Cobalt Strike Guide. #4 Post Exploitation Hidden Beacon

15 June 2023 31 minutes Author: Lady Liberty

Cobalt Strike Post Exploitation and Stealth Beacon Guide

Want to learn about the powerful post-exploitation capabilities and hidden Beacon usage in Cobalt Strike? Our guide provides detailed training and practical guidance to effectively use these features in this framework. In our Cobalt Strike guide, we’ll focus on post-exploitation, the phase that occurs after successfully penetrating a target system. You will learn how to use various methods and techniques to collect information, extend privileges, create persistent access, and ensure long-term presence in the system. Special attention will be paid to the hidden Beacon – a mechanism that allows you to create an invisible and undetectable connection with the attacker. We’ll look at different methods of installing and managing Beacon, as well as ways to hide it from antivirus and intranet threat detection systems.

Our guide offers concrete examples and step-by-step instructions on how to use post-exploitation features and hidden Beacon in Cobalt Strike. We’ll teach you strategies and techniques that will help you avoid detection and ensure you operate effectively in highly secure systems. With our Cobalt Strike tutorial, you’ll gain the in-depth knowledge and skills to master post-exploitation and hidden Beacon in this powerful cybersecurity framework. Access the Cobalt Strike Post Exploitation and Stealth Beacon guide today and become a true expert in the world of cyber security.

Post-exploitation

Hidden Beacon

Beacon is Cobalt Strike's payload for modelling the actions of advanced attackers. Use Beacon to egress a network over HTTP, HTTPS, or DNS. You can also limit which hosts egress the network by controlling peer-to-peer Beacons over Windows named pipes and TCP sockets.

Beacon is flexible and supports both asynchronous and interactive communication. Asynchronous communication is "low and slow": Beacon calls home to the C&C server, downloads its tasks, and then goes quiet on the network. Interactive communication happens in real time.

Beacon's network indicators are malleable. Redefine Beacon's communication with Cobalt Strike's Malleable C2 language. This lets you cloak Beacon activity so that it looks like other malware or blends in with legitimate traffic.

Beacon console

Right-click a beacon session and select interact to open its console. The console is the main user interface of a Beacon session.

The Beacon console lets you see which tasks have been issued to the Beacon and when it downloaded them. It is also where command output and other information are displayed.

Figure 33.  Beacon console

Between the Beacon console's input and output is the status bar. This status bar contains information about the current session. In the default configuration, it shows the target's NetBIOS name, the username and PID of the current session, and the time Beacon last checked in.

Every command issued to the Beacon, whether through the GUI or the console, is shown in this window. If a command is issued by a teammate, Cobalt Strike prefixes the command with their handle.

Chances are, you'll spend most of your time with Cobalt Strike in the Beacon console. It's worth spending time getting to know its commands. Type help in the Beacon console to see the available commands. Type help followed by a command name for detailed help on that command.

Beacon menu

Right-click on a Beacon or inside its console to open the Beacon menu. This is the same menu used to open its console.

The following items are available:

The Access menu contains options for manipulating trust relationships and increasing the level of access.

The Explore menu contains options for gathering information and interacting with the target system.

In the Pivoting menu, you can configure tools for tunneling traffic through Beacon.

In the Session menu, you can manage the current beacon session.

Figure 34. Beacon menu

Some of Cobalt Strike's visualizations (the session graph and the sessions table) let you select multiple Beacons at once. Most actions performed through this menu apply to all selected Beacon sessions.

Asynchronous and interactive operations

Remember that Beacon is an asynchronous payload. Commands are not executed immediately. Each command goes into a queue. When Beacon checks in (connects to you), it downloads the queued commands and executes them one by one. At the same time, Beacon reports any output it has collected. If you make a mistake, use the clear command to clear the command queue for the current Beacon.

By default, Beacon checks in every sixty seconds. You can change this with the sleep command. Use the sleep command followed by a time in seconds to specify how often Beacon should check in. You may also specify a second number between 0 and 99. This number is the jitter factor. Beacon varies the timing of each check-in by the random percentage you specify as the jitter factor. For example, sleep 300 20 makes Beacon sleep for 300 seconds with a 20% jitter percentage. This means Beacon will sleep for a random value between 240 and 300 seconds after each check-in.

To make Beacon check in multiple times per second, use sleep 0. This is interactive mode. In this mode, commands are executed immediately. You must make your Beacon interactive before you tunnel traffic through it. Several Beacon commands (e.g. browserpivot, desktop, etc.) automatically put Beacon into interactive mode at the next check-in.
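The check-in window that the sleep and jitter settings produce is simple to compute, and the same arithmetic gives a defender a detection handle: jittered check-ins vary by at most the jitter percentage, whereas human-driven traffic to a destination varies wildly. The following is an added example written for this guide, not Cobalt Strike's own code; the log format and all addresses are constructed.

```python
# Added example (not Cobalt Strike code): the check-in window produced by `sleep N J`,
# and a network-side heuristic that spots traffic with that tight, jittered rhythm.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean


def checkin_window(sleep_seconds: int, jitter_percent: int) -> tuple:
    """Return (min, max) seconds between check-ins for `sleep <sleep_seconds> <jitter_percent>`.
    As the guide states, `sleep 300 20` yields a random interval between 240 and 300 seconds."""
    if sleep_seconds < 0 or not 0 <= jitter_percent <= 99:
        raise ValueError("sleep must be >= 0 and jitter must be between 0 and 99")
    # Integer arithmetic first so that 300 with 20% jitter gives exactly 240.0.
    low = sleep_seconds * (100 - jitter_percent) / 100
    return (low, float(sleep_seconds))


def looks_like_beaconing(timestamps, min_events=5, max_relative_spread=0.3) -> bool:
    """True when the gaps between consecutive events cluster tightly around their mean.
    Jittered check-ins spread by at most jitter% of the sleep time; interactive user
    traffic produces gaps that differ by orders of magnitude."""
    if len(timestamps) < min_events:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return (max(gaps) - min(gaps)) / avg <= max_relative_spread


# Constructed proxy log lines: "<timestamp> <client> <destination:port>". Not real data.
# 10.0.0.5 checks in with gaps of 300, 255, 282, 240, 297 and 263 seconds (sleep 300 20).
SAMPLE_LOG = """\
2023-06-15T10:00:00 10.0.0.5 203.0.113.7:443
2023-06-15T10:00:04 10.0.0.9 198.51.100.20:443
2023-06-15T10:05:00 10.0.0.5 203.0.113.7:443
2023-06-15T10:09:15 10.0.0.5 203.0.113.7:443
2023-06-15T10:13:57 10.0.0.5 203.0.113.7:443
2023-06-15T10:15:04 10.0.0.9 198.51.100.20:443
2023-06-15T10:17:57 10.0.0.5 203.0.113.7:443
2023-06-15T10:22:54 10.0.0.5 203.0.113.7:443
2023-06-15T10:27:17 10.0.0.5 203.0.113.7:443
2023-06-15T10:15:46 10.0.0.9 198.51.100.20:443
2023-06-15T10:15:49 10.0.0.9 198.51.100.20:443
2023-06-15T10:35:49 10.0.0.9 198.51.100.20:443
2023-06-15T10:37:06 10.0.0.9 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def flag_beaconing_pairs(log_text: str) -> list:
    """Group connections by (client, destination), sort the times, and return the pairs
    whose rhythm looks like a jittered beacon."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole pass
        ts, client, dest = m.groups()
        series[(client, dest)].append(datetime.fromisoformat(ts).timestamp())
    return sorted(pair for pair, times in series.items()
                  if looks_like_beaconing(sorted(times)))


if __name__ == "__main__":
    print("window for sleep 300 20:", checkin_window(300, 20))
    print("beaconing pairs:", flag_beaconing_pairs(SAMPLE_LOG))
```

The relative-spread threshold of 0.3 is a tuning choice: a jitter of 20% on a 300-second sleep gives a spread of about 0.22, so it is caught, while the second client's gaps (3 to 1200 seconds) are not. In practice the heuristic is run per destination over longer windows and combined with other signals, since legitimate software updaters also poll on fixed schedules.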

Execution of commands

The shell command asks Beacon to execute a command via cmd.exe on the compromised host. When the command completes, Beacon presents its output to you. Use the run command to execute a program without cmd.exe. The run command also returns the program's output. The execute command runs a program in the background and does not capture its output.

Use the powershell command to run a command with PowerShell on the compromised host. Use the powerpick command to run a PowerShell cmdlet without powershell.exe. This command relies on the Unmanaged PowerShell technique developed by Lee Christensen. The powershell and powerpick commands use your current token. The psinject command injects Unmanaged PowerShell into a specific process and runs your cmdlet from there.

The powershell-import command imports a PowerShell script into Beacon. Subsequent uses of the powershell, powerpick, and psinject commands have access to the cmdlets from the imported script. Beacon holds only one imported PowerShell script at a time. Import an empty file to clear the imported script from Beacon.

The execute-assembly command runs a local .NET executable as a Beacon post-exploitation job. You can pass arguments to this assembly as if it were run from a Windows command line. This command also inherits your current token.

If you want Beacon to execute commands from a specific directory, use the cd command in the Beacon console to switch the working directory of the Beacon process. The pwd command tells you which directory you are currently working from. The setenv command sets an environment variable.

Beacon can execute Beacon object files without spawning a new process. Beacon object files are compiled C programs, written to a specific convention, that execute within a Beacon session. Use inline-execute [arguments] to execute a Beacon object file with the given arguments.

Session transfer

Cobalt Strike's Beacon was originally designed as a stable lifeline to maintain access to a compromised host. From day one, Beacon's primary purpose has been to pass accesses to other Cobalt Strike listeners.

Use the spawn command to spawn a session for a listener. The spawn command accepts an architecture (e.g. x86, x64) and a listener as its arguments.

By default, the spawn command spawns a session in rundll32.exe. An alert administrator may find it strange that rundll32.exe periodically connects to the Internet. Find a better program (such as Internet Explorer) and use the spawnto command to state which program Beacon should spawn for its sessions.

The spawnto command requires you to specify the architecture (x86 or x64) and the full path to the application you want to spawn. Type spawnto and press Enter to tell the beacon to revert to its default behavior.

Type inject followed by a process id and a listener name to inject a session into a specific process. Use ps to get a list of processes on the current system. Use inject [pid] x64 to inject a 64-bit Beacon into an x64 process.

The spawn and inject commands both inject a payload stage into memory. If the payload stage is an HTTP, HTTPS, or DNS Beacon and it can't reach you, you won't see a session. If the payload stage is a bind TCP or SMB Beacon, these commands automatically try to connect to and control those payloads.

Use the dllinject [pid] command to inject a reflective DLL into a process.

Use the shinject [pid] [arch] [/path/to/file.bin] command to inject shellcode from a local file into a process on the target. Use shspawn [arch] [/path/to/file.bin] to spawn the "spawn to" process and inject the specified shellcode into that process.

Use dllload [pid] [c:\path\to\file.dll] to load a DLL from disk into another process.

Alternate parent processes

Use ppid [pid] to assign an alternate parent process to programs run by your Beacon session. This helps your activity blend in with the normal activity on the target. The current Beacon session must have rights to the alternate parent process, and it is best if the alternate parent process exists in the same desktop session as your Beacon. Type ppid with no arguments to have Beacon launch processes without a spoofed parent.

The runu command executes a command with another process as its parent. The command runs with the rights and desktop session of the alternate parent process. The current Beacon session must have full rights to the alternate parent process. The spawnu command spawns a temporary process, as a child of the specified process, and injects a payload stage into it. The spawnto value determines which program is used as the temporary process.

Spoofing process arguments

Each Beacon has an internal list of commands for which it should spoof arguments. When Beacon runs a command that matches the list, it:

  1. Starts the specified process in a suspended state (with the fake arguments)

  2. Updates the process memory with the real arguments

  3. Resumes the process

The result is that host tools that log process starts see the fake arguments. This helps hide your real activity.

Use argue [command] [fake arguments] to add a command to this internal list. The [command] part may contain an environment variable. Use argue [command] to remove a command from this internal list. Use argue with no arguments to list the commands in this internal list.

The process-matching logic is exact. If Beacon tries to launch "net.exe", it will not match net, NET.EXE, or c:\windows\system32\net.exe in its internal list. It matches net.exe only. An x86 Beacon can only spoof arguments in x86 child processes. Likewise, an x64 Beacon can only spoof arguments in x64 child processes.

The real arguments are written into the memory area that holds the fake arguments. If the real arguments are longer than the fake ones, the command fails.
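The detection counterpart of this technique follows from the guide's own description: telemetry taken at process creation records the fake command line, while a later read of the running process returns the real one, so the two sources disagree. The following added example, written for this guide rather than taken from Cobalt Strike, cross-checks constructed process-creation records against a constructed snapshot of live processes; the record layout and the pids are assumptions.

```python
# Added example (not Cobalt Strike code): compare the command line recorded at process
# start with the command line read later from the live process. A mismatch is the
# signal that the arguments were rewritten after the start event was logged.


def normalize(cmdline: str) -> str:
    """Collapse whitespace and case so cosmetic differences do not raise false alarms."""
    return " ".join(cmdline.split()).lower()


def fits_fake_buffer(logged: str, live: str) -> bool:
    """The guide states the real arguments are written over the fake ones and the command
    fails if they are longer. A mismatch where the live command line is longer than the
    logged one therefore cannot have been produced this way (likely a correlation error)."""
    return len(live) <= len(logged)


def find_spoofed_arguments(start_events, live_processes):
    """Return one finding per pid whose live command line differs from the one recorded
    at creation. `start_events` are dicts from a process-creation source (pid, image,
    cmdline); `live_processes` are dicts from a later scan of running processes
    (pid, cmdline). Both inputs are constructed for this example."""
    live_by_pid = {p["pid"]: p["cmdline"] for p in live_processes}
    findings = []
    for ev in start_events:
        live = live_by_pid.get(ev["pid"])
        if live is None:
            continue  # process already exited; nothing to compare against
        if normalize(live) != normalize(ev["cmdline"]):
            findings.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "logged": ev["cmdline"],
                "live": live,
                "consistent_with_overwrite": fits_fake_buffer(ev["cmdline"], live),
            })
    return findings


# Constructed sample data (hypothetical pids and command lines).
START_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe session list /v /display:full /all"},   # long fake arguments
    {"pid": 4122, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig.exe /all"},
    {"pid": 4130, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami.exe"},                                      # already exited
]
LIVE_PROCESSES = [
    {"pid": 4120, "cmdline": "net.exe user"},        # real arguments fit the fake buffer
    {"pid": 4122, "cmdline": "IPCONFIG.EXE  /all"},  # same command, cosmetic differences
]


if __name__ == "__main__":
    for f in find_spoofed_arguments(START_EVENTS, LIVE_PROCESSES):
        print(f"pid {f['pid']} ({f['image']}): logged {f['logged']!r}, live {f['live']!r}")
```

The comparison is only meaningful while the child process is alive, which is why the `jobs`-style short-lived processes the guide describes are hard to catch this way; a process-creation sensor that reads the command line a second time after a short delay, rather than only at creation, closes that gap.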

Blocking DLLs in child processes

Use blockdlls start to ask Beacon to launch child processes with a binary signature policy that blocks non-Microsoft DLLs from the process space. Use blockdlls stop to disable this behavior. This feature requires Windows 10.

Uploading and downloading files

download – This command downloads the requested file. You do not need to quote a filename that contains spaces. Beacon is built for "low and slow" exfiltration of data. At each check-in, Beacon downloads a fixed-size chunk of each file it is tasked to retrieve. The size of this chunk depends on the current data channel. HTTP and HTTPS channels retrieve data in 512 KB chunks.

downloads – Use this command to see the list of file downloads in progress for this Beacon.

cancel – Type this command followed by a filename to cancel a download in progress. You may use wildcards in this command to cancel the download of multiple files.

upload – This command uploads a file to the host.

timestomp – When you upload a file, you may sometimes want to update its timestamps so that it blends in with the other files in the same folder. This command helps you do that. Use the timestomp command to apply the modified, accessed, and created times of one file to another.

Go to View -> Downloads in Cobalt Strike to see the files your team has downloaded so far. Only completed downloads appear on this tab.

Downloaded files are stored on the C&C server. To bring files back to your system, select them and click Sync Files. Cobalt Strike then downloads the selected files to a folder of your choice on your system.

File Browser

The File Browser is a tool for inspecting files on a compromised system. Go to [beacon] -> Explore -> File Browser to open it.

You can also run the file_browser command to open a File Browser tab starting from the current directory.

The File Browser requests a listing of Beacon's current working directory. When this result arrives, the File Browser opens.

The left-hand side of the File Browser is a tree that organizes the known drives and folders into one view. The right-hand side of the File Browser shows the contents of the current folder.

Figure 35. File Browser

Each File Browser caches the folder listings it receives. A colored folder indicates that the folder's contents are in this File Browser's cache. You can navigate to cached folders without creating a new file-listing request. Press Refresh to ask Beacon to refresh the contents of the current folder.

A dark-gray folder indicates that the folder's contents are not in this File Browser's cache. Click on a folder in the tree to have Beacon generate a listing of that folder's contents (and update the cache). Double-click a dark-gray folder in the current-folder view on the right to do the same.

To go up one folder, press the folder button next to the file path above the folder details on the right. If the parent folder is in this File Browser's cache, you will see the results immediately. If the parent folder is not in the cache, a task is created to list the parent folder's contents.

Right-click a file to download or delete it. To see which drives are available, click List Drives.

File system commands

You can also use the console to browse and manage the file system on the Beacon host.

Use the ls command to list the files in the current directory. Use the mkdir command to create a directory. The rm command removes a file or folder. The cp command copies a file to a destination. The mv command moves a file.

Windows registry

Use reg_query [x86|x64] [Hive\path\to\key] to query the registry for a specific key. This command prints the values of that key and lists all of its sub-keys. The x86/x64 parameter is required and forces Beacon to use the WOW64 (x86) view or the native view of the registry. reg_query [x86|x64] [Hive\path\to\key] [value] queries a specific value within a registry key.

Keystrokes and screenshots

Beacon's keystroke logger and screenshot tools are designed to inject into another process and report their results back to your Beacon.

To start the keystroke logger, use keylogger [pid] x86 to inject it into an x86 process. Use keylogger [pid] x64 to inject it into an x64 process. Use keylogger with no arguments to inject the keystroke logger into a temporary process. This tool monitors keystrokes from the injected process and reports them to Beacon until the process terminates or you kill the keystroke logger job.

Be aware that multiple keystroke loggers may conflict with one another. Use only one keystroke logger per desktop session.

To take a screenshot, use screenshot [pid] x86 to inject the screenshot tool into an x86 process. Use screenshot [pid] x64 to inject it into an x64 process. This variant of the screenshot command takes one screenshot and exits. The screenshot command with no arguments injects the screenshot tool into a temporary process.

The screenwatch command (with the same options to use a temporary process or inject into an existing process) takes screenshots continuously until you stop it.

Use the printscreen command (again with temporary-process or inject options) to take a screenshot by another method. This command uses the PrintScr keystroke to place a screenshot on the user's clipboard. The tool then recovers the screenshot from the clipboard and reports it to you.

When Beacon receives new screenshots or keystrokes, it posts a message to the console. The screenshots and keystrokes themselves are not available through this console. Go to View -> Keystrokes to see the keystrokes logged across all Beacon sessions. Go to View -> Screenshots to browse the screenshots from all Beacon sessions. Both of these dialogs update as new information arrives. These dialogs make it easy for one operator to monitor keystrokes and screenshots across all Beacon sessions.

Beacon job management

Some Beacon features run as jobs in another process (for example, the keystroke logger and the screenshot tool). These jobs run in the background and report their output as it becomes available. Use the jobs command to see which jobs are running in your Beacon. Use jobkill [job number] to kill a job.

Process Browser

The Process Browser does the obvious thing: it tasks Beacon to list processes and shows that information to you. Go to [beacon] -> Explore -> Show Processes to open the Process Browser. You can also run the process_browser command to open a Process Browser tab for the current session.

Figure 36. Process Browser

The left-hand side shows the processes organized as a tree. The current process of your Beacon is highlighted in yellow.

The right-hand side shows details of the selected process. The Process Browser also serves as a handy place to impersonate another process's token or to deploy the screenshot tool or the keystroke logger.

Select one or more processes and click the corresponding button at the bottom of the tab.

If you select multiple Beacons and task them to show processes, Cobalt Strike displays a Process Browser that also indicates which host each process came from.

This version of the Process Browser is a convenient way to deploy post-exploitation tools to multiple systems at once.

Simply sort by process name, highlight the processes of interest on the target systems, and press the Screenshot or Log Keystrokes button to deploy these tools to all selected systems.

Desktop control

To interact with the desktop on a target host, go to [beacon] -> Explore -> Desktop (VNC). This stages a VNC server into the memory of the current process and tunnels the connection through Beacon.

When the VNC server is ready, Cobalt Strike opens a Desktop HOST@PID tab. You may also use the desktop command to inject a VNC server into a specific process. Use desktop [pid] [arch] [low|high]. The last argument sets the quality of the VNC session.

Figure 37. Desktop viewer tool

There are several buttons at the bottom of the desktop tab. These include:

If you can't type in the Desktop tab, check the state of the Ctrl and Alt buttons. When either of these buttons is pressed, all keystrokes are sent with the Ctrl or Alt modifier. Press Ctrl or Alt again to disable this behavior. Also make sure the View Only button is not pressed. To prevent accidental mouse movement, the View Only button is pressed by default.

Privilege escalation

Some post-exploitation commands require administrator privileges. Beacon includes several options to help you elevate your privileges, such as:


elevate – This command lists the privilege escalation exploits registered with Cobalt Strike.

elevate [exploit] [listener] – This command attempts to elevate privileges with a specific exploit.

You may also launch one of these exploits through [beacon] -> Access -> Elevate.

Choose a listener, select the exploit, and press Run to launch it. This dialog is the front-end to the elevate command.

You can add privilege escalation exploits to Cobalt Strike with the Elevate Kit. The Elevate Kit is an Aggressor Script that integrates several open-source privilege escalation exploits into Cobalt Strike: https://github.com/rsmudge/ElevateKit.

runasadmin – With no arguments, this command lists the command elevator exploits registered with Cobalt Strike.

runasadmin [exploit] [command + arguments] – This command attempts to run the specified command in an elevated context.

Cobalt Strike separates command elevators from session-spawning exploits because some attacks naturally yield a session, while others only give you an "execute this command" primitive. Spawning a session from an "execute this command" primitive puts many tradecraft decisions (not always favorable ones) in the hands of the tool developer.

With runasadmin, it is your choice whether to drop an executable to disk and run it, run a PowerShell one-liner, or weaken the target in some way.

If you want to use a PowerShell one-liner to spawn a session, go to [beacon] -> Access -> One-liner.

Figure 38. PowerShell One-liner

This dialog sets up a localhost-only web server within the Beacon session to host a payload stage and returns a PowerShell command that downloads and runs that payload.

This web server is single-use only. After it is connected to once, it cleans itself up and stops serving your payload.

If you run a TCP or SMB Beacon with this tool, you will need to use connect or link to assume control of the payload manually. Also be aware that an x64 payload will not work if x86 PowerShell is in your $PATH.

Cobalt Strike does not ship with many built-in privilege escalation options. Exploit development is not the primary focus of HelpSystems. However, it is easy to integrate privilege escalation exploits into Cobalt Strike with the Aggressor Script programming language. To see what this looks like, download the Elevate Kit (https://github.com/cobalt-strike/ElevateKit). The Elevate Kit is an Aggressor Script that integrates several open-source privilege escalation exploits into Cobalt Strike.

Elevating privileges with known credentials

runas [DOMAIN\user] [password] [command] – Runs a command as another user using their credentials. The runas command does not return any output. You may use runas from a non-privileged context.

spawnas [DOMAIN\user] [password] [listener] – This command spawns a session as another user using their credentials. It spawns a temporary process and injects your payload stage into it.

You can also go to [beacon] -> Access -> Spawn As to execute this command.

With both commands, be aware that credentials for an account that does not carry SID 500 will spawn the payload in a medium-integrity context. To elevate those credentials to a high-integrity context, you must use a Bypass UAC attack. Also remember that these commands must be run from a working folder that the specified account can read.

Getting SYSTEM

getsystem – This command allows you to impersonate the SYSTEM account token.

This level of access lets you perform privileged actions that are not available to Administrator users.

Another way to get SYSTEM is to create a service that runs the payload. Do this with elevate svc-exe [listener]. This command drops an executable that runs the payload, creates a service to run it, assumes control of the payload, and then cleans up the service and the executable.

Bypass UAC

Microsoft introduced User Account Control (UAC) in Windows Vista and refined it in Windows 7. UAC works similarly to sudo on UNIX: day to day, the user works with normal privileges.

When the user needs to perform a privileged action, the system asks whether they want to elevate their rights.

Cobalt Strike ships with several UAC bypass attacks. These attacks do not work if the current user is not an Administrator. To check whether the current user is in the Administrators group, use run whoami /groups.

elevate uac-token-duplication [listener] – This command spawns a temporary process with elevated rights and injects a payload stage into it. This attack uses a UAC loophole that allows a non-elevated process to launch an arbitrary process with a token stolen from an elevated process. This loophole requires the attack to remove several rights assigned to the stolen token. The capabilities of your new session will reflect these restricted rights. If Always Notify is set to its highest setting, this attack requires that an elevated process (as the same user) is already running in the current desktop session. This attack works on Windows 7 and Windows 10 before the November 2018 update.

runasadmin uac-token-duplication [command] – This is the same attack described above, but this variant runs a command of your choosing in an elevated context.

runasadmin uac-cmstplua [command] – This command attempts to bypass UAC and run a command in an elevated context. The attack relies on a COM object that automatically elevates from certain process contexts (signed by Microsoft, located in c:\windows\*).

getprivs – This command enables the privileges assigned to your current access token.

Mimikatz

Beacon integrates mimikatz. Use mimikatz [pid] [arch] [module::command] <arguments> to inject into the specified process and run a mimikatz command there. Use mimikatz [module::command] <arguments> (without the [pid] and [arch] arguments) to spawn a temporary process to run the mimikatz command.

Some mimikatz commands must run as SYSTEM to work. Prefix the command with ! to force mimikatz to elevate to SYSTEM before it runs your command. For example, mimikatz !lsa::cache recovers the salted password hashes cached by the system. Use mimikatz [pid] [arch] [!module::command] <arguments> or mimikatz [!module::command] <arguments> (without the [pid] and [arch] arguments).

From time to time you may want to run a mimikatz command with Beacon's current access token. Prefix the command with @ to make mimikatz impersonate Beacon's current access token. For example, mimikatz @lsadump::dcsync runs mimikatz's dcsync command with Beacon's current access token.

Use mimikatz [pid] [arch] [@module::command] <arguments> or mimikatz [@module::command] <arguments> (without the [pid] and [arch] arguments).

Credential and hash harvesting

To dump hashes, go to [beacon] -> Access -> Dump Hashes. You may also use the hashdump [pid] [x86|x64] command from the Beacon console to inject the hashdump tool into the specified process. Use hashdump (without the [pid] and [arch] arguments) to spawn a temporary process and inject the hashdump tool into it. These commands spawn a job that injects into LSASS and dumps the password hashes of local users on the current system. This command requires administrator privileges. When injecting into a process by PID, that process also requires administrator privileges.

Use logonpasswords [pid] [arch] to inject into the specified process and dump plaintext credentials and NTLM hashes. Use logonpasswords (without the [pid] and [arch] arguments) to spawn a temporary process to dump plaintext credentials and NTLM hashes. This command uses mimikatz and requires administrator privileges.

Use dcsync [pid] [arch] [DOMAIN.fqdn] <DOMAIN\user> to inject into the specified process and pull NTLM hashes. Use dcsync [DOMAIN.fqdn] <DOMAIN\user> (without the [pid] and [arch] arguments) to spawn a temporary process to pull NTLM hashes. This command uses mimikatz to pull NTLM hashes for domain users from a domain controller. Specify a user to pull only that user's hash. This command requires a domain administrator trust relationship.

Use chromedump [pid] [arch] to inject into the specified process and recover credentials from Google Chrome. Use chromedump (without the [pid] and [arch] arguments) to spawn a temporary process to recover credentials from Google Chrome. This command uses mimikatz to recover credentials and must run in the user's context.

Credentials dumped with the commands above are collected by Cobalt Strike and stored in the credential model. Go to View -> Credentials to view the credentials held on the current C&C server.

Port scanning

Beacon has a built-in port scanner. Use portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] to inject the port scanner into the specified process and scan the specified hosts. Use portscan [targets] [ports] [arp|icmp|none] [max connections] (without the [pid] and [arch] arguments) to spawn a temporary process and scan the specified hosts from it.

The [targets] parameter is a comma-separated list of hosts to scan. You may also specify IPv4 address ranges (e.g. 192.168.1.128-192.168.2.240, 192.168.1.0/24).

The [ports] parameter is a comma-separated list of ports to scan. You may specify port ranges (e.g. 1-65535).

The target discovery option [arp|icmp|none] determines how the port scanner decides whether a host is alive. The arp option uses ARP to check for the presence of a system at an address. The icmp option sends an ICMP echo request. The none option tells the port scanner to assume that all hosts are alive.

The [max connections] parameter limits how many concurrent connection attempts the port scanner makes. The portscan tool uses asynchronous I/O and can handle a large number of connections at once. A higher value makes the port scan much faster. The default is 1024.

The port scanner runs between Beacon check-ins. When it has results to report, it sends them to the console. Cobalt Strike processes this information and updates the targets model with the hosts it discovered.

You may also go to [beacon] -> Explore -> Port Scan to launch the port scanner tool.
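The scanner's behaviour as described above gives a defender a concrete signature: one source probes a host with ARP or an ICMP echo request and then, using asynchronous I/O, opens many connections to distinct ports within a very short window. The following is an added example written for this guide, not Cobalt Strike code; it runs that logic over constructed firewall log lines whose format, addresses and thresholds are assumptions.

```python
# Added example (not Cobalt Strike code): flag port scans in constructed connection logs.
# Signal: one source touching many distinct ports on one host inside a short window,
# optionally preceded by an ICMP echo request from the same source (icmp discovery).
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines: "<time> <proto> <src> <dst[:port]> <detail>". Not real data.
SAMPLE_LOG = """\
2023-06-15T11:00:00 ICMP 10.0.0.5 10.0.0.20 echo-request
2023-06-15T11:00:01 TCP 10.0.0.5 10.0.0.20:22 SYN
2023-06-15T11:00:01 TCP 10.0.0.5 10.0.0.20:80 SYN
2023-06-15T11:00:01 TCP 10.0.0.5 10.0.0.20:135 SYN
2023-06-15T11:00:01 TCP 10.0.0.5 10.0.0.20:139 SYN
2023-06-15T11:00:02 TCP 10.0.0.5 10.0.0.20:443 SYN
2023-06-15T11:00:02 TCP 10.0.0.5 10.0.0.20:445 SYN
2023-06-15T11:00:02 TCP 10.0.0.5 10.0.0.20:3389 SYN
2023-06-15T11:00:02 TCP 10.0.0.5 10.0.0.20:5985 SYN
2023-06-15T11:00:03 TCP 10.0.0.5 10.0.0.20:8080 SYN
2023-06-15T11:00:03 TCP 10.0.0.5 10.0.0.20:8443 SYN
2023-06-15T11:00:05 TCP 10.0.0.9 10.0.0.30:443 SYN
2023-06-15T11:00:09 TCP 10.0.0.9 10.0.0.30:445 SYN
2023-06-15T11:00:40 TCP 10.0.0.9 10.0.0.30:443 SYN
2023-06-15T11:00:44 TCP 10.0.0.5 10.0.0.21:22 SYN
2023-06-15T11:00:44 TCP 10.0.0.5 10.0.0.21:443 SYN
"""

LINE_RE = re.compile(r"^(\S+) (ICMP|TCP) (\S+) (\S+?)(?::(\d+))? (\S+)$")


def parse_log(log_text: str):
    """Yield (timestamp, proto, src, dst, port-or-None) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, dst, port, _detail = m.groups()
        yield (datetime.fromisoformat(ts).timestamp(), proto, src, dst,
               int(port) if port else None)


def max_distinct_ports_in_window(events, window_seconds: float) -> int:
    """Sliding window over time-sorted (t, port) pairs: the largest number of distinct
    ports seen within any span of `window_seconds`."""
    best, start, counts = 0, 0, {}
    for t, port in events:
        counts[port] = counts.get(port, 0) + 1
        while t - events[start][0] > window_seconds:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect_port_scans(log_text: str, window_seconds=60, min_ports=8) -> dict:
    """Return {(src, dst): {"distinct_ports": n, "icmp_probe": bool}} for each pair
    whose burst of distinct destination ports reaches `min_ports` inside the window."""
    tcp = defaultdict(list)
    icmp_pairs = set()
    for t, proto, src, dst, port in parse_log(log_text):
        if proto == "ICMP":
            icmp_pairs.add((src, dst))
        else:
            tcp[(src, dst)].append((t, port))
    findings = {}
    for pair, events in tcp.items():
        events.sort()
        n = max_distinct_ports_in_window(events, window_seconds)
        if n >= min_ports:
            findings[pair] = {"distinct_ports": n, "icmp_probe": pair in icmp_pairs}
    return findings


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['distinct_ports']} ports, icmp probe: {info['icmp_probe']}")
```

With the default threshold, 10.0.0.5 scanning 10.0.0.20 is reported (10 distinct ports in three seconds, after an echo request), while the two-port conversations with 10.0.0.30 and 10.0.0.21 are not. The `none` discovery option leaves no ICMP or ARP trace, so the port-burst rule rather than the probe flag carries the detection; the `max connections` default of 1024 means the burst may be far denser than this sample.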

Network and host enumeration

Beacon's net module provides tools to interrogate and discover targets in a Windows Active Directory network.

Use net [pid] [arch] [command] [arguments] to inject the network and host enumeration tool into the specified process. Use net [command] [arguments] (without the [pid] and [arch] arguments) to spawn a temporary process and inject the network and host enumeration tool into it. The exception is the net domain command, which runs as a Beacon object file (BOF).

The commands in the net module are built on top of the Windows network enumeration APIs. Most of these commands are direct replacements for the built-in net commands in Windows (with a few unique capabilities as well).

The following commands are available:

  • computers – list of hosts in the domain (groups)

  • dclist – list of domain controllers. (fills the target model)

  • domain – displays the domain for this host

  • domain_controllers – list of DCs (domain controllers) in the domain (groups)

  • domain_trusts – list of domain trusts

  • group – list of groups and users in groups

  • localgroup – lists of local groups and users in local groups. (great for lateral movement when you need to find who is the local admin on another system)

  • logons – lists of users registered on the host;

  • sessions – a list of sessions on the host

  • share – list of shared resources on the host

  • user – list of users and information about the user

  • time – shows the time on the host

  • view – lists hosts in the domain (view service). (fills the target model)

Trust relationships

Windows single sign-on is built on the access token. When a user logs on to a Windows host, an access token is generated. This token contains information about the user and their rights. It also contains the information needed to authenticate the current user to another system on the network.

Steal or generate a token, and Windows will use its information to authenticate to a network resource. Use steal_token [pid] or steal_token [pid] <OpenProcessToken access mask> to steal an access token from an existing process.

If you want to see which processes are running, use ps. The getuid command prints your current token. To revert to your original token, use rev2self.

Possible values of the OpenProcessToken access mask:

You can set your preferred default value with .steal_token_access_mask in the Malleable C2 global options.

If you know a user's credentials, use make_token [DOMAIN\user] [password] to create a token that passes those credentials. This token is a copy of your current token with modified single sign-on information. It will still show your current username; this is expected behavior.

pth [pid] [arch] [DOMAIN\user] [ntlm hash] injects into the specified process to generate and impersonate a token. Use pth [DOMAIN\user] [ntlm hash] (without the [pid] and [arch] arguments) to spawn a temporary process to generate and impersonate the token. This command uses mimikatz to generate and impersonate a token that uses the specified domain, user, and NTLM hash.

The Make Token dialog ([beacon] -> Access -> Make Token) is the interface for these commands. It presents the contents of the credential model and uses the appropriate command to turn the selected credential into an access token.

Kerberos tickets

A golden ticket is a self-generated Kerberos ticket. Most often, the Golden Ticket is created with domain administrator rights.

Go to [beacon] -> Access -> Golden Ticket to forge a golden ticket with Cobalt Strike. Provide the following information and Cobalt Strike will use mimikatz to generate a ticket and inject it into your Kerberos tray:

  • The user for whom you want to forge a ticket.

  • The domain for which you want to forge a ticket.

  • Domain SID.

  • NTLM hash of user krbtgt on the domain controller.

Use kerberos_ticket_use [/path/to/ticket] to inject a Kerberos ticket into the current session. This allows Beacon to interact with remote systems using the rights in that ticket.

Use kerberos_ticket_purge to clear all Kerberos tickets associated with your session.
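The two sections above (token manipulation and Kerberos tickets) each leave a trace in the Windows Security log, and the detection side is what a practitioner most wants next to them. The following added example (not code from the guide or from Cobalt Strike) runs two checks over constructed Security events. The first flags 4624 logons of type 9 (NewCredentials) through the seclogo logon process, which is what explicit alternate-credential logons such as make_token, pass-the-hash and a legitimate runas /netonly produce. The second flags 4769 service-ticket requests for an account with no 4768 TGT request in the lookback window, which is how a ticket that never went through the KDC's AS exchange (a forged golden ticket) tends to show up. Field names follow the EventData names of those events; the records, hosts, accounts and lookback are constructed assumptions.

```python
"""Two detections over Windows Security events (constructed records, not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. Field names follow the EventData names of 4624/4768/4769.
EVENTS = [
    {"time": "2023-06-15T10:00:00", "id": 4624, "host": "WS01", "SubjectUserName": "alice",
     "LogonType": 2, "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
    # Explicit alternate credentials: LogonType 9 via seclogo.
    {"time": "2023-06-15T10:02:00", "id": 4624, "host": "WS01", "SubjectUserName": "alice",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    # Normal Kerberos flow: TGT request (4768) then a service ticket (4769).
    {"time": "2023-06-15T10:03:00", "id": 4768, "host": "DC01", "TargetUserName": "bob",
     "IpAddress": "10.0.0.7"},
    {"time": "2023-06-15T10:04:00", "id": 4769, "host": "DC01", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.0.0.7", "ServiceName": "cifs/fs01"},
    # Service ticket with no TGT request on record for this account.
    {"time": "2023-06-15T10:10:00", "id": 4769, "host": "DC01",
     "TargetUserName": "Administrator@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "cifs/dc01"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _account(name):
    # 4769 carries user@REALM while 4768 carries the bare name; normalise both.
    return name.split("@", 1)[0].lower()


def find_new_credential_logons(events):
    """Return [(time, host, SubjectUserName)] for 4624 LogonType 9 via seclogo.

    Legitimate runas /netonly produces the same event, so correlate with the
    initiating process and the user's normal behaviour before escalating.
    """
    hits = []
    for e in events:
        if (e.get("id") == 4624 and e.get("LogonType") == 9
                and e.get("LogonProcessName", "").lower() == "seclogo"):
            hits.append((e["time"], e["host"], e["SubjectUserName"]))
    return hits


def find_tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """Return [(time, account, client_ip, service)] for 4769 events whose account
    has no 4768 inside `lookback` before them.

    Caveat: 4768 may have been logged on a different domain controller, so feed
    this function events from all DCs and size `lookback` to the domain's TGT
    lifetime (10 hours by default).
    """
    tgt_times = defaultdict(list)  # account -> [times of 4768]
    hits = []
    for e in sorted(events, key=_ts):
        if e.get("id") == 4768:
            tgt_times[_account(e["TargetUserName"])].append(_ts(e))
        elif e.get("id") == 4769:
            acct = _account(e["TargetUserName"])
            now = _ts(e)
            if not any(now - lookback <= t <= now for t in tgt_times[acct]):
                hits.append((e["time"], acct, e["IpAddress"], e["ServiceName"]))
    return hits


if __name__ == "__main__":
    for hit in find_new_credential_logons(EVENTS):
        print("alternate-credential logon:", hit)
    for hit in find_tgs_without_tgt(EVENTS):
        print("service ticket without TGT request:", hit)
```

Both checks are heuristics rather than proofs: the first needs process context to separate an administrator's runas /netonly from token abuse, and the second only works when the collector sees every domain controller's 4768 events.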

Lateral movement

If you have a domain administrator token, or a token for a user who is a local administrator on the target, you can abuse this trust to take control of the target. Beacon has several built-in options for lateral movement.

Type jump to list the lateral movement options available in Cobalt Strike. Run jump [module] [target] [listener] to attempt to run a payload on the remote target.

Run remote-exec to get a list of remote execution modules included in Cobalt Strike. Use remote-exec [module] [target] [command + arguments] to attempt to execute the specified command on the remote target.

Lateral movement is an area, like privilege escalation, where some attacks present a natural set of primitives to spawn a session on a remote target, while others give only an execute primitive. The split between jump and remote-exec gives you the flexibility to decide how to use an execute-only primitive.

Aggressor Script has an API to add new modules for jump and remote-exec. See the aggressor script documentation (especially the beacon section) for more information.

Lateral movement using a graphical interface

Cobalt Strike also provides a graphical interface to make lateral movement easier. Switch to the Targets visualization or go to View -> Targets. Navigate to [target] -> Jump and choose the lateral movement option you want.

The following dialog box will open:

Figure 39. Lateral Movement dialog box

To use this dialog box:

First, decide what you want to use for lateral movement. If you want to use the token in one of your beacons, check the Use current access token option. If you want to use credentials or hashes for lateral movement, that will work too.

Select credentials from the credentials locker or fill in the Username, Password, and Domain fields. Beacon will use this information to generate an access token for you. Note that you must be running with a high integrity context (admin) for this to work.

Then select the Listener that will be used for lateral movement. SMB Beacon is usually a good candidate here.

And finally, choose from which session you want to perform a lateral movement. Cobalt Strike’s asynchronous attack model requires that every attack be launched from a compromised system.

This attack cannot be performed without a Beacon session. If you are on an internal engagement, consider bringing in a Windows system you control and using it as the starting point for credential or hash attacks against other systems.

Click the Start button. Cobalt Strike will activate the tab of the selected beacon and give it commands. Information about the attack will appear in the Beacon console.

Other commands

Beacon has several more commands not described above:

  • The clear command clears Beacon's task list. Use it if you make a mistake.

  • Type exit to ask Beacon to exit. Use kill [pid] to terminate a process.

  • Use timestomp to copy the modified, accessed, and created times from one file onto another.

Thanks to various open source guides.
