h1

Cobalt Strike 01.08.14 – EXE Artifacts: A New Hope

January 8, 2014

Cobalt Strike has always exposed the Metasploit Framework’s tool to generate executables. Unfortunately, these executables are caught by anti-virus products. I’ve had a lot of feedback about this and I know it’s annoying.

The latest release of Cobalt Strike now generates artifacts from its own Artifact Kit.

The Artifact Kit is a proprietary source code framework to build binaries that smuggle payloads past anti-virus.

Customers have access to the Artifact Kit and its source code through the Cobalt Strike Arsenal. If the default technique gets caught–go to the arsenal, grab the Artifact Kit, and modify one of the existing techniques. Much like the Applet Kit from last year, I also provide a simple Cortana script to force Cobalt Strike to use your modifications over the built-in stuff.

The Artifact Kit generates x86 executables, x86 service executables, x86 DLLs, and x64 DLLs. This collection of output gives you a lot of flexibility for privilege escalation and backdoors.

Cobalt Strike’s psexec dialogs and Firefox add-on attack dialog now use the Artifact Kit to generate executables too.

Cryptolocker-style Social Engineering Attack

And, while we’re on the topic of executables, I’ve added a new social engineering package to Cobalt Strike—the Windows Dropper Trojan.

A common social engineering attack is to send a zip file that contains an executable designed to look like a document. When run, this executable opens a document, and silently executes the attacker’s malware. This is one of the ways Cryptolocker spread.

I’d call this low on the sophistication spectrum—but hey, it works!

Cobalt Strike’s Windows Dropper attack lets you generate an executable that stages a payload and opens a document to fool the user into thinking everything is OK. This attack also ties into Cobalt Strike’s Artifact Kit to generate the executable.

Fresh Paint for the MS Office Macro Attack

A long time favorite red team tactic is to embed a macro into a Word or Excel document. This release of Cobalt Strike updates the MS Office Macro Attack to automatically spawn your listener into an external 32-bit process. This way, if your target closes Office or if they’re using the 64-bit version of Office—your attack will still work.  This is an example of how Cobalt Strike goes beyond proof-of-concepts to launch attacks that succeed against real targets.

These items are the highlights that fit together in a theme. This release of Cobalt Strike is also redirector friendly (expect a blog post on this later). Check out the release notes for a full list of changes. If you’d like to give Cobalt Strike a try—grab the 21-day trial.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s