Red Teaming on Azure: How to Secure Your Cobalt Strike Teamserver Using Redirectors

Vishal Raj

·

Follow

Published in

System Weakness

·

11 min read

·

Jun 16, 2024

Listen

Share

Introduction:

In the rapidly evolving landscape of cybersecurity, red teaming has become an essential practice for organizations aiming to test their defenses against real-world attack scenarios. Among the various tools available for red team operations, Cobalt Strike stands out as a versatile and powerful framework designed to simulate advanced threat actors. It provides a comprehensive suite of tools for command and control, post-exploitation, and lateral movement, making it a preferred choice for professional red teams.

However, with great power comes great responsibility. The effectiveness of Cobalt Strike in a red teaming engagement heavily relies on the security and stealth of its infrastructure. A compromised or exposed teamserver can lead to the detection of the red team’s activities and potentially severe consequences. Therefore, configuring Cobalt Strike in a secure manner is paramount.

This article delves into the process of setting up a Cobalt Strike teamserver on Microsoft Azure, a popular cloud platform known for its robustness and scalability. The focus will be on configuring the environment to ensure that the teamserver remains hidden and secure, utilizing a redirector server to obfuscate the true origin of the command and control (C2) traffic.

We will explore the following key aspects:
Prerequisites: Understanding the requirements and preparing the necessary tools and accounts.
Azure Environment Setup: Establishing a secure virtual network with appropriate subnets for the teamserver and redirector.
Teamserver Configuration: Installing and configuring the Cobalt Strike teamserver on an Azure virtual machine (VM).
Redirector Server Setup: Deploying and configuring a redirector server to forward traffic to the teamserver, effectively hiding it from direct internet exposure.
Testing the Setup: Ensuring the entire configuration works as intended by validating the communication between the redirector and the teamserver.

By the end of this article, you will have a securely configured Cobalt Strike environment on Azure that leverages a redirector server for enhanced stealth and security. This setup not only protects your teamserver from direct exposure but also provides a robust infrastructure for conducting sophisticated red team operations. Whether you are a seasoned red teamer or new to using Cobalt Strike, this step-by-step guide will help you achieve a secure and efficient setup.

Prerequisites

Before diving into the setup and configuration of the Cobalt Strike teamserver and redirector on Azure, ensure you have the following prerequisites in place:

1. Azure Account : A valid Microsoft Azure account with sufficient credits or a subscription plan to create and manage virtual machines, networks, and other resources. Familiarity with the Azure portal and basic Azure services.
2. Licensed Cobalt Strike: A legitimate, licensed copy of Cobalt Strike. Ensure you have the necessary license key and installation files. Access to the Cobalt Strike support portal for documentation and updates.

Disclaimer

This article is intended for educational and informational purposes only. The author and publisher of this article are not liable for any damages, losses, or legal actions resulting from the use or misuse of the information provided. The techniques and configurations discussed are designed to help security professionals and organizations enhance their understanding of cybersecurity practices, specifically in the context of red teaming and penetration testing.

Setting Up the Azure Environment:

1. Login to the Azure Portal

• Go to the Azure Portal and sign in with your Azure account credentials.s

2. Create a New Resource Group

• Navigate to “Resource Groups” and click on “Add.”
• Enter a name for your resource group and select the appropriate region.
• Click “Review + create” and then “Create” to finalize the resource group.

3. Create a Virtual Network

Inside the newly created resource group, click on “Add” to create a new resource. Search for “Virtual Network” and select it from the list of services. Click on “Create” and configure the following settings:

• Name: Enter the name for your network
• Address Space: Set it to 192.168.0.0/24 .

Create a Subnet with this virtual network:

• Subnet Name: Subnet-01.
• Subnet Address Space: 192.168.1.0/24.

4. Create a VM for Cobalt Strike Teamserver:

• Inside the resource group, click on “Add” to create a new resource.
• Search for “Virtual Machine” and select it from the list of services.
• Click on “Create” and configure the following settings for the first VM:

i.) Basics

• Image: Select Ubuntu 20.04 LTS.
• Size: Choose Standard_B1s.
• VM Name: Enter CSvm01.
• Username: Enter your preferred username (ubuntu).
• Authentication Type: Select “SSH public key.”
• SSH Public Key Source: Generate a new key pair.
• Key Pair Name: Name the SSH public key.

ii) Disks

• Leave the default settings for the OS disk.

iii) Networking

• Virtual Network: Select the VNet that we created at step 3.
• Subnet: Select Subnet-01.
• Public IP: Select “None” (since the Cobalt Strike team server will not be accessible from the internet for better security).
• NIC Network Security Group: Choose “Basic” and allow port 22 as an inbound port rule for SSH access.

iv.) Management, Advanced, and Tags

• Leave the default settings for these sections unless specific configurations are needed for your environment.

v.) Review + Create

• Review all the configurations and click “Create” to deploy the VM.

Download the ssh private key to your local computer, we use this key to login to our vm’s.

5. Create the Redirector VM:

• Follow the same steps as in 4 to create the redirector VM. In the Networking blade, create a public IP for the redirector because our Cobalt Strike Beacon and Cobalt Strike Client will communicate with the redirector from the public network. Use the existing SSH key generated in step 4.

By following these steps, you will create two VMs in your Azure environment: one for the Cobalt Strike teamserver (CSvm01) without a public network access, and a redirector VM (Redirectorvm01) with a public IP to manage incoming traffic.

Configuring the Cobalt Strike Teamserver:

1. Add Inbound Traffic Rules to Network security group:

Navigate to the network security group associated with your Cobalt Strike teamserver VM (CSvm01).

Add inbound security rules to allow traffic from the redirector private IP address on the necessary ports:

• — Port 50050 (Cobalt Strike teamserver port)

• — Port 80 (HTTP for redirector communication)

By configuring these inbound traffic rules, you ensure that only traffic from your redirector server can reach the Cobalt Strike teamserver on the specified ports, enhancing the security and control over your red team operations.

2. SSH to the Cobalt Strike VM Through the Redirector VM Using SSH Key

To securely access the Cobalt Strike teamserver VM (CSvm01) through the redirector VM (Redirectorvm01) using SSH key authentication, follow these steps:

i.) Locate the SSH Private Key

• Ensure you have the SSH private key file (.pem) that corresponds to the SSH public key added to both CSvm01 and Redirectorvm01 during their creation.

ii.) SSH Configuration on Redirector VM (Redirectorvm01)

• Open a terminal or SSH client on your local machine.
• Use the following command to SSH into the redirector VM (Redirectorvm01) from your local machine:

ssh -i /path/to/your/private_key.pem username@redirector_public_ip

#Replace /path/to/your/private_key.pem with the path to your SSH private key file and username with your SSH username.

iii.) SSH Configuration from Redirector VM to Cobalt Strike VM (CSvm01)

• Once connected to Redirectorvm01, use the following SSH command to connect to CSvm01:

ssh -i /path/to/your/private_key.pem username@CSvm02_private_ip

# Replace /path/to/your/private_key.pem with the same SSH private key file path used in step 2 and username with your SSH username configured on CSvm01. Replace cs_vm_private_ip with the private IP address of CSvm01.

4. Accessing the Cobalt Strike Teamserver and installing dependencies

• After successfully ssh into CSvm01, we first need to Update the repository by running the command: sudo apt-get update.After update , install openJDK-17 or latest java version, as the teamserver runs on Java.
• After that you can install Cobalt Strike teamserver using your licensed key and start or manage the teamserver as needed for your red team operations.

Creating and Configuring the Redirector Server:

1. Configuring the Security Group

Before setting up the redirector server (Redirectorvm01), configure the network security group (NSG) to allow inbound traffic on ports 50050 and 80. Follow these steps:

• Navigate to the Azure Portal and locate the network security group associated with Redirectorvm01.
• Add inbound security rules for: Port 50050 and Port 80

2. SSH to the Redirector VM (Redirectorvm01), Update Repository, and Install socat

• Connect to Redirectorvm01 using SSH with your SSH private key and username.

ssh -i /path/to/your/private_key.pem username@redirector_public_ip

• Update the repository and install socat:

sudo apt update
sudo apt install socat

3. Using screen Command and Running socat

• screen is a terminal multiplexer that allows you to run multiple virtual terminal sessions within a single SSH session. It enables you to detach and reattach sessions, making it ideal for long-running processes or commands that you want to keep running even if your SSH connection drops.

Running socat Commands:

• Use screen to run socat commands as background processes. Here’s how you can set up port forwarding using socat:

# Start a new screen session
screen -S socat

# Forward traffic from port 80 on Redirectorvm01 to port 80 on CSvm01
sudo socat TCP-LISTEN:80,fork TCP:192.168.1.4:80 &

# Forward traffic from port 50050 on Redirectorvm01 to port 50050 on CSvm01
sudo socat TCP-LISTEN:50050,fork TCP:192.168.1.4:50050 &

# Press 'Ctrl + A + D' to detached from screen 

Setting Up the Attacker Machine

Now, we need to start the Cobalt Strike client to connect to our teamserver through the redirector. Navigate to the machine where the Cobalt Strike client is installed (Kali OS) and follow these steps:

1. Open the Cobalt Strike Client:

In the Cobalt Strike client, enter the following connection details:

• Host: Enter the public IP address of Redirectorvm01.
• Port: 50050 (or the port configured for the teamserver).
• User: Your Cobalt Strike username.
• Password: Your Cobalt Strike teamserver password.

This setup will direct your connection to the redirector, which will then forward it to the Cobalt Strike teamserver (CSvm01).

2. Verify Connection:

• Once connected, verify that the connection is established and that you can interact with the teamserver.

3. Adding a Listener Using the Redirector IP Address:

In the Cobalt Strike client, go to Cobalt Strike > Listeners.

Add a New Listener:

Configure the following settings:

• Listener Name: Give your listener a descriptive name.
• Payload: Choose the appropriate payload (e.g., Beacon HTTP).
• HTTP Host: Enter the public IP address of Redirectorvm01.
• Port: Set the port you want to use (e.g., 80 or 443).
• HTTP Host (Stager): Set this to the redirector public IP address.

This configuration ensures that the listener uses the redirector’s public IP address, directing incoming traffic to the redirector, which will then forward it to the teamserver.

4. Launching a Scripted Web Delivery Attack in Cobalt Strike:

In the Cobalt Strike client, go to Attacks > Scripted Web Delivery(s).

Configure Scripted Web Delivery:

• URI Path: Set the URI path (e.g., /payload). This is the URL path that the target will request to download the payload.
• Local HOST: Enter the redirector public IP address.
• Local Port: Enter the port number 80.
• Listener: Select the listener that we previously created that uses the redirector public IP.
• Type: Select Powershell.
• x64: Select x64.

After setting the configuration, click Launch. Cobalt Strike will generate a PowerShell command that you can use to deliver the payload.

5. Deploy the Payload: Copy the PowerShell Command and Deliver the Command to the Target.

• I’m using my own windows sandbox for testing purpose. you can use social engineering or other methods to deliver the PowerShell command to the target. When the target executes this command, it will download and execute the Cobalt Strike Beacon from the redirector, which forwards the connection to the Cobalt Strike teamserver.

Once the target executes the PowerShell command, monitor the Cobalt Strike client for incoming connections. Interact with the compromised system through the Cobalt Strike interface

By following these steps, you will have launched a scripted web delivery attack using Cobalt Strike. This attack leverages the redirector to hide the teamserver, ensuring that your operations remain stealthy and secure.

Below in Fig:4.6 showing the successful connection from a victim machine to the Cobalt Strike teamserver, indicating that the traffic was correctly routed through the redirector.

Summary

In this guide, we walked through the comprehensive process of setting up a Cobalt Strike teamserver on Azure, enhanced with a redirector server for better security. Here’s a brief recap of the steps covered:

1. Introduction: We introduced the importance of securely deploying Cobalt Strike for red teaming, emphasizing the use of a redirector server to protect the main teamserver from direct exposure to the internet.
2. Prerequisites: We outlined the essential requirements, including an Azure account, a licensed Cobalt Strike copy, OpenJDK 17, and SSH keys.
3. Setting Up the Azure Environment: We created a resource group, a virtual network with a subnet, and two virtual machines (VMs): one for the Cobalt Strike teamserver and one for the redirector.
4. Configuring the Cobalt Strike Teamserver: We set up the security group, installed OpenJDK 17, and configured the VM to only allow traffic from the redirector.
5. Creating and Configuring the Redirector Server: We configured the security group, installed socat, and used it to forward traffic from the redirector to the teamserver, utilizing the screen command to ensure persistent processes.
6. Verifying the Setup: We verified the setup by successfully connecting a victim machine to the Cobalt Strike teamserver through the redirector and included a screenshot for confirmation.

Conclusion

By following this guide, you have established a robust and secure environment for Cobalt Strike operations on Azure. Utilizing a redirector server significantly enhances the security posture of your red team infrastructure by preventing direct exposure of the teamserver to the internet. This setup ensures that your red team activities remain discreet and protected from potential detection or interference.

The detailed steps provided, from setting up the Azure environment to configuring and verifying the servers, offer a clear and practical approach for deploying Cobalt Strike in a secure manner. Implementing these best practices allows you to conduct red team engagements effectively while maintaining a strong security posture.

For further enhancements, consider regularly updating your Azure environment, monitoring network traffic, and employing additional security measures such as intrusion detection systems (IDS) and virtual private networks (VPNs) to further safeguard your operations.