Skip to content

Some notes and examples for cobalt strike's functionality

License

Notifications You must be signed in to change notification settings

hacker213/Cobalt-Strike-CheatSheet

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 

Repository files navigation

Cobalt Strike CheatSheet

Some notes and examples for cobalt strike's functionality.

Cobalt

Summary

Basic Menu Explanation

  • Cobalt Strike: The first and most basic menu, it contains the functionality for connecting to a team server, set your preferences, change the view of beacon sessions, manage listeners and agressor scripts.
  • View: The view menu consists of elements that manages targets, logs, harvested credentials, screenshots, keystrokes etc. The main purpose of it is to provide an easy way to access the output of many modules, manage your loots and domain targets.
  • Attacks: This menu contains numerous client side attack generating methods like phishing mails, website cloning and file hosting. Also provides numerous ways to generate your beacon payloads or just generate shellcode and save it for later use on another obfuscation tool.
  • Reporting: It provides an easy way to generate pdf or spreadsheet files containing information about the execution of an attack, this way it assists you on organizing small reports, making the final report writing process easier.
  • Help: Basic help menu of the tool.

Listeners

  • HTTP/HTTPS: The most basic payloads for beacon, by default the listeners will listen on ports 80 and 443 with always the option to set custom ports. You have the options to set proxy settings, customize the HTTP header or specify a bind port to redirect beacon's traffic.
  • DNS: A very stealthy payload options, provides stealthier traffic over the dns protocol, you need to specify the DNS server to connect to.
  • TCP: A basic tcp listener that bound on a spesific port.
  • SMB: An amazing option for internal spread and lateral move, this payload uses named pipes over the smb protocol and is the best approach to bypass firewalls when even default ports like 80 and 443 are black listed.
  • Foreign HTTP/HTTPS: These type of listeners give us the option to pass a session from the metasploit framework to cobalt strike using either http or https payloads. A useful example is to execute an exploit module from metasploit and gain a beacon session on cobalt strike.
  • External C2: This is a special type of listener that gives the option to 3rd party applications to act as a communication medium for beacon.

Malleable C2 Profiles

In simple words a malleable c2 profile is a configuration file that defines how beacon will communicate and behave when executes modules, spawns processes and threads, injects dlls or touches disk and memory. Not only that, but it configures how the payload's traffic will look like on a pcap, the communication interval and jitter etc.

The big advantage of custom malleable c2 profiles, is that we can configure and customize our payload to match our situation and target environment, that way we make our selves more stealthy as we can blend with the environment's traffic.

Aggressor Scripts

Aggressor Script is the scripting language built into Cobalt Strike, version 3.0, and later. Aggresor Script allows you to modify and extend the Cobalt Strike client. These scripts can add additional functions on existing modules or create new ones.
Aggressor Script Tutorial

Common Commands

  • help: Listing of the available commands.
  • help <module>: Show the help menu of the selected module.
  • jobs: List the running jobs of beacon.
  • jobkill <id>: Kill selected job.
  • run: Execute OS commands using Win32 API calls.
  • shell: Execute OS commands by spawning "cmd.exe /c".
  • powershell: Execute commands by spawning "powershell.exe"
  • powershell-import: Import a local powershell module in the current beacon process.
  • powerpick: Execute powershell commands without spawning "powershell.exe", using only .net libraries and assemblies. (Bypasses AMSI and CLM)
  • drives: List current system drives.
  • getuid: Get current user uid.
  • sleep: Set the interval and jitter of beacon's call back.
  • ps: Listing processes.
  • cd: Change directory.
  • cp: Copy a local file on another local location.
  • download/upload: Download a file and upload a local file.
  • cancel: Cancel a file download.
  • reg: Query Regisrty.

Exploitation

  • browserpivot: Will hijack a web session of internet explorer and make possible for us to browse the web as the victim's browser, including it's sessions, cookies and saved passwords.
  • dcsync: Perform the DCsync attack using mimikatz.
  • desktop: Inject a VNC server on the beacon process and get a remote desktop view of the target.
  • dllinject/dllload: Inject a reflective dll into a process/Load a dll on current process.
  • execute-assembly: Loads and executes a .NET compiled assembly executable completely on memory.
  • inject: Inject a beacon payload on a specified process and spawn a new beacon session under it's security context.
  • kerberos*: Manipulate kerberos tickets.
  • ppid: Spoofs the parent process of beacon for any post-exploitation child spawning job. That way we can hide our malicious post-exploitation jobs.
  • psinject: Inject on a specified process and execute a command using powerpick's functionality.
    📓 Powershell modules imported with powershell-import are available.
  • runu: Run a command under a spoofed process PID.
  • shinject: Inject shellcode into another a running process.
  • shspawn: Create a new process and inject shellcode into it.

Privilege Escalation

  • elevate: Contains a few ways to escalate your privileges using kernel exploits and UAC bypasses
  • getsystem: Attempts to impersonate system.
  • getprivs: Same as metasploit's function, enables the available privileges on the current token.
  • runasadmin: Attempts to run a command on an elevated context using a local kernel or UAC bypass exploit.

Pivoting

  • socks: Start a socks4a proxy server and listen on a specified port.
  • covertvpn: Deploy a VPN on the current system, will create a new interface and merge it into a specified IP. Using this we can use a local interface to access the internal target network.

Lateral Movement

  • portscan: Performs a portscan on a spesific target.
  • runas: A wrapper of runas.exe, using credentials you can run a command as another user.
  • pth: By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process.
    ❗ This module needs Administrator privileges.
  • steal_token: Steal a token from a specified process.
  • make_token: By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user.
  • jump: Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target.
    ❗ The jump module will use the current delegation/impersonation token to authenticate on the remote target.
    💪 We can combine the jump module with the make_token or pth module for a quick "jump" to another target on the network.
  • remote-exec: Execute a command on a remote target using psexec, winrm or wmi.
    ❗ The remote-exec module will use the current delegation/impersonation token to authenticate on the remote target.
  • ssh/ssh-key: Authenticate using ssh with password or private key. Works for both linux and windows hosts.

Exflitration

  • hashdump: Dump the local SAM hive's NTLM hashes.
  • keylogger: Will capture keystrokes of a specified process and save them on a database.
  • screenshot: Will capture the screen of a current process and save it on the database.
  • logonpassword: Executes the well know logonpasswords function of mimikatz on the current machine.
  • mimikatz: You can execute any function of mimikatz.

Miscellaneous

  • spawn: Spawn a new beacon on the current machine, you can choose any type of listener you want.
  • spawnas: Spawn a new beacon on the current machine as another user by providing credentials.
  • spawnto: Sets the executable that beacon will use to spawn and inject shellcode into it for it's post-exploitation functionality. You must specify a full path to the executable.
  • spawnu: Attempt to spawn a session with a spoofer PID as its parent, the context of the process will match the identity of the specified PID.
  • argue: Will mask/spoof the arguments of a malicious command of our choice with legitimate ones.
  • blockdlls: This module will create and set a custom policy on beacon's child processes that will block the injection of any 3rd party dll that is not signed by microsoft, that way we can block any blue team tool that uses dll injection to inspect and kill malicious processes and actions.
  • timestomp: Tamper the timestamp of a file, by applying another file's timestamp.

About

Some notes and examples for cobalt strike's functionality

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published