Core Impact and Cobalt Strike Interoperability

Introduction

Contrary to many perceptions, Cobalt Strike is not a penetration testing tool. As mentioned earlier, it is a tool for post-exploitation adversary simulations and Red Team operations. However, we have recently begun offering interoperability with Core Impact, which is a penetration testing tool with features that complement those of Cobalt Strike.

Core Impact is typically used for exploitation, lateral movement, and validating the attack paths often associated with a penetration test. Used by both in-house teams and third-party services, Core Impact offers capabilities for remote, local, and client-side exploitation. Impact also uses post-exploitation agents, which, while they don’t have a cool name like “Beacon,” are versatile in both their deployment and capabilities, including chaining and pivoting.

While a previous blog dives deeper into the particulars, to quickly summarize, the interoperability piece comes in the form of session passing between both platforms. Those with both tools can deploy Beacon from within Core Impact. Additionally, users can spawn an Impact agent from within Cobalt Strike.

Session Passing from Core Impact to Cobalt Strike

One of the most important forms of tool interoperability is the ability to pass sessions between platforms.

Core Impact includes a Run shellcode in temporary process module to support session passing. This module spawns a temporary process and injects the contents of the specified file into it. The module supports spawning x86 -> x86, x64 -> x64, and x64 -> x86 code.

To pass a session from Core Impact to Cobalt Strike:

Cobalt Strike

  1. Go to Payloads -> Windows Stageless Payload
  2. Click to choose your listener
  3. Change Output to raw
  4. Check x64 if you wish to export an x64 payload.
  5. Click Generate and save the file

Core Impact

  1. Right-click on the desired agent and click Set as Source
  2. Find the Run shellcode in temporary process module and double-click it.
  3. Set ARCHITECTURE to x86-64 if you exported an x64 payload
  4. Set FILENAME to the file generated by Cobalt Strike
  5. Click OK
  6. After some seconds, you should see a new beacon deployed in Cobalt Strike.

This pattern is a great way to spawn Cobalt Strike’s Beacon after a successful remote or privilege escalation exploit with Core Impact.

Session Passing from Cobalt Strike to Core Impact

You can also spawn a Core Impact agent from Cobalt Strike. If Core Impact and Cobalt Strike can reach the same network, this pattern is a lightweight way to turn an access obtained with Beacon (e.g., via phishing, lateral movement, etc.) into an Impact agent.

Core Impact

  1. Find the Package and Register Agent module and double-click it.
  2. Change ARCHITECTURE to x86-64 if you’d like to export an x64 agent
  3. Change BINARY TYPE to raw
  4. Change TARGET FILE to where you would like to save the file
  5. Expand Agent Connection
  6. Change CONNECTION METHOD and PORT to fit your preference. I find that Connect from target (reverse TCP connection) is the most performant.

Cobalt Strike

  1. Interact with a Beacon
  2. Type shspawn x64 if you exported an x64 agent. Type shspawn x86 if you exported an x86 agent.
  3. Find the file generated by Core Impact that you exported.
  4. Click Open.
  5. After some seconds, you should hear the famous New Agent Deployed🔊 announcement within Core Impact.

Tunnel Core Impact exploits through Cobalt Strike

Core Impact has an interesting offensive model. Its exploits and scans do not originate from your Core Impact GUI. The entire framework is architected to delegate offense activity through a source agent. The currently selected source agent also acts as a controller to receive connections from reverse agents [or to connect to and establish control of bind agents]. In this model, the offense process is: start with local agent, find and exploit target, set new agent as source agent, find and exploit newly visible targets, repeat until satisfied.

As the agent is the main offense actor in Core Impact, tunneling Core Impact exploits is best accomplished by tunneling the Core Impact agent through Cobalt Strike’s Beacon.

Cobalt Strike introduced the spunnel command to spawn Core Impact’s Windows agent in a temporary process and create a localhost-only reverse port forward for it. Here are the steps to tunnel Core Impact’s agent with spunnel:

Core Impact

  1. Click the Modules tab in the Core Impact user interface
  2. Search for Package and Register Agent
  3. Double-click this module
  4. Change Platform to Windows
  5. Change Architecture to x86-64
  6. Change Binary Type to raw
  7. Click Target File and choose where to save the output.
  8. Go to Agent Connection
  9. Change Connection Method to Connect from Target
  10. Change Connect Back Hostname to 127.0.0.1
  11. Change Port to 9000 (or any arbitrary value) and remember it.
  12. Press OK.

Cobalt Strike

  1. Right-click on the asset and press Interact with a Beacon
  2. Type spunnel x64 [impact IP address] 9000 and press enter.
  3. Find the file generated by Core Impact that you exported.
  4. Press Open.
  5. After some seconds, you should hear the famous New Agent Deployed🔊 announcement within Core Impact.

This is similar to passing a session from Cobalt Strike to Core Impact. The difference here is that the Impact agent’s traffic is tunneled through Cobalt Strike’s Beacon payload.

Tip

What happens when Cobalt Strike’s team server is on the internet and Core Impact is on a local Windows virtual machine? We have a pattern for this too.

  1. Run a Cobalt Strike client from the same Windows system that Core Impact is installed on.
  2. Connect this Cobalt Strike client to your team server.
  3. In this setup, run spunnel_local x64 127.0.0.1 9000 to spawn and tunnel the Impact agent through Beacon.

The spunnel_local command is like spunnel, with the difference that it routes the agent traffic from Beacon to the team server and onwards through your Cobalt Strike client. The spunnel_local command was designed for this exact situation.
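The tunneling pattern above has a recognizable host-side shape for a defender: Beacon spawns a temporary process, and that process's first network activity is a TCP connection to 127.0.0.1 on an arbitrary high port (9000 in the steps above) that the Beacon host process itself is listening on. The following heuristic detector is an added example written from the detection side; it is not code from Cobalt Strike, Core Impact, or this page. It correlates constructed, Sysmon-style process-creation and network-connection events, and flags a child process that connects to loopback shortly after being created on a port that is not in an allowlist of expected local services. The event field names, the 30-second window, the allowlisted ports, and every image path and PID are assumptions made up for the example.

```python
"""Heuristic: newly created process whose early network activity is a loopback
TCP connection on a non-allowlisted port. Added example, not vendor code.
Event schema, thresholds and sample data below are constructed assumptions."""
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Assumption: site-specific services that legitimately accept loopback connections.
ALLOWLIST_LOOPBACK_PORTS: Set[int] = {5432, 8080}
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}

# Constructed sample telemetry (not real events). Fields loosely follow Sysmon:
# ProcessCreate ~ Event ID 1, NetworkConnect ~ Event ID 3.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-01-01T09:59:00", "type": "ProcessCreate", "pid": 3200, "ppid": 900,
     "image": "C:\\constructed\\beacon_host.exe", "parent_image": "C:\\constructed\\explorer.exe"},
    # Temporary process spawned by the host process, then connecting to 127.0.0.1:9000 two seconds later.
    {"ts": "2024-01-01T10:00:00", "type": "ProcessCreate", "pid": 4100, "ppid": 3200,
     "image": "C:\\constructed\\temp_child.exe", "parent_image": "C:\\constructed\\beacon_host.exe"},
    {"ts": "2024-01-01T10:00:02", "type": "NetworkConnect", "pid": 4100,
     "dest_ip": "127.0.0.1", "dest_port": 9000},
    # Benign: a developer tool talking to a local database on an allowlisted port.
    {"ts": "2024-01-01T10:01:00", "type": "ProcessCreate", "pid": 5000, "ppid": 1000,
     "image": "C:\\constructed\\devtool.exe", "parent_image": "C:\\constructed\\explorer.exe"},
    {"ts": "2024-01-01T10:01:01", "type": "NetworkConnect", "pid": 5000,
     "dest_ip": "127.0.0.1", "dest_port": 5432},
    {"ts": "2024-01-01T10:01:03", "type": "NetworkConnect", "pid": 5000,
     "dest_ip": "10.0.0.5", "dest_port": 443},
    # Benign-looking: a long-running process using loopback well outside the window.
    {"ts": "2024-01-01T09:00:00", "type": "ProcessCreate", "pid": 6000, "ppid": 1000,
     "image": "C:\\constructed\\longrunning.exe", "parent_image": "C:\\constructed\\explorer.exe"},
    {"ts": "2024-01-01T10:30:00", "type": "NetworkConnect", "pid": 6000,
     "dest_ip": "127.0.0.1", "dest_port": 9000},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_loopback_tunnel(events: Iterable[Dict], window_seconds: int = 30,
                           allowlist: Set[int] = ALLOWLIST_LOOPBACK_PORTS) -> List[Dict]:
    """Return one finding per process that connects to loopback on a
    non-allowlisted port within window_seconds of its own creation."""
    created: Dict[int, Dict] = {}  # pid -> most recent ProcessCreate event
    findings: List[Dict] = []
    # ISO-8601 timestamps sort correctly as strings; process events in time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "ProcessCreate":
            created[ev["pid"]] = ev
            continue
        if ev["type"] != "NetworkConnect":
            continue
        if ev["dest_ip"] not in LOOPBACK_ADDRESSES or ev["dest_port"] in allowlist:
            continue
        proc = created.get(ev["pid"])
        if proc is None:  # no creation record seen for this pid; nothing to correlate
            continue
        delay = (_parse_ts(ev["ts"]) - _parse_ts(proc["ts"])).total_seconds()
        if 0 <= delay <= window_seconds:
            findings.append({
                "pid": ev["pid"],
                "image": proc["image"],
                "parent_pid": proc["ppid"],
                "parent_image": proc["parent_image"],
                "dest_port": ev["dest_port"],
                "delay_seconds": delay,
            })
    return findings


if __name__ == "__main__":
    for f in detect_loopback_tunnel(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) connected to 127.0.0.1:{f['dest_port']} "
              f"{f['delay_seconds']:.0f}s after creation; parent pid {f['parent_pid']} "
              f"({f['parent_image']}) is the first place to look")
```

The parent process is reported because, in the pattern on this page, it is the process holding the localhost-only reverse port forward; a triage step is to check what that parent is listening on and where its own outbound connections go. The allowlist and the window are the two knobs that control false positives and should be tuned from baseline telemetry before this is used as an alert.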

Explore on Your Own

At this point, you have explored some of Cobalt Strike's features. Feel free to explore and test other commands or features.