs or commas to personalize your message. Click the folder next to the Targets field to import the targets file.
Set Template to an email template. The Cobalt Strike email template is just a saved email. Cobalt Strike will remove redundant headers, delete attachments, rewrite URLs, re-encode the message and rewrite it for you.
Click on the folder next to the Template field to select one of them.
You have the option to add an attachment. This is a good reason to use one of the social engineering packages mentioned earlier. Cobalt Strike will add the attachment to the outgoing phishing email.
Cobalt Strike does not allow you to compose a letter. Use a mail client, write a message and send it to yourself. Most web mail clients have the ability to see the original text of the message. In GMail, click the down arrow next to the Reply button and select Show Original.
You can also instruct Cobalt Strike to rewrite all URLs in the template to a URL of your choice. Set the Embed URL option to have Cobalt Strike rewrite each URL in the email template to the specified URL. URLs added in this way contain a token that allows Cobalt Strike to tie any visitor to a specific phishing email. Cobalt Strike’s reporting and web log features take advantage of this token.
Click … to select one of the sites hosted on Cobalt Strike.
When you paste a URL, Cobalt Strike appends ?id=%TOKEN% to it. Each message sent will receive its own token. Cobalt Strike uses this token to match site visitors to emails sent. If you care about generating reports, be sure to keep this value.
Set Mail Server to an open relay or a mail exchange (MX) server. If necessary, you can also authenticate to the mail server to send phishing emails.
Click … next to the Mail Server field to configure additional server settings. You can specify a username and password for authentication.
The Random Delay option tells Cobalt Strike to delay each message for a random amount of time, up to the specified number of seconds. If this option is not set, Cobalt Strike will not delay its messages.
Set Bounce To to the email address to which bounced messages should be sent. This value does not affect what the targets see.
Click the Preview button to view the generated message for one of the recipients. If everything looks good in the preview, click Send to execute the attack. Cobalt Strike sends phishing emails through the team server.
HelpSystems regularly gets asked about evasion. Does Cobalt Strike bypass antivirus products? Which antivirus products does it bypass? How often is this checked?
By default, Cobalt Strike artifacts are likely to be detected by most endpoint security solutions. While evasion is not the product’s default goal, Cobalt Strike provides some flexibility.
You, the operator, can modify the executables, DLLs, applets, and script templates that Cobalt Strike uses in its workflows. You can also export the Cobalt Strike beacon payload into various formats that work with third-party tools designed to facilitate evasion.
This chapter describes the features of Cobalt Strike that provide this flexibility.
Cobalt Strike uses the Artifact Kit to build its executables and DLLs. The Artifact Kit is part of the Arsenal Kit, which contains a collection of kits; it is a source code framework for building executables and DLLs that evade some antivirus products.
Artifact Kit theory
Traditional antivirus products use signatures to detect known malware. If we embed our known-malicious shellcode into an executable, an antivirus product will recognize the shellcode and flag the executable as malicious.
To avoid this detection, an attacker usually obfuscates the shellcode in some way and places it in a binary. This obfuscation defeats antivirus products that use simple string searches to detect malicious code.
Many antivirus products go further. They emulate the execution of an executable in a virtual sandbox. At each step of the emulation, the antivirus product checks the emulated process space for known malware. If known malware is detected, the antivirus product flags the executable or DLL as malicious. This technique defeats many encoders and packers that try to hide known malware from signature-based antivirus products.
Cobalt Strike’s counter to this is simple. The antivirus sandbox has limitations. It is not a full virtual machine. There is system behavior that the antivirus sandbox does not emulate.
The Artifact Kit is a collection of executable and DLL templates that use some behavior the antivirus sandbox does not emulate to recover the shellcode inside the executable.
One technique (see src-common/bypass-pipe.c in the Artifact Kit) generates executables and DLLs that pass the shellcode through a named pipe. If the antivirus sandbox does not emulate named pipes, it will not find the malicious shellcode.
Of course, antivirus products can catch specific Artifact Kit implementations. If the antivirus vendor writes signatures for the technique you use, the executables and DLLs it builds will get caught. This started to happen over time with the default bypass technique in Cobalt Strike 2.5 and below. If you want to get the most out of the Artifact Kit, you will use one of its techniques as a basis for developing your own Artifact Kit implementation.
However, even this is not enough. Some antivirus products call home to the antivirus vendor’s servers. There, the vendor determines whether the executable or DLL is known and legitimate, or an unknown, never-before-seen executable or DLL. Some of these products automatically send unknown executables and DLLs to the vendor for further analysis and user notification. Others treat unknown executables and DLLs as malicious. It depends on the product and its settings.
The point is that no amount of obfuscation will help you in this situation. You are facing a different kind of defense and will have to work around it accordingly. Treat these situations the same way you would application whitelisting. Try to find a legitimate program (such as PowerShell) that will deliver your stager into memory.
Go to Help -> Arsenal from a licensed Cobalt Strike to download the Arsenal Kit. You can also access the Arsenal directly at https://www.cobaltstrike.com/scripts
HelpSystems distributes the Arsenal Kit as a .tgz file. Use the tar command to extract it. The Arsenal Kit includes the Artifact Kit, which can be built together with the other kits or as a standalone kit. For information on building the kits, see the README.md file.
You are encouraged to modify the Artifact Kit and its techniques to suit your needs. Of course, experienced C programmers can do more with it, but a non-programmer can work with it too. For example, a major antivirus product likes to write signatures for the executables in the Cobalt Strike trial every time it is released.
Prior to version 2.5, the trial and licensed versions of Cobalt Strike used the named pipe technique in their executables and DLLs. The vendor wrote a signature for the named pipe string used by the executable.
Defeating their signatures, release after release, was a simple matter of changing the pipe name in the technique’s source code.
Veil is a popular framework for generating executable files that bypass some antivirus products. You can use Veil to create Cobalt Strike executables.
Steps:
Go to Payloads -> Stager Payload Generator.
Select the handler for which you want to create an executable.
Select Veil as the output type.
Click the Create button and save the file.
Launch the Veil Evasion framework and select the technique you want to use.
Veil will eventually ask for shellcode. Select the Veil option to provide your own shellcode.
Paste the contents of the file generated by the Cobalt Strike payload generator.
Press Enter and you’ll get the new executable that Veil created.
HelpSystems distributes the source code of the Cobalt Strike Java Applet attacks as an Applet Kit. It is also available in the Cobalt Strike arsenal. Go to Help -> Arsenal and download the applet kit.
Use the included build.sh script to build the applet suite on Kali Linux. Many Cobalt Strike users use this feature to sign a Java applet attack using a purchased code signing certificate.
We strongly recommend doing this.
To force Cobalt Strike to use your Applet Kit instead of the built-in one, load the applet.cna script that comes with the Applet Kit.
On the Cobalt Strike Arsenal page, you will also notice a Power Applet. This is an alternative implementation of the Cobalt Strike Java applet attacks that uses PowerShell to deliver the payload into memory. The Power Applet demonstrates how much flexibility you have to recreate standard Cobalt Strike attacks in a completely different way and still use them in your workflows.
The Resource Kit is Cobalt Strike’s tool for modifying the HTA, PowerShell, Python, VBA, and VBS scripting templates that Cobalt Strike uses in its workflows. The Resource Kit is part of the Arsenal Kit, which contains a collection of kits and is available to users with a license in the Cobalt Strike arsenal. Go to Help -> Arsenal to download the Arsenal Kit.
The README.md file that comes with the resource kit describes the included scripts and the functions they use. To bypass the protection, change the lines or behavior in these scripts.
To force Cobalt Strike to use your script templates instead of the built-in script templates, load the dist/arsenal_kit.cna or dist/resource/resources.cna script. For more information, see the Arsenal Kit’s README.md file.
The Sleep Mask Kit is the source code for the sleep mask function, which is executed to obfuscate Beacon in memory before it goes to sleep. This obfuscation technique can itself be used to identify Beacon. To prevent this, Cobalt Strike provides an Aggressor script that lets the user change the appearance of the sleep mask function in memory. Version 4.5 includes a list of bulk entries for masking and unmasking. Go to Help -> Arsenal to download the Arsenal Kit, which includes the Sleep Mask Kit. You will need your license key for this.
For more information on the sleep mask kit, see arsenal-kit/README.md and arsenal-kit/kits/sleepmask/README.md.
Thanks to various open source guides.