Cobalt Strike also provides a GUI to make lateral movement easier. Switch to the Targets Visualization or go to View -> Targets. Navigate to -> Jump and choose your desired lateral movement option.

First, decide which trust you want to use for lateral movement. If you want to use the token in one of your Beacons, check the Use session’s current access token box. If you want to use credentials or hashes for lateral movement, that’s OK too. Select credentials from the credential store or populate the User, Password, and Domain fields. Beacon will use this information to generate an access token for you. Keep in mind, you need to operate from a high integrity context for this to work.

Next, choose the listener to use for lateral movement. The SMB Beacon is usually a good candidate here.

Last, select which session you want to perform the lateral movement attack from. Cobalt Strike’s asynchronous model of offense requires each attack to execute from a compromised system. There is no option to perform this attack without a Beacon session to attack from. If you’re on an internal engagement, consider hooking a Windows system that you control and use that as your starting point to attack other systems with credentials or hashes.

Cobalt Strike will activate the tab for the selected Beacon and issue commands to it. Feedback from the attack will show up in the Beacon console.

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.

Cobalt Strike is a platform for adversary simulations and red team operations. The product is designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors. This section describes the attack process supported by Cobalt Strike’s feature set. The rest of this manual discusses these features in detail.

Overview

A thought-out targeted attack begins with reconnaissance. Cobalt Strike’s system profiler is a web application that maps your target’s client-side attack surface. The insights gleaned from reconnaissance will help you understand which options have the best chance of success on your target.

Weaponization is pairing a post-exploitation payload with a document or exploit that will execute it on target. Cobalt Strike has options to turn common documents into weaponized artifacts. Cobalt Strike also has options to export its post-exploitation payload, Beacon, in a variety of formats for pairing with artifacts outside of this toolset.

Use Cobalt Strike’s spear phishing tool to deliver your weaponized document to one or more people in your target’s network. Cobalt Strike’s phishing tool repurposes saved emails into pixel-perfect phishes.

Control your target’s network with Cobalt Strike’s Beacon. This post-exploitation payload uses an asynchronous “low and slow” communication pattern that’s common with advanced threat malware. Beacon will phone home over DNS, HTTP, or HTTPS. Beacon walks through common proxy configurations and calls home to multiple hosts to resist blocking.

Exercise your target’s attack attribution and analysis capability with Beacon’s Malleable Command and Control language. Reprogram Beacon to use network indicators that look like known malware or blend in with existing traffic.

Pivot into the compromised network, discover hosts, and move laterally with Beacon’s helpful automation and peer-to-peer communication over named pipes and TCP sockets. Cobalt Strike is optimized to capture trust relationships and enable lateral movement with captured credentials, password hashes, access tokens, and Kerberos tickets.

Demonstrate meaningful business risk with Cobalt Strike’s user-exploitation tools. Cobalt Strike’s workflows make it easy to deploy keystroke loggers and screenshot capture tools on compromised systems. Use browser pivoting to gain access to websites that your compromised target is logged onto with Internet Explorer. This Cobalt Strike-only technique works with most sites and bypasses two-factor authentication.

Cobalt Strike’s reporting features reconstruct the engagement for your client. Provide the network administrators an activity timeline so they may find attack indicators in their sensors. Cobalt Strike generates high quality reports that you may present to your clients as stand-alone products or use as appendices to your written narrative.

Throughout each of the above steps, you will need to understand the target environment, its defenses, and reason about the best way to meet your objectives with what is available to you. It is not Cobalt Strike’s goal to provide evasion out-of-the-box.