How to Write Malleable C2 Profiles for Cobalt Strike

It’s not fun to get caught on an assessment because your target has your toolset signatured. It’s even less fun if that signature is easily bypassed. Cobalt Strike’s Malleable C2 is a method of avoiding that problem when it comes to command and control (C2) traffic. Malleable C2 provides operators with a method to mold Cobalt Strike command and control traffic to their will. For instance, if you determine your target organization allows employees to use Pandora, you could create a profile to make Cobalt Strike’s C2 traffic look like Pandora on the wire. Alternatively, if a client wants to test detection capabilities, you could make your traffic look like a well-known malware toolkit like Zeus. Raphael Mudge (@armitagehacker) previously covered Malleable... [Read More]

Apache mod_rewrite Grab Bag

Apache mod_rewrite provides conditional redirection and obfuscation to a red teamer’s infrastructure. I’ve previously written about mod_rewrite in a few posts. In this post, I will cover a few quick tricks you can use in conjunction with techniques from my earlier posts while phishing or red teaming. Be sure you read the first-time setup instructions for mod_rewrite to configure your server to work properly. Payload Hot-Swapping We’ve all been in a situation where, just after sending out a large phishing batch, we realize that some aspect of the payload doesn’t work in the target environment. Previously, the batch would be burned. With mod_rewrite, we can create a ruleset to redirect requests for the original payload and redirect it to a new payload.... [Read More]

Beaconpire - Cobalt Strike and Empire Interoperability with Aggressor Script

Tester flexibility and the ability to adapt to each environment’s unique controls and technologies is critical on assessments. Achieving an assessment’s objective often requires the use of multiple toolsets. Justin Warner (@sixdub) wrote about the importance of tool diversity in his post Empire & Tool Diversity: Integration is Key. Two toolsets I frequently use are Cobalt Strike and Empire. Sometimes, an assessment requires migrating from one toolset to another for a specific task or, worse, if incident responders block your primary toolset. Currently, the most efficient way to pass sessions from one toolset to another is to use an existing session to run a payload for the target toolset. For example, passing a Beacon to Empire requires the tester to start an Empire... [Read More]

Black Magic Parsing with Regular Expressions - Parsing for Pentesters

In a previous post, @Sw4mp_f0x and I discussed the importance of data parsing skills for penetration testers and detailed the basics of how to get started with it. In that post we covered multiple ways to match text and search for specific strings. The examples we used were pretty straightforward, which is not always true to life. In this post we will cover more advanced pattern matching with regular expressions, giving you even greater control and flexibility over your parsing tools. Regular Expressions A regular expression, often referred to as regex, uses metacharacters, wildcards, and literal characters to define patterns that can be used with a wide range of Unix and Windows tools. Sounds simple, right? Regular expressions can prove to be... [Read More]

Adding Easy GUIs to Aggressor Scripts

As pentesters and red teamers, we have lots of commands floating around in our head. As much as the 1337 profess to hate GUIs, they sure do make testing a lot easier. Cobalt Strike provides testers a lot of power with an easy-to-use interface. Aggressor Script offers a wealth of extensibility options to expand Cobalt Strike’s built-in functions, but building out a custom GUI is a bit more difficult. Intro Cobalt Strike’s Aggressor Script is built upon Raphael Mudge’s Sleep language. As Raphael says, “Sleep is a Java-based scripting language heavily inspired by Perl,” and it includes the ability to create and access Java objects while still being an interpreted script. This means we can use a Java IDE with... [Read More]