User-driven Attack Packages

The best attacks are not exploits. Rather, the best attacks take advantage of normal features to get code execution. Cobalt Strike makes it easy to setup several user-driven attacks. These attacks take advantage of listeners you’ve already setup. Navigate to Attacks -> Packages and choose one of the following options.

HTML Application

An HTML Application is a Windows program written In HTML and an Internet Explorer supported scripting language. This package generates an HTML Application that runs a Cobalt Strike listener.

Navigate to Attacks -> Packages -> HTML Application.

Press Generate to create the HTML Application.

MS Office Macro

The Microsoft Office Macro tool generates a macro to embed into a Microsoft Word or Microsoft Excel document.

Navigate to Attacks -> Packages -> MS Office Macro.

Choose a listener and pess Generate to create the step-by-step instructions to embed your macro into a Microsoft Word or Excel document.

This attack works well when you can convince a user to run macros when they open your document.

Payload Generator

Cobalt Strike's Payload Generator outputs sourcecode and artifacts to stage a Cobalt Strike listener onto a host. Think of this as the Cobalt Strike version of msfvenom.

Navigate to Attacks -> Packages -> Payload Generator.

Press Generate to create a Payload for the selected output type.

Windows Executable

This package generates a Windows executable artifact that delivers a payload stager.

Navigate to Attacks -> Packages -> Windows Executable.

This package provides the following output options:

Press Generate to create a payload stager artifact.

Cobalt Strike uses its Artifact Kit to generate this output.

Windows Executable(S)

This package exports Beacon, without a stager, as an executable, service executable, 32-bit DLL, or 64-bit DLL. A payload artifact that does not use a stager is called a stageless artifact. This package also has a PowerShell option to export Beacon as a PowerShell script and a raw option to export Beacon as a blob of position independent code.

Navigate to Attacks -> Packages -> Windows Executable (S).

This package provides the following output options:

Press Generate to create a stageless artifact.

Cobalt Strike uses its Artifact Kit to generate this output.

 

Related Topics