
Distributed Red Team Operations with Cobalt Strike

What if you could easily host malicious websites, send phishing emails, and manage compromised hosts across diverse internet addresses?
This week's Cobalt Strike release adds the ability to manage multiple attack servers at once.

Here's how it works:
When you connect to two or more servers, Cobalt Strike will show a switch bar with buttons for each server at the bottom of your window. Click a button to make that server active. It's a lot like using tabs to switch between pages in a web browser.


To make use of multiple servers, designate a role for each one. Assign a name to each server's button so you can easily remember its role.

Dumbly connecting to multiple servers isn't very exciting. The fun comes when you seamlessly use Cobalt Strike features between servers. For example:

Designate one server for phishing and another for reconnaissance. Go to the reconnaissance server and set up the system profiler website. Use the phishing tool to deliver the reconnaissance website through the phishing server. This is easy to do because Cobalt Strike's phishing dialog lets you embed sites set up on any server you're connected to.

Web drive-by exploits are especially interesting. Clone a website and embed an exploit on one server. Set the embedded exploit to reference a Beacon listener on another server. When a vulnerable user visits this site, their system will start beaconing to the Beacon server. This is trivial to do because Cobalt Strike will let you set up an attack that references a listener on any server you're connected to.

Distributed operations are a data headache for red teams. Each penetration testing server is a silo with a limited picture of the engagement. Cobalt Strike makes great strides toward solving this problem. When you ask for a report, Cobalt Strike queries each server you're connected to, combines the data, and generates one report. A phishing attack sent from one server that sends users to a malicious website on another server will show up in one report with all of the information properly cross-referenced.

Are you curious what all of this looks like? Watch the video:

Cobalt Strike is available here. A 21-day trial is available. Press the Download link and provide your email address. The latest Armitage can connect to multiple servers too. This feature is more interesting in the context of Cobalt Strike because more features are usable across server instances.
