Jump to content
Sign in to follow this  
Nytro

Using CloudFront to Relay Cobalt Strike Traffic

Recommended Posts

Using CloudFront to Relay Cobalt Strike Traffic

Brian Fehrman //

00398_08152019_UsingCloudFrontRelayCobal

Many of you have likely heard of Domain Fronting. Domain Fronting is a technique that can allow your C2 traffic to blend in with a target’s traffic by making it appear that it is calling out to the domain owned by your target. This is a great technique for red teamers to hide their traffic. Amazon CloudFront was a popular service for making Domain Fronting happen. Recently, however, changes have been made to CloudFront that no longer allow for Domain Fronting through CloudFront to work with Cobalt Strike. Is all lost with CloudFront and Cobalt Strike? In my opinion, no! CloudFront can still be extremely useful for multiple reasons:

  • No need for a categorized domain for C2 traffic
  • Traffic blends in, to a degree, with CDN traffic
  • CloudFront is whitelisted by some companies
  • Mitigates the chances of burning your whole C2 infrastructure since your source IP is hidden
  • Traffic will still go over HTTPS

In this post, I will walk you through the steps that I typically use for getting CloudFront up and going with Cobalt Strike. The general steps are as follows:

  1. Setup a Cobalt Strike (CS) server
  2. Register a domain and point it your CS server
  3. Generate an HTTPS cert for your domain
  4. Create a CloudFront distribution to point to your domain
  5. Generate a CS profile that utilizes your HTTPS cert and the CloudFront distribution
  6. Generate a CS payload to test the setup

 

1. Setup a Cobalt Strike (CS) server

In this case, I set up a Debian-based node on Digital Ocean (I will call this “your server”). I ran the following to get updated and setup with OpenJDK, which is needed for Cobalt Strike (CS):

apt-get update && apt-get upgrade -y && apt-get install -y openjdk-8-jdk-headless
 

Grab the latest Cobalt Strike .tgz file from https://www.cobaltstrike.com/download and place it onto your server. Unzip the .tgz, enter the directory, and install it with the following commands:

tar -xvf cobaltstrike-trial.tgz && cd cobaltstrike && ./update
 

Note that you will need to enter your license key at this point. This is all the setup that we need to do for now on CS. We will do some more configuration as we go.

2. Register a domain and point it to your CS server

We will need to register a domain so that we can generate an HTTPS certificate. CloudFront requires that you have a valid domain with an HTTPS cert that is pointed at a server that is running something like Apache so that it can verify that the certificate is valid. The domain does not need to be categorized, which makes things easy. I like to use https://www.namesilo.com but you are free to use whatever registrar that you prefer. In this case, I just searched for “bhisblogtest” and picked the cheapest extension, which was bhisblogtest.xyz for $0.99 for the year.

q0tnAntdDpmCLqtcQJG8orvymBJ2s91lxDnfKMza

Searching for a Domain

One of the reasons that I like namesilo.com is that you get free WHOIS Privacy; some companies charge for this. Plus, it doesn’t tack on additional ICANN fees.

P9fyqPzqmmpugSrp1sbYXeYyNRW9CnZqBJRhRniq

WHOIS Privacy Included for Free by namesilo.com

After you register the domain, use namesilo.com to update the DNS records. I typically delete the default records that it creates. After deleting the default DNS records, create a single A-Record that points to your server. In this case, my server’s IP was 159.65.46.217. 

NOTE: For those of you that are getting some urges right now, I wouldn’t suggest attacking it as it was burned before this was posted and likely belongs to somebody else if it is currently live.

ISpnGIARsfllfQvbpucp_BTbXCfGq5K4HQruFQbE

Setting DNS A-Record for Domain

Wait until the DNS records propagate before moving onto the next step. In my experience, this will typically take about 10-15 minutes. Run your favorite DNS lookup tool on the domain that you registered and wait until the IP address returned matches the IP address of your server. In this case, we run the following until we see 159.65.46.217 returned:

nslookup bhisblogtest.xyz
 
bIirr_8tAJq-p8FrIKAPsmwRKgBihGx5kF67LqPp

DNS Record has Propagated

Note: Debian doesn’t always have DNS tools installed… you might need to run the following command first if you can’t use nslookup, dig, etc.:

apt-get install -y dnsutils
 

3. Generate an HTTPS certificate for your domain

In the old days, you had to pay money for valid certificates that were signed by a respected Certificate Authority. Nowadays, we can generate them quickly and freely by using LetsEncrypt. In particular, we will use the HTTPsC2DoneRight.sh script from @KillSwitch-GUI. Before we can use the HTTPsC2DoneRight.sh script, we need to install a few prerequisites. Run the following commands on your server, assuming Debian, to install the prerequisites:

apt-get install -y git lsof
 

Next, make sure you are in your root directory, grab the HTTPsC2DoneRight.sh script, enable execution, and run it:

cd && wget https://raw.githubusercontent.com/killswitch-GUI/CobaltStrike-ToolKit/master/HTTPsC2DoneRight.sh && chmod +x HTTPsC2DoneRight.sh && ./HTTPsC2DoneRight.sh
 

Once the script runs, you will need to enter your domain name that you registered, a password for the HTTPs certificate, and the location of your “cobaltstrike” folder.

UpVOzpz_JJp-YOm4QpDvg23j-azIngO640XOGoqO

Running HTTPsC2DoneRight.sh

If all goes well, you should have an Amazon-based CS profile, named amazon.profile, in a folder named “httpsProfile” that is within your “cobaltstrike” folder. The Java Keystore associated with your HTTPS certificate will also be in the “httpsProfile” folder.

tCI2wEjh8eseJs1Lwlr6b4U9IkXWX7obvsZ2Zh2J

Output from HTTPsC2DoneRight.sh

If you run the command tail on amazon.profile, you will see information associated with your HTTPS certificate in the CS profile. We will actually be generating a new CS profile later but will need the four lines at the end of amazon.profile for that profile.

e-7MJXADaBYhLiugaAer-f4GCs9Jl8Z6QliePgYE

The tail of amazon.profile from HTTPsC2DoneRight.sh Showing Certificate Information Needed for CS Profile

At this point, you should be able to open a web browser, head to https://<yourdomain>, and see the default Apache page without any certificate errors. If the aforementioned doesn’t happen, then something has gone wrong somewhere in the process and the remaining steps likely won’t succeed.

59aGjq0wZsw-E0iRTRkQG0c2_ojMxV8zh9Tdf1Fq

Verifying HTTPS Certificate was Correctly Generated

4. Create a CloudFront distribution to point to your domain

The next step is to create a CloudFront distribution and point it your domain. The following is the article that I originally used and still reference to get the settings correct:

https://medium.com/rvrsh3ll/ssl-domain-fronting-101-4348d410c56f

Head to https://console.aws.amazon.com/cloudfront/home and login or create an account if you don’t have one already; it’s free. Click on “Create Distribution” at the top of the page.

awbMoNNIbBOnne_cwRV9ypTaLxaw6LfBTwEbsUup

Create CloudFront Distribution

Click on “Get Started’ under the “Web” section of the page.

S9rHvfJHmzfW51zJbFKHlyQ7sKnRq1rWsSRcu9Hi

Choosing “Get Started” under “Web” Section

Enter in your domain name for the “Origin Domain Name” field. The “Origin ID” field will automatically be populated for you. Make sure that the remaining settings match the following screenshots.

kx1kPVRQFbLo5Y5sq9DmqBeinS0VcBOxUCskqFvG

First Section of CloudFront Distribution Settings

rUTvjuEhNnyqowt1JnmYB9eoJo7SmKInSWOFSxZV

Second Set of CloudFront Distribution Settings

The remaining settings that are not included in the screenshots above do not need to be altered. Scroll to the bottom of the page and click the “Create Distribution” button.

SwyQx56HeRYxRHHvOnjxsxvFd60whhHq4JxhYt1Q

Click “Create Distribution” after Updating CloudFront Settings

You will be taken back to the CloudFront main menu and you should see a cloudfront.net address that is associated with your domain. The CloudFront address will be what we use to refer to our server from now on. You should see “In Progress” under the “Status” column. Wait until “In Progress” has changed to “Deployed” before proceeding. You may need to refresh the page a few times as this could take 10 or 15 minutes.

U8hZ-ugUskHiYgE-r26GRqHanUEw-6Ca03JqkaUE

CloudFront Distribution Address Deploying

After your distribution has been deployed, test that it is working by visiting https://<your_cloudfront.net_address> and verify that you see the Apache2 default page without any certificate errors.

m2lrDnSWV0AjPwl1xPzqIvfsz1tw_8CtAcD-NdBg

Verifying CloudFront Distribution is Deployed

5. Generate a CS profile that utilizes your HTTPS cert and the CloudFront distribution

We will now generate a CS profile to take advantage of our CloudFront distribution. Since most default CS profiles get flagged, we will take the time here to generate a new one. On your server, head back to the home directory and grab the Malleable-C2-Randomizer script by bluescreenofjeff.

cd && git clone https://github.com/bluscreenofjeff/Malleable-C2-Randomizer && cd Malleable-C2-Randomizer
 

The next step is to generate a random CS profile. I’ve found that the Pandora.profile template provides the fewest issues with this technique. Run the following command to generate a profile.

python malleable-c2-randomizer.py -profile Sample\ Templates/Pandora.profile -notest
 

We need to copy the profile that was created to the “httpsProfile” folder in our “cobaltstrike” folder. The screenshot below shows an example of the output from the Malleable-C2-Randomizer script and copying that file to the “httpsProfile” folder.

9xRohr-NScPfO10IX_8fx5RYoz05zdx3rfZDiIN9

Copying Malleable-C2-Randomizer Output-File to /root/cobaltstrike/httpsProfile/

Head into the “httpsProfile” folder so that we can modify our newly-created CS profile.

cd /root/cobaltstrike/httpsProfile
 

Remember when we did a tail on the amazon.profile file and saw the four lines that started with “https-certificate”? We need to grab those four lines and place them at the bottom of our new, CS Pandora-profile. Run the command tail again on amazon.profile and copy the last four lines (the https-certificate section).

PcXBD85fb-c4BucPF26_yjUZNU1gP6pGKrS71kHY

Copy Last Four Lines of amazon.profile

Open the newly-created Pandora profile in the text editor of your choice. Paste the four lines that you just copied to the bottom of the Pandora profile.

5nnt-exQw4jl_Zz8XLzBM-3k5xSh-W9-H5R4dg2e

Pasting Certificate Information into Pandora Profile

For good OpSec, we should change the default process to which our payload will spawn. Add the following lines to the end of your Pandora profile file, underneath of the https-certificate section that you added.

post-ex {        
        set spawnto_x86 "%windir%\\syswow64\\mstsc.exe";
        set spawnto_x64 "%windir%\\sysnative\\mstsc.exe";
}
 
3Mxf_RAWNsbQS1tsRQf1TrzqdPMrgxEiGVK1n_yX

Code Added to Pandora Profile to Change SpawnTo Process

The last thing that we need to modify in our Pandora profile is the host to which our payload will beacon. There are two places in the profile where the host needs to be changed. Find both locations in the Pandora profile where “Host” is mentioned and change the address to point to your cloudfront.net address that was generated as part of your CloudFront distribution.

nqf7eq6OXk7dnPys2Wdcrdo54bQsamxR4fobawJu

One Location of “Host” Value in Pandora Profile

4U2icOBEO6U1JoUxF0db5jg2Rh87PW8QlzQeUh7L

Other Location of “Host” Value in Pandora Profile

Kill the apache2 service on your server since it will conflict with the CS Listener that we will create in the final step. Run the following command on your server:

service apache2 stop
 

We are now ready to launch our CS Team Server with the new profile. Move up a directory so that you are in the cobaltstrike directory, which is /root/cobaltstrike in this case. Run the CS Team Server with the following template for a command:

./teamserver <IP OF CS SERVER> <PASSWORD FOR SERVER> <PATH TO PANDORA PROFILE> <C2 KILL DATE>
 
VqXm0cPyS1asrUALfK_3wku683LT7dVlbuHAXu3i

Running CS Team Server with Custom Pandora Profile

The CS Team Server should now be up and running and we can move onto the final steps.

6. Generate a CS payload to test the setup

The final step is to start a CS Listener and generate a CS payload. This step assumes you have installed the CS client on a system. Open the CS client and connect to your CS Team Server.

CkoS6f3QLygos5yyx8azXdNEESrvWjxxW3y-OlmJ

Connecting to CS Team Server

Choose the option in the CS client to add a new listener. Name the listener anything that you would like, which is “rhttps” in this example. Select the “windows/beacon_https/reverse_https” payload in the drop-down menu. In the “Host” field, enter the address of your CloudFront distribution that you created earlier. Enter 443 in the “Port” field” and then click save.

kL6heKeOfcGbl-YutOq3OcnK51JHrqgphD7KONl4

Settings for CS Listener

An additional popup screen will be shown that asks you to enter a domain to use for beaconing. Enter your CloudFront distribution address as the domain for beaconing and click the “Ok” button.

yVjyvwTBvmkWO4m2T2Ka7kcV5a7eLFyqVZHjx52Y

CloudFront Address Used as Beaconing Domain

You should now have a CS Listener up and running that is taking advantage of all of the work that has been done up to this point. The last step is to generate a payload to test that everything is working. I will state at this point that any CS Payload that you generate and attempt to use without additional steps will almost certainly be caught by AV engines. Generating a payload that does not get caught by AV is enough material for another blog post. The gist of it is that you typically generate CS Shellcode and use a method to inject that shellcode into memory. We will not dive into those details in this blog post as the focus on this post is how to use CloudFront as a relay for CS. For our purposes here, disable all of the AV that you have on the Windows system on which you will run the payload. Select the “HTML Application” payload from the menu shown in the screenshot below.

xUe_e5gx9B2anwA5JDivora6Z-RrEjf8v8WFaK2T

Selecting HTML Application as CS Payload Format

Make sure that the “Listener” drop-down menu matches the name that you gave to your listener, which is “rhttps” in this case. Choose “Executable” from the “Method” drop-down menu. Click the “Generate” button, choose a location to save the payload, and then run the payload by double-clicking on the file that was generated. You should observe in your CS-client window that a session has been established!

S8xKVsJljRGFZNq_Y8FoH1Rv4B86hheDOHwkpxya

Choosing Payload Listener and Method

6YUnq8izyKFl9ylnni5IeVmWPye-h5IS5l0k7fbz

Session Established

Protections

Preventing attackers from using CloudFront as a relay in your environment is, unfortunately, not as easy as just disallowing access to CloudFront. Disallowing access to CloudFront would likely “break” a portion of the internet for your company since many websites rely on CloudFront. To help mitigate the chances of an attacker establishing a C2 channel that uses CloudFront as a relay, we would suggest a strong application-whitelisting policy to prevent users from running malicious payloads in the first place.

Conclusion

Using CloudFront as a relay for your C2 server has many benefits that can allow you to bypass multiple protections within an environment and hide the origin of your C2 server. This article walked through all the steps that should be needed to set up a CloudFront distribution to use as a relay for a Cobalt Strike Team Server. Generating CS payloads that evade AV will be discussed in future posts.

Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.

 

Sursa: https://www.blackhillsinfosec.com/using-cloudfront-to-relay-cobalt-strike-traffic/

  • Upvote 2

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...