{"id":12536,"date":"2021-04-23T21:48:27","date_gmt":"2021-04-23T16:18:27","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=12536"},"modified":"2021-04-23T21:48:27","modified_gmt":"2021-04-23T16:18:27","slug":"movekit","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/movekit\/","title":{"rendered":"MoveKit : Cobalt Strike Kit For Lateral Movement"},"content":{"rendered":"\n

Movekit<\/strong> is an extension of built in Cobalt Strike lateral movement by leveraging the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading the template files for a specific execution type.<\/p>\n\n\n\n

IMPORTANT: To use the script a user will only need to load the MoveKit.cna<\/code> aggressor script which will load all the other necessary scripts with it. Additionally, depending on actions taken the SharpMove<\/a> and SharpRDP<\/a> assemblies will need to be compiled and placed into the Assemblies<\/code> directory. Finally, some of the file moving requires dynamic compiling which will require Mono.<\/p>\n\n\n\n

When loading the aggressor script there will be a selector loaded to the menubar<\/code> named Move<\/code>. There are multiple selections a user can select. First, users can select to execute a command on a remote system through WMI, DCOM, Task Scheduler, RDP, or SCM. Second, there is the Command<\/code> execution mechanism which uses download cradles to grab and execute the files. Third, the File<\/code> method drops a file on the system and executes it. There is Write File Only<\/code> that does not do any execution, move data only. Finally, there is a Default<\/code> settings to make using GUI faster and used with beacon commands. The default settings are used for anything that can accept a default.<\/p>\n\n\n\n

To use the beacon commands it will read the default settings and use a few command line arguments. A beacon command example: <exec-type> <target> <listener> <filename><\/code><\/p>\n\n\n\n

move-msbuild 192.168.1.1 http move.csproj<\/code><\/p>\n\n\n\n

Additionally, the custom pre built beacon command is a little bit different. Command example: move-pre-custom-file <target> <local-file> <remote-filename><\/code><\/p>\n\n\n\n

move-pre-custom-file computer001.local \/root\/payload.exe legit.exe<\/code><\/p>\n\n\n\n

The location field is the trickiest part of the project. When selecting WMI<\/code> file movement location<\/code> will be used, if SMB is selected then it will not be used (so it can be left empty). Location<\/code> takes three different values. First, it location<\/code> is a URL then when the payload is created it will be hosted by Cobalt Strike’s web server. The beacon host where the assembly will be executed from will make a web request to the URL and grab the file, which will be used in an event sub on the target host to write the file. Second, if location<\/code> is a Windows directory then it will upload the created file to the beacon host and the assembly will read it from the file system and store in the event sub to write to the remote host. Finally, if the location<\/code> field is a linux path or the word local<\/code> then it will dynamically compile the payload into the assembly being executed. However, if the file is above the 1MB file size limit then it will show an error.<\/p>\n\n\n\n

For all file methods the payload will be created through the aggressor script. However, if a payload is already created users can select to use the Custom (Prebuilt)<\/code> option to move and execute it.<\/p>\n\n\n\n

The kit contains different file movement techniques, execution triggers, and payload types.<\/p>\n\n\n\n

File movement is considered the method used for getting a file to a remote host File movement types:<\/strong><\/p>\n\n\n\n