Cobalt Strike Notes

Difference Between Windows Executable (S) and Windows Executable

Windows Executable (S) produces the stage, i.e. a stageless payload.
Windows Executable produces a stager.

A stager is a small program whose only job is to download the stage and run it. The stage is the full Beacon payload: it carries the actual capabilities, receives tasks from the teamserver, executes them and returns the results.
The process in which a stager retrieves the stage (over HTTP, HTTPS, DNS or another channel) and runs it is called payload staging. Cobalt Strike also supports the approach of a traditional remote-access tool, where the whole payload is packaged up front and simply talks to the teamserver once it runs; this is a stageless payload. Stageless payloads are generated under Attacks -> Packages -> Windows Executable (S).

Prefer stageless payloads where delivery size allows. A staging listener hands the full Beacon to anyone who requests the stager URL, which is how Beacon configurations are routinely harvested from exposed teamservers; the Malleable C2 option host_stage can switch stage hosting off altogether once you no longer need it.

Removing the Default Cobalt Strike Certificate

The teamserver's Java keystore, cobaltstrike.store, is created with a self-signed certificate under the alias cobaltstrike and the password 123456. Its serial number and subject are well known and are fingerprinted by public scanners, so it has to go. Add a new key pair first, then delete the default entry; keep the store password at 123456 unless you also change the password the teamserver launch script hands to Java. A self-signed certificate with an invented Microsoft subject is still an oddity a defender can pivot on, so for an HTTPS listener that must look plausible, use a real certificate for a domain you control (see the Cloudflare section below).

View the keystore:

keytool -list -v -keystore cobaltstrike.store -storepass 123456

Add a certificate:

keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias microsoft -dname "CN=microsoft, OU=Microsoft, O=SoftwareSecurity, L=Washington, S=DC, C=US"

Delete the default certificate (the keystore and its password must be given here as well; without them keytool acts on the user's default keystore, not on cobaltstrike.store):

keytool -delete -alias cobaltstrike -keystore ./cobaltstrike.store -storepass 123456

DNS Beacon

On most systemd-based distributions the systemd-resolved stub listener already holds port 53 (on 127.0.0.53), so the Cobalt Strike DNS listener cannot bind until that port is released: set DNSStubListener=no in /etc/systemd/resolved.conf, restart systemd-resolved, and point /etc/resolv.conf at /run/systemd/resolve/resolv.conf so the host itself can still resolve names. Check with ss -ltunp that nothing else is listening on port 53 before starting the listener.

Finally, use nslookup against ns1.xxxxx (querying the teamserver directly, then through a public resolver) to verify the delegation: a working DNS listener answers A queries under that name with 0.0.0.0, the default dns_idle address, rather than NXDOMAIN or a timeout.

When setting up the listener, the DNS Host (Stager) field does not have to be an IP address; any one of the entries listed under DNS Hosts will do.
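Added example, not from the original notes: an idempotent way to release port 53 from systemd-resolved and then verify the listener. The file edit is isolated in its own function so it can be tried on a copy of the configuration first; the resolved.conf snippets in the demo are constructed, not taken from a real host. The restart and symlink steps need root and assume a systemd distribution with GNU sed; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): free UDP/TCP 53 from systemd-resolved
# so the Cobalt Strike DNS listener can bind it, then check the result.

# Set DNSStubListener=no in a resolved.conf-style file, whether the key is present,
# commented out, or missing entirely. Safe to run repeatedly. Assumes GNU sed (-i).
disable_stub_listener() {
    conf=${1:-/etc/systemd/resolved.conf}
    if grep -Eq '^[[:space:]]*#?[[:space:]]*DNSStubListener=' "$conf"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*DNSStubListener=.*/DNSStubListener=no/' "$conf"
    elif grep -q '^\[Resolve\]' "$conf"; then
        sed -i '/^\[Resolve\]/a DNSStubListener=no' "$conf"
    else
        printf '\n[Resolve]\nDNSStubListener=no\n' >> "$conf"
    fi
}

# Apply on the real system: edit, restart, and re-point /etc/resolv.conf at the
# non-stub file so the host keeps resolving names after 127.0.0.53 disappears.
free_port53() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    disable_stub_listener /etc/systemd/resolved.conf
    systemctl restart systemd-resolved
    ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
    # Anything still bound to :53 here would block the listener; expect no matches.
    ss -ltunp | grep ':53 ' || echo "port 53 is free"
}

# Verify the DNS listener: Cobalt Strike answers A queries under the Beacon domain
# with dns_idle (0.0.0.0 by default). Usage: check_dns_beacon ns1.example.com <teamserver-ip>
check_dns_beacon() {
    nslookup "$1" "$2" 2>/dev/null | grep -q 'Address: 0.0.0.0'
}

# Demo on a constructed, Ubuntu-style default config (no root needed).
demo_stub_edit() {
    f=$(mktemp)
    printf '[Resolve]\n#DNS=\n#DNSStubListener=yes\n' > "$f"   # constructed sample
    disable_stub_listener "$f"
    disable_stub_listener "$f"                                  # second run must not duplicate the key
    grep -c '^DNSStubListener=no' "$f"                          # 1
    rm -f "$f"
}

demo_stub_edit
```

Run free_port53 as root on the teamserver, start the DNS listener, then run check_dns_beacon first against the teamserver's own IP and then against a public resolver such as 1.1.1.1; if the first succeeds and the second fails, the listener is fine and the NS delegation at the registrar or DNS provider is what needs fixing.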

Using Cloudflare to Hide the C2

Register a domain (the notes used Freenom) and move its DNS to Cloudflare, with proxying enabled for the C2 hostname so Beacons connect to Cloudflare's edge and only Cloudflare connects to the teamserver.

Cloudflare -> SSL/TLS -> Origin Server -> Create Certificate

Choose PEM format, save the origin certificate as server.pem and the private key as server.key. A Cloudflare Origin CA certificate is trusted only by Cloudflare's edge, which is exactly what is needed here: Cloudflare terminates the Beacon's TLS session with its own certificate and opens a second TLS session to the teamserver, validating this one (set the zone's SSL/TLS mode to Full (strict) so that validation actually happens). Convert it into a Java keystore the teamserver can load:

openssl pkcs12 -export -in server.pem -inkey server.key -out cfcert.p12 -name cloudflare_cert -passout pass:123456

keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore cfcert.store -srckeystore cfcert.p12 -srcstoretype PKCS12 -srcstorepass 123456 -alias cloudflare_cert

Then point the Malleable C2 profile at it (the store name and password must match what was used above):

https-certificate {
    set keystore "cfcert.store";
    set password "123456";
}

Also enable trust in the X-Forwarded-For header; otherwise every Beacon's external address is logged as a Cloudflare data-center IP, because that is where the TCP connection comes from:

http-config {
    set trust_x_forwarded_for "true";
}

Trusting that header is only safe when nothing but Cloudflare can reach the listener, since a direct connection can carry any X-Forwarded-For value the sender chooses. So finish by taking Cloudflare's published ranges from https://www.cloudflare.com/ips/ and restricting the listener port in the cloud server's security group to those ranges only; this also keeps scanners from reaching the origin directly. Refresh the allowlist when Cloudflare changes the list.
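Added example, not from the original notes, tying the last two steps together: trusting X-Forwarded-For is only sound when the TCP peer really is a Cloudflare edge, so the same IP list that feeds the security group should decide whether the header is believed. The script embeds a snapshot of Cloudflare's IPv4 ranges as published at the URL above; treat it as constructed sample data and re-fetch it before use. The iptables lines are one way to express the security-group rule on the host itself, the peer and header values in the demo are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes). Gate X-Forwarded-For trust and build a
# Cloudflare-only allowlist from one set of ranges. IPv4 only; POSIX sh.

# Snapshot of https://www.cloudflare.com/ips/ (IPv4), embedded as constructed sample
# data; re-fetch before deploying, since Cloudflare changes the list occasionally.
CF_IPV4_RANGES='173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22'

# Dotted quad -> 32-bit integer (the subshell keeps IFS and positional changes local).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# True if $1 (address) lies inside $2 (a.b.c.d/bits).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# True if the address belongs to a Cloudflare edge range.
from_cloudflare() {
    for r in $CF_IPV4_RANGES; do
        in_cidr "$1" "$r" && return 0
    done
    return 1
}

# What to record as the Beacon's external address: the first X-Forwarded-For entry when
# the peer is Cloudflare, otherwise the peer itself (a direct hit can forge the header,
# so it is ignored). Usage: beacon_source_ip <peer-ip> "<X-Forwarded-For value>"
beacon_source_ip() {
    if from_cloudflare "$1"; then
        printf '%s\n' "$2" | cut -d, -f1 | tr -d ' '
    else
        echo "$1"
    fi
}

# Host-side equivalent of the cloud security group: accept the listener port only from
# Cloudflare and drop everything else. Prints the rules rather than applying them.
cf_allow_rules() {
    port=${1:-443}
    for r in $CF_IPV4_RANGES; do
        echo "iptables -A INPUT -p tcp --dport $port -s $r -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo with constructed peer and header values.
demo_xff() {
    echo "via Cloudflare: $(beacon_source_ip 172.64.0.1 '203.0.113.5, 172.64.0.1')"   # 203.0.113.5
    echo "direct, forged: $(beacon_source_ip 198.51.100.7 '203.0.113.5')"             # 198.51.100.7
}

demo_xff
```

The second demo line is the case trust_x_forwarded_for alone does not protect against: a scanner or a defender connecting straight to the origin with a fabricated header. With the cf_allow_rules output (or the equivalent security-group entries) applied, that connection never reaches the listener, and the header can be trusted for the ones that do.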


Source: https://tokisaki.top/blog/cobalt-strike-notes/
Author: Tokisaki Galaxy
Published: 27 March 2021