
Need OPSEC help with COBALT STRIKE

topbood (RAID-массив, User; joined 24.05.2022; messages: 63; reactions: 4; escrow deals: 2)
Please, anyone with good knowledge of OPSEC and modifying CS....

I've done the following:
- changed port
- new certificate
- created malleable c2 profile

What else do I have to change in my OPSEC before I start my campaign (besides domain redirecting)?
Will I need to modify the beacon or a good artifact kit, or can I get away with a good crypt? Let me know!

I followed this guide step by step: https://programmer.group/hiding-skills-of-cobaltstrike-server.html

Yes, I know this is general stuff I should know, I just need to learn.
 
I'm also having an issue with the artifact... When I start the teamserver with the default port + certificate it works, the beacon gets sent.

But when I modify the port + certificate + c2 profile my artifact.exe beacon doesn't send :/ But when I try the windows executable (s) beacon it works.

Anyone have an idea why? I appreciate any help!
 
Max value on any system for a port is 65535; use a port below 65535.
 
Please note that this user has been banned.
Well, there are too many articles around, but the quick way for you to make a hidden teamserver is to make a redirector through socat to your teamserver.

For this plan you need a minimum of 2 VPS, or 3 VPS, and it will be better if you make them separately: vps1 --> DC1; vps2 --> DC2, and so on.
1) Buy 2 or 3 VPS with minimum CPU, 256 RAM, and make them redirectors to your teamserver.
2) Block all traffic on your teamserver, and allow only the redirectors.

This way you will keep your teamserver safe from all shitty scanners and blue teamers; they can only catch you if they access your redirectors, and this could happen in 10% of cases, but most of the time if you get reported on your VPS the DC will suspend your account, and you can then ask them for access to get some files.. Once you access the suspended redirector, just wipe it and rent a new one from another DC, and include it in your listener, FSO.

keep safe;
./r1z
 
Change your malleable c2 and use a valid SSL certificate.
Make sure your teamserver file doesn't have a shitty CA name like this:
$ grep -i 'keytool -' teamserver
keytool -keystore ./cobaltstrike.store -storepass sUp3r@dm1n -keypass sUp3r@dm1n -genkey -keyalg RSA -alias cobaltstrike -dname "CN=H@ck3r.live.com, OU=H@ck3r Corporation, O=H@ck3r Corporation, L=Sm1thhat, S=NewAlien, C=UK"

Change it to something like CN=Outlook, etc.

Use a redirector if that's your thing; you can use tyk.io or others.
When you create listeners or web delivery on specific ports like 80 or 443, use iptables and allow only connections coming from the specific IP range of your target.
Example:
iptables -A INPUT -s 200.x.0.0/18 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -s 200.x.0.0/18 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP


Only allow your teamserver port to be accessible via localhost.
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 12980 -j DROP
iptables -I INPUT 1 -p tcp -s 127.0.0.1 --dport 12980 -j ACCEPT

For profiles you can try using SourcePoint, although it will make your connection really slow because of the 1001 configurations in the profile, but you can use it and tweak it.

PS: if you get a beacon and it dies after the 1st callback, just change your strategy ;)
 
For different networks I usually like using the DNS beacon with a long sleep.
 
Thanks both of you guys, I will try both of these and get back to you...

By the way, after these are finished, should I follow r1z's guide to modify? Or with the redirectors will I be "off the grid"?
 
I found this, it can be used as a redirector:
Paranoid_Workstation_IPTables_Firewall_Script-v1.2.txt

Or you can do ufw deny.
Example: sudo ufw deny from 198.81.128.0/18 to any
Anyway, if you want safety, pay attention to r1z; this will teach you everything you need to know.


Code:
#! /bin/sh

# By simonsays - BlueBox Underground v1.2 - Dec. 2005
#
# Version Changes:
# - Added more DOD & reserved networks per IANA ipv4 latest assignments
# - Added Cyveillance networks. They sell mined data to agencies.
# - Added verified Netcraft probe servers.
#
# This is a simple iptables firewall script that drops most US Government, some data mining bots that contract
# and sell data to the US Government, most Netcraft probes, logs the attempts, and drops any other unsolicited
# traffic to your machine. It is probably best suited for workstation use.
#
# The specific government IP's in the drop section of the ruleset are probably redundant since we DROP all
# traffic at the end of the script. Having the specific networks dropped first allows for rules to be inserted
# after if you want to accept traffic to specific protocols (http, ssh, ftp, et al).
#
# Compatibility: Should work on all *nix platforms that have iptables/netfilter support in their kernel.
# This script is best launched at boot. IPTables logs to /var/log/messages by default.

echo "Configuring Firewall:"
echo -n "Flushing Tables..."
     iptables --flush INPUT
     iptables --flush OUTPUT
     iptables --flush FORWARD
echo "Done."

echo -n "Starting Logs..."
# Log all connection attempts from banned networks
#gov
iptables -A INPUT -s 198.81.128.0/18 -j LOG --log-prefix "CIA: "
iptables -A INPUT -s 162.81.0.0/16 -j LOG --log-prefix "NCE: "
iptables -A INPUT -s 144.51.0.0/16 -j  LOG --log-prefix "NCSC/NSA: "
iptables -A INPUT -s 199.196.128.0/19 -j LOG --log-prefix "IRS: "
iptables -A INPUT -s 198.137.240.0/23 -j LOG --log-prefix "EOP: "
iptables -A INPUT -s 164.117.0.0/16 -j LOG --log-prefix "DOD: "
iptables -A INPUT -s 131.84.0.0/16 -j LOG --log-prefix "DTIC: "
iptables -A INPUT -m iprange --src-range 140.0.0.0-140.75.255.255 -j LOG --log-prefix "DOD NIC: "
iptables -A INPUT -m iprange --src-range 214.0.0.0-215.255.255.255 -j LOG --log-prefix "DOD NIC: "
#data mining bots. these ignore robots.txt
iptables -A INPUT -s 63.148.99.224/27 -j LOG --log-prefix "Cyveillance SpyBots: "
iptables -A INPUT -s 65.118.41.192/27 -j LOG --log-prefix "Cyveillance SpyBots: "
iptables -A INPUT -s 216.32.64.0/24 -j LOG --log-prefix "Cyveillance SpyBots: "
#netcraft probe servers
iptables -A INPUT -s 83.138.189.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 194.72.238.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 195.92.0.0/16 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 64.160.19.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 65.170.220.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 68.10.141.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 71.133.134.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 128.223.189.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 141.154.104.0/24 -j LOG --log-prefix "Netcraft Probe: "
iptables -A INPUT -s 142.103.93.0/24 -j LOG --log-prefix "Netcraft Probe: "


# End Logging
echo "Done."

echo "Loading Ruleset..."
# Drop ALL Traffic from the following networks.
# US GOVT
iptables -A INPUT -s 198.81.128.0/18 -j DROP #Central Intelligence Agency Networks
iptables -A INPUT -s 162.81.0.0/16 -j DROP #National Counterintelligence Executive
iptables -A INPUT -s 144.51.0.0/16 -j DROP #National Computer Security Center aka NAVY/NSA/.mil
iptables -A INPUT -s 199.196.128.0/19 -j DROP #Executive Office of Asset Forfeiture aka IRS/Treasury
iptables -A INPUT -s 198.137.240.0/23 -j DROP #Executive Office Of The President USA aka Whitehouse/EOP
iptables -A INPUT -s 164.117.0.0/16 -j DROP #Defense Information Systems Agency aka DOD
iptables -A INPUT -s 131.84.0.0/16 -j DROP #Defense Technical Information Cntr
iptables -A INPUT -s 140.185.0.0/16 -j DROP #Single Agency Manager aka Pentagon
iptables -A INPUT -m iprange --src-range 140.0.0.0-140.75.0.0 -j DROP #DOD Defense Informations Center
iptables -A INPUT -m iprange --src-range 214.0.0.0-215.255.255.255 -j DROP #DOD NIC
# netcraft probe servers
iptables -A INPUT -s 83.138.189.0/24 -j DROP #Netcraft Owned Class C #1
iptables -A INPUT -s 194.72.238.0/24 -j DROP #Netcraft Owned Class C #2
iptables -A INPUT -s 195.92.0.0/16 -j DROP #Netcraft Owned Class B
iptables -A INPUT -s 64.160.19.0/24 -j DROP #Probe Server Network
iptables -A INPUT -s 65.170.220.0/24 -j DROP #Probe Server Network
iptables -A INPUT -s 68.10.141.0/24 -j DROP #Probe Server Network
iptables -A INPUT -s 71.133.134.0/24 -j DROP #Probe Server Network
iptables -A INPUT -s 128.223.189.0/24 -j DROP #Probe Server Network
iptables -A INPUT -s 141.154.104.0/24 -j DROP #Probe Server Network
iptables -A INPUT -s 142.103.93.0/24 -j DROP #Probe Server Network
# private networks
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -m iprange --src-range 173.0.0.0-187.255.255.255 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 255.255.255.255/32 -j DROP
# End Network Specific Droppings

# Begin SYN Flood Protection
iptables -A INPUT -p tcp  -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# End SYN

# Allow Localhost Connections
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# End Localhost

# Allow External Traffic To Reply To You
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# End Reply

# Drop everything else not specified
iptables -A INPUT -d 0/0 -j DROP
# End Drop

echo "Done."
echo "Firewall Configuration Complete."