Infrastructure Consolidation
Cobalt Strike’s model for distributed operations is to stand up a separate team server for each phase of your engagement. For example, it makes sense to separate your post-exploitation and persistence infrastructure. If a post-exploitation action is discovered, you don’t want the remediation of that infrastructure to clear out the callbacks that will let you back into the network.
Some engagement phases require multiple redirector and communication channel options. Cobalt Strike 4.0 supports this.
Figure 26. Infrastructure Consolidation Features
You can bind multiple HTTP, HTTPS, and DNS listeners to a single Cobalt Strike team server. These payloads also support port bending in their configuration. This allows you to use the common port for your channel (80, 443, or 53) in your redirector and C2 setups, but bind these listeners to different ports to avoid port conflicts on your team server system.
To give variety to your network indicators, Cobalt Strike’s Malleable C2 profiles may contain multiple variants. A variant adds a variation of the current profile to the same profile file. You may specify a Profile variant when you define each HTTP or HTTPS Beacon listener.
Further, you can define multiple TCP and SMB Beacons on one team server, each with different pipe and port configurations. Any egress Beacon, from the same team server, can control any of these TCP or SMB Beacon payloads once they’re deployed in the target environment.