h1

Cobalt Strike Tapas

September 16, 2016

I’ve slowed down on my blogging since this year’s BlackHat and DEF CON. I’m hard at work on the 3.5 release and haven’t had spare cycles to put into blogging. That said, Cobalt Strike’s users have more than picked up the slack. Here’s a collection of recent links that Cobalt Strike users may find interesting.

1. A day in the life of a pentester: How I owned your domain in 4 hours

SPARTAN-001 has a post on /r/HowToHack that describes his use of Responder, Cobalt Strike, mimikatz, and Bloodhound to go from zero to domain admin in a few short hours. These first hand accounts are always fun to read.

2. Receiving Text Messages for Your Beacons

Chris Truncer has a blog post on how to receive a text message when a new Beacon comes into a team server. A few of these scripts were written for Cobalt Strike 2.x, but I haven’t seen a public example for Cobalt Strike 3.0 and later yet. Thanks Chris!

3. LetsEncrypt HTTPS C&C Setup Script for Cobalt Strike

Alex Rymdeko-harvey has posted a script that builds a ready-to-use HTTPS certificate for Cobalt Strike with LetsEncrypt. I’d love to see a blog post on this 🙂 *nudge* *nudge*. I’ve had multiple folks ask about how to use LetsEncrypt with Cobalt Strike. This script is a good place to start.

4. Adding Easy GUIs to Aggressor Scripts

This script from Jeff (just Jeff) shows how to use Eclipse to build Java/SWING GUIs and port these to the Aggressor Script language. This is actually easier than you might think. Cobalt Strike’s Aggressor Script can call Java APIs directly. If you’d like to build some GUIs to go with your scripts, take a look at this post.

One comment

  1. In my C2 infrastructure I use Letsencrypt certs on socat redirectors in order to have HTTPS beaconing. This works flawlessly. Using that, I evaded some advanced detection controls in my last engagement…

    Keep the good work.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s