User-driven Attack Packages

The best attacks are not exploits. Rather, the best attacks take advantage of normal features to get code execution. Cobalt Strike makes it easy to set up several user-driven attacks. These attacks take advantage of listeners you’ve already set up. Navigate in the menu to Payloads and choose one of the following options.

HTML Application

An HTML Application is a Windows program written in HTML and an Internet Explorer-supported scripting language. This package generates an HTML Application that runs a Cobalt Strike listener.

Navigate to Payloads -> HTML Application.

figure 38 - HTML Application Attack

Press Generate to create the HTML Application.

MS Office Macro

The Microsoft Office Macro tool generates a macro to embed into a Microsoft Word or Microsoft Excel document.

Navigate to Payloads -> MS Office Macro.

figure 39 - MS Office Macro

Choose a listener and press Generate to create the step-by-step instructions to embed your macro into a Microsoft Word or Excel document.

This attack works well when you can convince a user to run macros when they open your document.
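
A defender-side check for the documents this package targets, added here as an example and not part of Cobalt Strike or its documentation: it flags Word and Excel attachments that carry a VBA project before a user is asked to enable macros. The function names, verdict labels and sample files are assumptions constructed for the illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file
MACRO_FREE_EXT = (".docx", ".xlsx")            # extensions that must not carry VBA

def triage_office_file(name, data):
    """Return (verdict, detail) for one attachment, given its file name and bytes."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can hold VBA; this example does not parse OLE storages.
        return ("review", "legacy OLE container")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("skip", "not an Office container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return ("skip", "zip archive without OOXML content types")
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if not vba_parts and "macroEnabled" not in content_types:
        return ("clean", "no VBA project part")
    detail = ", ".join(vba_parts) or "macroEnabled content type"
    if name.lower().endswith(MACRO_FREE_EXT):
        return ("block", "VBA in macro-free extension: " + detail)
    return ("flag", "VBA project present: " + detail)

def build_sample(parts):
    """Build a constructed in-memory OOXML-style zip from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, body in parts.items():
            zf.writestr(part, body)
    return buf.getvalue()

# Constructed samples (not real documents): minimal part lists only.
CLEAN = build_sample({
    "[Content_Types].xml": b"<Types><Override ContentType='application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml'/></Types>",
    "word/document.xml": b"<w:document/>",
})
MACRO = build_sample({
    "[Content_Types].xml": b"<Types><Override ContentType='application/vnd.ms-word.document.macroEnabled.main+xml'/></Types>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"constructed placeholder",
})

if __name__ == "__main__":
    for fname, blob in [("report.docx", CLEAN), ("invoice.docm", MACRO),
                        ("invoice.docx", MACRO), ("old.doc", OLE_MAGIC + b"\0" * 8)]:
        print(fname, triage_office_file(fname, blob))
```

Legacy OLE files are only routed to review here; confirming whether they contain macros requires an OLE-aware parser.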

Payload Generator

Cobalt Strike's Payload Generator outputs source code and artifacts to stage a Cobalt Strike listener onto a host. Think of this as the Cobalt Strike version of msfvenom.

Navigate to Payloads -> Stager Payload Generator.

figure 40 - Payload Generator

Press Generate to create a payload for the selected output type.

Payload Generator (stageless)

Cobalt Strike's Payload Generator outputs source code and artifacts that deliver a Cobalt Strike listener onto a host without a stager.

Navigate to Payloads -> Stageless Payload Generator.

figure 41 - Stageless Payload Generator

Press Generate to create a payload for the selected output type.

Windows Executable

This package generates a Windows executable artifact that delivers a payload stager.

Navigate to Payloads -> Windows Stager Payload.

figure 43 - Windows Executable

This package provides the following output options:

Press Generate to create a payload stager artifact.

Cobalt Strike uses its Artifact Kit to generate this output.

Windows Executable (Stageless)

This package exports Beacon, without a stager, as an executable, service executable, 32-bit DLL, or 64-bit DLL. A payload artifact that does not use a stager is called a stageless artifact. This package also has a PowerShell option to export Beacon as a PowerShell script and a raw option to export Beacon as a blob of position independent code.

Navigate to Payloads -> Windows Stageless Payload.

figure 44 - Windows Stageless Executable

This package provides the following output options:

Press Generate to create a stageless artifact.

Cobalt Strike uses its Artifact Kit to generate this output.

Windows Executable (Stageless) Variants

This option generates all the stageless payloads (in x86 and x64) for all the configured listeners. Use the listeners_stageless Aggressor Script function to see the list of listeners that will be used for the active team server.

Navigate to Payloads -> Windows Stageless Generate All Payloads.

figure 46 - Windows Stageless Executable Variants

Press Generate to create a stageless artifact.

 
