Cobalt Strike Tapas II

This blog post is a collection of articles and links Cobalt Strike users may find interesting. Let’s jump into it:

1. Redirecting Cobalt Strike DNS Beacons

Redirectors are a popular offensive technique to obscure a C2 server’s actual source. They’re also nice because you can create and remove redirectors much easier than tearing down and standing up new C2 servers. I’ve written about HTTP redirectors in the past, but I’ve never had a good solution for DNS Beacons. rvrsh3ll to the rescue! Redirecting Cobalt Strike DNS Beacons shows how to stand up DNS redirectors for Cobalt Strike’s DNS Beacon.

2. Load Cobalt Strike’s Beacon via Windows NetShell

Using NetShell to Execute Evil DLLs and Persist on a Host describes how to load a “Helper DLL” into NetShell for persistence and code execution. Marc Smeets from Outflank B.V. adapted the post’s concepts into a POC to kick off Cobalt Strike’s Beacon with this technique.

3. MSSQL Agent Jobs for Command Execution

Optiv has a blog post that describes how to (ab)use MSSQL Agent Jobs to execute a payload. The payload in this post? Cobalt Strike’s Beacon. Here’s a demo of the attack:

 

4. portfwd command?

Cobalt Strike has reverse port forwards. Cobalt Strike also has SOCKS pivoting. Why not port forwards? Who knows! Fortunately, it’s easy enough to script a portfwd [target] [port] command with Aggressor Script. This command opens up [port] on the team server and forwards it through through the Beacon’s C2 path to the specified [host]:[port]. Unfortunately, the primitives exposed by CS’s team server don’t account for port bending. Maybe a future improvement?