The release of Cobalt Strike 3.0 also saw the release of Advanced Threat Tactics, a nine-part course on red team operations and adversary simulations. This course is nearly six hours of material with an emphasis on process, concepts, and tradecraft.

If you’d like to jump into the course, it’s on YouTube:

Here are a few notes to explore each topic in the course with more depth.

0. Introduction

This is a course on red team operations and adversary simulations.

To learn more about Adversary Simulations and Red Team Operations:

Advanced Threat Actors:

Kiran Blanda maintains a GitHub repository with copies of public threat intelligence reports. Some companies put out material that shows their analysts know how to use IDA and take screenshots. Others provide some depth and speculate on the actor’s tradecraft. I really like the reports from Kaspersky and CrowdStrike.

Watch Michael Daly’s 2009 USENIX talk, The Advanced Persistent Threat. This talk pre-dates the marketing bonanza over APT actors and their work. This is a common sense discussion of the topic without an agenda. Even though it’s from 2009, the material is spot on.

Tools used in this course:

1. Operations

Advanced Threat Tactics starts with a high-level overview of Cobalt Strike’s model for distributed operations and red team collaboration.

To learn more about Cobalt Strike’s model for collaboration and operations:

2. Infrastructure

Infrastructure is the collection of domains, servers, and software that support your operation. One of Cobalt Strike’s strengths is its variety of communication channels and the flexibility you have to configure them. This lecture goes through the HTTP/HTTPS, DNS, and named pipe channels and shows you how to use special features with each. I also take you through how to stand up redirectors and test your infrastructure before an engagement.

To learn more about payload staging:

Read OJ Reeves’ Deep Dive into Stageless Meterpreter Payloads on the Metasploit blog. This post provides depth on the staging process for Meterpreter and explains stageless Meterpreter payloads.

I also wrote Staged Payloads – What Penetration Testers Should Know. These are my thoughts on the subject if any of the above is unclear. 🙂 Understanding staging is essential to understanding the behavior and design decisions in tools like Cobalt Strike.

Cobalt Strike’s payload staging does not have any security features built into it. I discuss this in Talk to your children about payload staging. This blog post also details how to change your operations to limit payload staging over hostile networks.

Beacon Communication:

3. Targeted Attacks

This lecture goes through a process to execute a targeted spear phishing attack to get a foothold in a modern enterprise.

To learn more about this material:

User-Driven Attacks:

4. Post Exploitation

This lecture shows how to use Beacon for post-exploitation. If you have to operate with Beacon, this is good core material to know.

To learn more about this material:

Post-Exploitation:

Buy the Red Team Field Manual. This is a must-own for anyone working in this space. The tips and tricks here are quite applicable for all Beacon operators.

Watch Flying a Cylon Raider. This talk is a platform agnostic look at how to conduct post-exploitation and lateral movement without the Metasploit Framework. Understanding the concepts in this talk will help you get the most from the material in this course.

Interoperability with different offensive platforms is important. Read Session Passing from Cobalt Strike to learn how to pass sessions to the Metasploit Framework, PowerShell Empire, and other tools from Cobalt Strike.

5. Privilege Escalation

Think of this lecture as post exploitation, part 2. We dive into how to elevate privileges and use these privileges to harvest credentials and password hashes.

To learn more about User Account Control and the Bypass UAC attack:

Privilege Escalation:

Read Windows Privilege Escalation Fundamentals. This tutorial has a number of command-line recipes to find files with credentials and other things you should look for when trying to elevate your rights.

Read What you know ’bout GPP? This blog post offers a look at the Group Policy Preferences privilege escalation vector. This is one of those issues that, while patched, remains an issue because the patch does not clean up the problems created by this feature when it was last used. I didn’t have time to cover this problem in the course [six hours is enough!], but this is a staple thing you should always check for.

Download the Elevate Kit to add new exploits to Beacon’s elevate command. The Elevate Kit is a good example of how to bring exploits from PowerShell Empire, the Metasploit Framework, and other sources into Cobalt Strike.

PowerUp:

Mimikatz:

6. Lateral Movement

This lecture covers the use and abuse of native Windows capability and behavior to trade up privileges and move around a network.

To learn more about enumeration and reconnaissance in a Windows Active Directory network:

Analysis of Trust Relationships

Read A Guide to Attacking Domain Trusts by Will Schroeder. This is the ultimate red teamer’s reference to this topic. You’ll really want to go through all of Will’s blog to understand this topic fully. He posts a lot about domain trusts and user hunting. Too much for me to keep up with here.

Read Derivative Local Admin by Justin Warner. This post discusses how you may understand and chain trust relationships (e.g., Bob is an admin on X, Joe is logged onto X, Joe is a domain admin) to elevate privileges in a network or attack a desired target.

Spend time with BloodHound, a JavaScript application that ingests data from a PowerShell script and identifies Active Directory trust paths to reach a target of interest. This application automates a lot of the analysis that is necessary to identify lateral movement opportunities. My First Go with BloodHound shows how to set up and use this tool at a basic level.

Remote Management without Malware:

Pass-the-Hash:

Read How to Pass-the-Hash with Mimikatz. This blog post documents how to use mimikatz to pass-the-hash from Beacon.

Read Pass-the-Hash is Dead: Long Live Pass-the-Hash by Will Schroeder. This blog post covers the May 2014 patch to Windows that puts restrictions around pass-the-hash.

Also, consult Pass-the-Hash is Dead: Long Live LocalAccountTokenFilterPolicy. This post is Will Schroeder’s March 2017 follow-up to his first post on this topic. It documents how the restrictions around pass-the-hash really work and explains the situations where these restrictions are not present.

Read Windows Access Tokens and Alternate Credentials. This post sheds light on how the pth and make_token commands in Beacon work.

Kerberos:

Remote Code Execution:

7. Pivoting

SOCKS, SOCKS, SOCKS! This lecture is about how to pivot with Beacon. You could also think about it as using and abusing SOCKS forwards, backwards, and any other way you want it.

More on this topic:

Read the SOCKS protocol specification. SOCKS is a simple (1 page) protocol that allows a SOCKS-aware application to connect to a SOCKS server and ask that server to initiate a connection on the client’s behalf.
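To make the one-page protocol concrete, here is an added example (not code from the course or from Cobalt Strike) that parses the SOCKS4 and SOCKS4a CONNECT request a client sends and builds the server’s reply; the sample request bytes are constructed for the example.

```python
import ipaddress
import struct

# Constructed SOCKS4 CONNECT request: VN=4, CD=1, port 443, IP 10.0.0.5, userid "user", NUL.
SAMPLE_SOCKS4 = b"\x04\x01\x01\xbb\x0a\x00\x00\x05user\x00"
# Constructed SOCKS4a request: IP 0.0.0.1 signals that a hostname follows the userid.
SAMPLE_SOCKS4A = b"\x04\x01\x00\x50\x00\x00\x00\x01user\x00example.invalid\x00"


def parse_socks4_request(data: bytes) -> dict:
    """Decode a SOCKS4/4a request header into its fields.

    Layout: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID(var) NUL [HOSTNAME NUL for 4a].
    Raises ValueError on anything that is not a well-formed SOCKS4 request.
    """
    if len(data) < 9:
        raise ValueError("too short for a SOCKS4 request")
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4:
        raise ValueError(f"not a SOCKS4 request (VN={vn})")
    if cd not in (1, 2):
        raise ValueError(f"unknown command code {cd}")
    end = data.index(b"\x00", 8)            # userid is NUL-terminated
    userid = data[8:end].decode("ascii", errors="replace")
    ip = ipaddress.IPv4Address(raw_ip)
    hostname = None
    # SOCKS4a: DSTIP of the form 0.0.0.x (x != 0) means a hostname follows the userid.
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        host_end = data.index(b"\x00", end + 1)
        hostname = data[end + 1:host_end].decode("ascii", errors="replace")
    return {
        "command": "CONNECT" if cd == 1 else "BIND",
        "port": port,
        "ip": str(ip),
        "hostname": hostname,
        "userid": userid,
    }


def socks4_reply(granted: bool) -> bytes:
    """Build the 8-byte server reply: VN=0, CD=90 (granted) or 91 (rejected)."""
    return struct.pack("!BBH4s", 0, 90 if granted else 91, 0, b"\x00\x00\x00\x00")


if __name__ == "__main__":
    for sample in (SAMPLE_SOCKS4, SAMPLE_SOCKS4A):
        print(parse_socks4_request(sample))
```

Every connection a SOCKS pivot carries begins with this header, so it is also what a proxy log or a packet capture of the pivot traffic will show.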

Read Pivoting through SSH. This blog post describes the Proxies option in the Metasploit Framework.

Read Hacking through a Straw: Pivoting over DNS. This post talks about the SOCKS pivoting capability in Beacon.

Take a look at Cobalt Strike’s VPN Pivoting feature. I don’t talk about it much, because I don’t use it often. If you’d like to learn about layer-2 pivoting, I wrote a blog post on how this technology works with source code. It’s simpler than you might think.

Cobalt Strike 3.5 added SSH sessions. If you want to control UNIX targets, it’s worth your time to read up on these. You can pivot through SSH sessions the same way you pivot through Beacon sessions.

8. Malleable C2

Malleable C2 is Cobalt Strike’s domain specific language to change indicators in the Beacon payload. This ability to make Beacon look like other malware is arguably what makes it a threat emulation tool.

More on this topic:

9. Evasion

The Advanced Threat Tactics course concludes with a deep dive into evasion. This video is my to-the-minute notes on this topic.

To learn more about phishing and e-mail delivery:

Anti-virus evasion:

Read Facts and myths about antivirus evasion with Metasploit by Michael Schierl.

Read the Artifact Kit documentation. This is Cobalt Strike’s source code framework to build executables and DLLs to get past some anti-virus products.

Application Whitelisting:

Egress Restrictions:

Read An Unnecessary Addiction to DNS Communication. I often hear from folks who insist that DNS is the only way out of their network and the only way to reach servers that are otherwise isolated from the network. This post goes into depth on the evasion options with Cobalt Strike’s DNS communication scheme and it digs into the capability available in Cobalt Strike’s other Beacon variants.

Read HTTP Proxy Authentication for Malware to understand how Beacon’s HTTP/S stagers react to proxy authentication failures.

Read about Domain Fronting, a collection of techniques to use high-reputation domains as callbacks for your HTTPS (and sometimes, HTTP) Beacons. This is an interesting tactic to obfuscate your controller, defeat site categorization, and blend in with legitimate traffic.

Active Defenders:

Watch Operating in the Shadows given by Carlos Perez at DerbyCon 2015. In this talk, Carlos goes over the different advancements in blue’s ability to instrument Windows and the impact it will have on red teams and penetration testers who need to challenge them. This is a sign of things to come.

Take a look at Microsoft’s Advanced Threat Analytics technology. This defense tracks which systems/users pull which active directory objects, when, and how often. It’s designed to catch that awesome stuff discussed in part 6 of this course.

Also, check out UpRoot, an agentless host-based IDS written in PowerShell that leverages WMI subscriptions. UpRoot reports process creations, new network connections, and other host activity. Tools like UpRoot show the scrutiny red operators will need to learn to cope with when working with a mature hunt team.

Watch Infocyte’s video on Enterprise Hunt Operations. While this is a product advertisement, listen closely for the information it collects. As a red operator, you need to understand what your actions look like to analysts who use these hunt platforms. Your job is to figure out how to craft your activity to grow and challenge these analysts.

PowerShell and Anti-virus:

In-memory Evasion:

Become familiar with the Malleable PE options introduced in Cobalt Strike 3.7. These options let you influence how Beacon lives in memory and change some indicators.

Go through In-memory Evasion, a four-part (+ bonus addendum) course on the cat and mouse game related to memory detections. This course introduces common heuristics to detect memory-injected DLLs, where and why these heuristics work, and options to defeat these heuristics.

Modern Defenses: