h1

Cobalt Strike 03.13.14 – NECCDC Edition

March 13, 2014

I’m writing this from a New Hampshire Bed and Breakfast where I’ve apparently received the Jacuzzi suite. I’m here for a romantic weekend running psexec and managing Beacons inside of student networks for the North East Collegiate Cyber Defense Competition event. This is my seventh year with this event.

I made a lot of development progress early into my recent development cycle and I like to show up with my latest stuff, so everyone gets a Cobalt Strike update today. This release polishes the Cobalt Strike user experience and it adds a few features CCDC red teams will find very useful.

Export Staged Beacon Artifacts

You may now export an executable, service executable, 32-bit DLL, or 64-bit DLL with a fully staged Beacon. These fully staged artifacts are generated by Cobalt Strike’s Artifact Kit for anti-virus evasion.

This feature is a big win for stealthy lateral movement. Now you can copy SMB Beacon [the whole thing!] to a target host, schedule it to run, and link to it from another Beacon. This allows you to gain control of a system and control it over the SMB protocol only. You can do these things without ever lowering Beacon’s sleep time to something that could get caught.

A complete artifact is also an ideal candidate for persistence. Beacon is designed to call home to multiple sites. If one address doesn’t work, Beacon will try another one. If there’s an error, Beacon gracefully recovers from it and tries again. These are traits you want in a persistent agent.

Beacons don’t always have to call out though. Export an SMB Beacon and persist it on a host. So long as port 445 is open, you can link to that Beacon over an SMB named pipe. SMB Beacon is the perfect bind backdoor for Windows.

Timestomp

Beacon now includes its own timestomp command. This command will match the Modified, Accessed, and Created times for one file to another.

Cleaning House

This release also benefits from a thorough scrub of Cobalt Strike’s codebase. This cleansing changes how Cobalt Strike waits for results when it calls into the team server or requests information from the user. Now, in most cases, these actions will not block any other actions from taking place. The result is a snappier and more robust Cobalt Strike client. You will also notice that Cobalt Strike is better with large file transfers to and from the team server and that it also responds to disconnections better.

If you’re a Cobalt Strike license holder, use the built-in update program to get the latest.  A 21 day trial of Cobalt Strike is also available.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s