User-driven Attack Packages

The best attacks are not exploits. Rather, the best attacks take advantage of normal features to get code execution. Cobalt Strike makes it easy to setup several user-driven attacks. These attacks take advantage of listeners you’ve already setup. Navigate in the menu to Payloads and choose one of the following options.

HTML Application

An HTML Application is a Windows program written In HTML and an Internet Explorer supported scripting language. This package generates an HTML Application that runs a Cobalt Strike listener.

Navigate to Payloads -> HTML Application.

figure 36 - HTML Application Attack

Listener - Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

Method - Use the drop-down to select one of the following methods to run the selected listener:

Executable: This method writes an executable to disk and run it.

PowerShell: This method uses a PowerShell one-liner to run your payload stager.

VBA: This method uses a Microsoft Office macro to inject your payload into memory. The VBA method requires Microsoft Office on the target system.

Press Generate to create the HTML Application.

MS Office Macro

The Microsoft Office Macro tool generates a macro to embed into a Microsoft Word or Microsoft Excel document.

Navigate to Payloads -> MS Office Macro.

figure 37 - MS Office Macro

Choose a listener and press Generate to create the step-by-step instructions to embed your macro into a Microsoft Word or Excel document.

This attack works well when you can convince a user to run macros when they open your document.

Payload Generator

Cobalt Strike's Payload Generator outputs source code and artifacts to stage a Cobalt Strike listener onto a host. Think of this as the Cobalt Strike version of msfvenom.

Navigate to Payloads -> Stager Payload Generator.

figure 38 - Payload Generator

Listener - Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

Output - Use the drop-down to select one of the following output types (most options give you shellcode formatted as a byte array for that language):

C: Shellcode formatted as a byte array.

C#: Shellcode formatted as a byte array.

COM Scriptlet: A .sct file to run a listener

Java: Shellcode formatted as a byte array.

Perl: Shellcode formatted as a byte array.

PowerShell: PowerShell script to run shellcode

PowerShell Command: PowerShell one-liner to run a Beacon stager.

Python: Shellcode formatted as a byte array.

Raw: blob of position independent shellcode.

Ruby: Shellcode formatted as a byte array.

Veil: Custom shellcode suitable for use with the Veil Evasion Framework.

VBA: Shellcode formatted as a byte array.

x64 - Check the box to generate an x64 stager for the selected listener.

Press Generate to create a Payload for the selected output type.

Payload Generator (stageless)

Cobalt Strike's Payload Generator outputs source code and artifacts, without a stager, to a Cobalt Strike listener onto a host.

Navigate to Payloads -> Stageless Payload Generator.

figure 39 - Stageless Payload Generator

Listener - Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

Guardrails - If your listener has been configured with gauardrails, the value is displayed as the default. Use the ... button to override the settings for the beacon.

figure 40 - Guardrail Settings

Output - Use the drop-down to select one of the following output types (most options give you shellcode formatted as a byte array for that language):

C: Shellcode formatted as a byte array.

C#: Shellcode formatted as a byte array.

Java: Shellcode formatted as a byte array.

Perl: Shellcode formatted as a byte array.

Python: Shellcode formatted as a byte array.

Raw: blob of position independent shellcode.

Ruby: Shellcode formatted as a byte array.

VBA: Shellcode formatted as a byte array.

Exit Function - This function determines the method/behavior that Beacon uses when the exit command is executed.

Process: Terminates the whole process.

Thread: Terminates only the current thread.

System Call - Select one of the following system call methods to use at execution time when generating a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

HTTP Library - -Select the Microsoft library (WinINet or WinHTTP) for the generated payload.

x64 - Check the box to generate an x64 stager for the selected listener.

Press Generate to create a Payload for the selected output type.

Windows Executable

This package generates a Windows executable artifact that delivers a payload stager.

Navigate to Payloads -> Windows Stager Payload.

figure 41 - Window Executable

This package provides the following output options:

Listener - Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

Output - Use the drop-down to select one of the following output types.

Windows EXE: A Windows executable.

Windows Service EXE: A Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit Framework’s PsExec modules.

Windows DLL: A Windows DLL that exports a StartW function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line.

rundll32 foo.dll,StartW

x64- Check the box to generate x64 artifacts that pair with an x64 stager. By default, this dialog exports x64 payload stagers.

sign - Check the box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

Press Generate to create a payload stager artifact.

Cobalt Strike uses its Artifact Kit to generate this output.

Windows Executable (Stageless)

This package exports Beacon, without a stager, as an executable, service executable, 32-bit DLL, or 64-bit DLL. A payload artifact that does not use a stager is called a stageless artifact. This package also has a PowerShell option to export Beacon as a PowerShell script and a raw option to export Beacon as a blob of position independent code.

Navigate to Payloads -> Windows Stageless Payload.

figure 42 - Windows Stageless Executable

This package provides the following output options:

Listener - Press the ... button to select a Cobalt Strike listener you would like to output a payload for.

Guardrails - If your listener has been configured with gauardrails, the value is displayed as the default. Use the ... button to override the settings for the beacon.

figure 43 - Guardrail Settings

Output - Use the drop-down to select one of the following output types.

PowerShell: A PowerShell script that injects a stageless Beacon into memory.

Raw: A blob of position independent code that contains Beacon.

Windows EXE: A Windows executable.

Windows Service EXE: A Windows executable that responds to Service Control Manager commands. You may use this executable to create a Windows service with sc or as a custom executable with the Metasploit Framework's PsExec modules.

Windows DLL: A Windows DLL that exports a StartW function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line.

rundll32 foo.dll,StartW

Exit Function - This function determines the method/behavior that Beacon uses when the exit command is executed.

Process: Terminates the whole process.

Thread: Terminates only the current thread.

System Call - Select one of the following system call methods to use at execution time when generating a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

HTTP Library - -Select the Microsoft library (WinINet or WinHTTP) for the generated payload.

x64 - Check the box to generate an x64 artifact that contains an x64 payload. By default, this dialog exports x64 payloads.

sign - Check the box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

Press Generate to create a stageless artifact.

Cobalt Strike uses its Artifact Kit to generate this output.

Windows Executable (Stageless) Variants

This option generates all of the stageless payloads (in x86 and x64) for all of the configured listeners.

Navigate to Payloads -> Windows Stageless Generate All Payloads.

figure 44 - Windows Stageless Executable Variants

Folder - Press the folder button to select a location to save the listener(s).

System Call - Select one of the following system call methods to use at execution time when generating a stageless beacon payload from the Cobalt Strike UI or a supported aggressor function:

None: Use the standard Windows API function.

Direct: Use the Nt* version of the function.

Indirect: Jump to the appropriate instruction within the Nt* version of the function.

HTTP Library - -Select the Microsoft library (WinINet or WinHTTP) for the generated payload.

Sign - Check the box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate in a Malleable C2 profile.

Press Generate to create a stageless artifact.

 

Related Topics