Summary

This is a quick overview of my Cobalt Strike AWS configuration. There are a ton of instructions online, so I’m not going to go into as much detail as everyone else.

Configuration

Once you’re logged into your AWS console, select EC2, then choose the VM that you want. My Ubuntu instance belongs to the “free tier”, so it only has 1 GB of memory, 1 CPU, and 20 GB of disk space.

For the network ports, I selected the below and only allowed my home IP to access this instance. There’s always room for improvement, but for my needs, this is good enough, especially since I shut down after I’m done labbing.
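One way to verify the source-IP restriction described above, as an added example that is not part of the original post: it parses JSON in the shape returned by `aws ec2 describe-security-groups` and lists every ingress rule that admits anything other than one allowed address. The group ID, ports and 203.0.113.x addresses are constructed sample data, and `audit_ingress` is a hypothetical helper name.

```python
import ipaddress
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups`; the ID, ports and IPs are made up.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0example",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}
  ]}]}
""")


def audit_ingress(groups, allowed_ip):
    """Return (group_id, ports, cidr) for every ingress rule that admits
    any source other than the single allowed address."""
    allowed = ipaddress.ip_address(allowed_ip)
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            # IpProtocol "-1" means all protocols and carries no port range.
            if perm["IpProtocol"] == "-1":
                ports = "all"
            else:
                ports = f'{perm["IpProtocol"]}/{perm.get("FromPort")}-{perm.get("ToPort")}'
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # Pass only a single-host network equal to the allowed IP.
                if not (net.num_addresses == 1 and net.network_address == allowed):
                    findings.append((sg["GroupId"], ports, cidr))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE, "203.0.113.10"):
        print("OPEN", *finding)
```

An empty result means every ingress rule is limited to the one address; IPv6 ranges are checked too, since a rule can be closed on IPv4 and still open on `::/0`.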

Once the VM is available, just ssh into it using the ssh keys to test out connectivity.

ssh -i ubuntu_cs.pem ubuntu@ec2-1-2-3-4.compute-1.amazonaws.com

Now that we’re good to go, let’s upload our Cobalt Strike folder to the instance using the below command.

scp -i ubuntu_cs.pem -r cobaltstrike ubuntu@ec2-1-2-3-4.compute-1.amazonaws.com:/home/ubuntu/cobalt

At this point, we should be all set to use Cobalt Strike, so let’s take it out for a test drive.

Start the teamserver. The profile is optional at this point.

sudo ./teamserver 1.2.3.4 YourPassword

On your local machine, launch the Cobalt Strike client.

./cobaltstrike

Cobalt Strike GUI.

One thing that I thought would be pretty cool was to create a subdomain and point CS or whatever C2 traffic to it instead of an IP. This also gave me a chance to play around with Route 53.

To do this, simply navigate to Route 53 and select your Hosted Zone.

Create Record.

Enter your subdomain’s name and its IP address.

Now, whenever I create a CS beacon, I can just use c2traffic.not2clever.me as the address, instead of an IP.

I understand that this is bad OPSEC, but I’m only using this lab for my own personal tests.

Speaking of OPSEC, my phase 2 project is to experiment with CloudFront and use that service to hide my teamserver’s IP address.

Conclusion

As I mentioned at the beginning, this post is not meant to be an in-depth article explaining every single step, but more so an overview of adding a C2 framework on an Amazon EC2 instance.

It also gave me the opportunity to learn about Route 53 and how to set up subdomains to point to various applications that I may have. One application that I’m going to configure next is GoPhish or some other phishing service. I think that should tie things up nicely for an AWS lab.

I hope that you enjoyed this writeup. Until next time, take care.