For this example, we will be using AWS EC2 instances. Our team mostly uses Ubuntu for our development and production instances. We have found good success using Ubuntu and have moved to the recent LTS 18.04.
This post will focus primarily on the manual installation of CobaltStrike; we will be following up this post with some additions to RAI (Rapid Attack Infrastructure): https://github.com/obscuritylabs/RAI
sudo apt update && sudo apt upgrade -y
sudo apt install openjdk-11-jdk
sudo update-java-alternatives -s java-1.11.0-openjdk-amd64
Installing CobaltStrike in an automated fashion isn’t exactly perfect, but using some basic tools we can get the job done.
The first step is to set up your CS license key and export it as a variable for later use. Then create yourself a license file, which CS will require:
sudo su
export CSKEY=*INSERTKEYHERE*
cd /opt
echo $CSKEY > ~/.cobaltstrike.license
Once completed, use the following curl magic to properly request a download link for the Linux TAR package. Finally, we can wget our new CS package:
var=$(curl 'https://www.cobaltstrike.com/download' -XPOST \
  -H 'Referer: https://www.cobaltstrike.com/download' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: https://www.cobaltstrike.com' \
  -H 'Host: www.cobaltstrike.com' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  -H 'Connection: keep-alive' \
  -H 'Accept-Language: en-us' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0.1 Safari/604.3.5' \
  --data "dlkey=$CSKEY" \
  | sed -n 's/.*href="\([^"]*\).*/\1/p' | grep /downloads/ | cut -d '.' -f 1)
wget https://www.cobaltstrike.com$var.tgz
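If the key is rejected or the page layout changes, `$var` comes back empty and the wget above requests `https://www.cobaltstrike.com.tgz`, which is a different hostname. The following is an added example, not part of the original post: it wraps the same sed/grep/cut pipeline in a check that exactly one relative /downloads/ path was found. The function names and the sample HTML are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: validate the scraped path before it is handed to wget.
# SAMPLE_* are constructed HTML snippets, not captures of the real page.
SAMPLE_OK='<p><a href="/downloads/EXAMPLETOKEN/example-package.tgz">Linux</a></p>
<a href="/support">Support</a>'
SAMPLE_REJECTED='<p>Invalid license key</p>
<a href="/download">Try again</a>'

# Reads the download page HTML on stdin and prints the single relative
# /downloads/ path with its extension cut off, as the original pipeline does.
extract_download_path() {
    local paths count
    paths=$(sed -n 's/.*href="\([^"]*\).*/\1/p' | grep '^/downloads/' \
        | cut -d '.' -f 1 | sort -u) || true
    count=$(printf '%s\n' "$paths" | grep -c . || true)
    # Zero links: key rejected or page changed. Several: ambiguous, stop.
    if [ "$count" -ne 1 ]; then
        echo "expected 1 download link, found $count" >&2
        return 1
    fi
    # Only a plain relative path may be appended to the fixed origin.
    case "$paths" in
        *[!A-Za-z0-9/_-]*) echo "unexpected characters in path" >&2; return 1 ;;
    esac
    printf '%s\n' "$paths"
}

# Builds the URL for wget, or fails without printing anything.
build_download_url() {
    local path
    path=$(extract_download_path) || return 1
    printf 'https://www.cobaltstrike.com%s.tgz\n' "$path"
}

# Demo on the constructed samples; in real use, pipe the curl output in.
printf '%s\n' "$SAMPLE_OK" | build_download_url
printf '%s\n' "$SAMPLE_REJECTED" | build_download_url || echo "not downloading"
```

In real use the curl output is piped into `build_download_url` and wget runs only when the function succeeds.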
Once this is complete, we update CS and we are off to the races.
cd cobaltstrike && ./update