Cobalt Strike tutorial series 3: Beacon details

0x01 Beacon details

0x01.1 Beacon command

After working through tutorial 2 (configure a Listener and get the target to execute the payload/backdoor we generated), the target host shows up as online in the client.

Right-click the target host and choose Interact to open its Beacon console; this is where we execute our commands.

==In Cobalt Strike the default heartbeat is 60 s (that is, the sleep time is 60 s, so the target host only talks to the team server once per minute). This makes command execution and other operations feel slow, and it is especially noticeable when downloading files, so the sleep time is usually reduced. In a real engagement, however, do not make it too small, otherwise the traffic becomes very conspicuous.==

Beacon is not a cmd shell, so many commands cannot be typed in directly. For example, in cmd you view the IP address by typing ipconfig, but in Beacon you must type shell ipconfig. Don't trip up on this!

The commands that can be used directly in Beacon are as follows:

help: view help for all of Beacon's built-in commands; to see the usage of a specific command, eg: help checkin
note: attach a note (label) to the current host, eg: note chicken1
cd: change directory on the target system. Backslashes in Windows paths may need to be doubled, or you can use '/' instead, eg: cd c:\
mkdir: create a new directory, eg: mkdir d:\beacon
rm: delete a file or directory, eg: rm d:\beacon
upload: upload a file to the target system
download: download the specified file from the target system, eg: download C:\payload.txt
cancel: cancel a download task. For example, if a file is very large and the download is taking too long, use this command to cancel it part way through
shell: execute the specified cmd command on the target system, eg: shell whoami
getuid: show which user the current Beacon session runs as on the target; if necessary, escalate privileges
pwd: print the current working directory on the target system
ls: list all files and directories in the current directory
drives: list all drive letters on the target system
ps: list all processes currently running on the target system
kill: kill the specified process by PID, eg: kill 6453
sleep: set the sleep (callback) interval of the controlled end. By default the callback interval is 60 s; sleep 10 changes it to 10 s, and an optional second argument sets a jitter percentage that randomises the interval, eg: sleep 60 20. In practice do not make it too fast or it is easily spotted; generally a callback interval of around 80 s is used
jobs: list all background tasks. Some tasks take a while to run; the list shows the id of each task so that you can deal with a specific one
jobkill: if a task has not finished for a long time or is misbehaving, use this command to end it directly, eg: jobkill 3456
clear: clear Beacon's internal task queue
checkin: force the controlled end (the Beacon) to check in once
exit: terminate the current Beacon session
ctrl + k: clear the console screen
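The heartbeat discussion above and the `sleep` entry in the list make one security-relevant point: a Beacon that checks in at a fixed interval is easy to spot in proxy logs. The following is an added example, not code from the original page or from Cobalt Strike itself. It models the cadence produced by `sleep <seconds> [jitter%]` (the jitter model, subtracting a random 0..jitter% of the interval, is an assumption about how Beacon randomises its sleep, not a statement of its exact implementation), renders the check-ins as constructed proxy log lines, and then runs a simple beaconing detector over them that flags flows whose request spacing is too regular.

```python
"""Added example: simulate Beacon check-in cadence and detect it in proxy logs.

The log lines are constructed, not real Cobalt Strike traffic, and the jitter
model below is an assumption about Beacon's behaviour, not its actual code.
"""
import random
import statistics
from datetime import datetime, timedelta

LOG_FMT = "%Y-%m-%dT%H:%M:%S"
DEMO_START = datetime(2020, 2, 4, 9, 0, 0)  # arbitrary start time for the demo


def checkin_times(start, sleep_s, jitter_pct=0, count=30, seed=7):
    """Simulate `sleep sleep_s jitter_pct`: one check-in per sleep interval."""
    rng = random.Random(seed)
    times, t = [], start
    for _ in range(count):
        times.append(t)
        # Assumed jitter model: shorten the interval by up to jitter_pct percent.
        delay = round(sleep_s - rng.uniform(0, sleep_s * jitter_pct / 100.0))
        t += timedelta(seconds=delay)
    return times


def proxy_lines(times, src="10.0.0.5", dst="198.51.100.7", path="/updates.rss"):
    """Render check-ins as constructed proxy log lines: '<ts> <src> <dst> GET <path> 200'."""
    return [f"{t.strftime(LOG_FMT)} {src} {dst} GET {path} 200" for t in times]


def group_by_flow(lines):
    """Parse the constructed log format and bucket timestamps per (src, dst, path)."""
    flows = {}
    for line in lines:
        ts, src, dst, _method, path, _status = line.split()
        flows.setdefault((src, dst, path), []).append(datetime.strptime(ts, LOG_FMT))
    return flows


def cadence(times):
    """Inter-request gap statistics: median gap and coefficient of variation (CV).

    A CV of 0 means perfectly regular spacing (no jitter). Returns None when there
    are too few requests to judge.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return {
        "requests": len(times),
        "median_gap": statistics.median(gaps),
        "cv": round(statistics.pstdev(gaps) / mean, 3) if mean else 0.0,
    }


def flag_beacons(lines, min_requests=10, max_cv=0.1):
    """Flag flows whose request spacing is too regular for human browsing."""
    hits = {}
    for flow, times in group_by_flow(lines).items():
        stats = cadence(times)
        if stats and stats["requests"] >= min_requests and stats["cv"] <= max_cv:
            hits[flow] = stats
    return hits


def demo():
    """Three constructed flows: `sleep 5`, the default `sleep 60`, and `sleep 60 30`."""
    fast = proxy_lines(checkin_times(DEMO_START, 5))
    default = proxy_lines(checkin_times(DEMO_START, 60), path="/news.xml")
    jittered = proxy_lines(checkin_times(DEMO_START, 60, 30), dst="203.0.113.9")
    return flag_beacons(fast + default + jittered)


if __name__ == "__main__":
    for flow, stats in demo().items():
        print(flow, stats)
```

Both the `sleep 5` and the un-jittered default flow come out with a CV of exactly 0 and are flagged; the jittered flow's CV rises, but its median gap still sits between 42 s and 60 s, so a detector that keys on the median interval (or simply on request volume per hour) would still reveal the configured sleep. That is why the text recommends neither a very short sleep nor relying on sleep alone.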

The full Beacon command list (from the Beacon help output, translated) is as follows:

    Command                   Description
    -------                   -----------
    browserpivot              Set up a browser pivot (inject into the victim's browser process)
    bypassuac                 Bypass UAC
    cancel                    Cancel a download in progress
    cd                        Change directory
    checkin                   Force the controlled end (Beacon) to check in once
    clear                     Clear Beacon's internal task queue
    connect                   Connect to a Beacon peer over TCP
    covertvpn                 Deploy the Covert VPN client
    cp                        Copy a file
    dcsync                    Extract password hashes from a DC
    desktop                   Remote VNC (view and interact with the desktop)
    dllinject                 Reflective DLL injection into a process
    dllload                   Load a DLL into a process with LoadLibrary()
    download                  Download a file
    downloads                 List file downloads in progress
    drives                    List drive letters on the target
    elevate                   Attempt privilege escalation (spawn an elevated session)
    execute                   Execute a program on the target (no output)
    execute-assembly          Execute a local .NET program in memory on the target
    exit                      Terminate the Beacon session
    getprivs                  Enable system privileges on the current token
    getsystem                 Attempt to get SYSTEM
    getuid                    Get the user ID
    hashdump                  Dump password hashes
    help                      Help
    inject                    Spawn a session in a specific process
    jobkill                   Kill a background task
    jobs                      List background tasks
    kerberos_ccache_use       Import a ticket from a ccache file and apply it to this session
    kerberos_ticket_purge     Purge the tickets of the current session
    kerberos_ticket_use       Import a ticket from a ticket file and apply it to this session
    keylogger                 Keylogger
    kill                      Kill a process
    link                      Connect to a Beacon peer over a named pipe
    logonpasswords            Dump credentials and hashes with mimikatz
    ls                        List files
    make_token                Create a token to pass credentials
    mimikatz                  Run a mimikatz command
    mkdir                     Create a directory
    mode dns                  Use DNS A records as the communication channel (DNS Beacon only)
    mode dns-txt              Use DNS TXT records as the communication channel (DNS Beacon only)
    mode dns6                 Use DNS AAAA records as the communication channel (DNS Beacon only)
    mode http                 Use HTTP as the communication channel
    mv                        Move a file
    net                       Network and host enumeration (net command)
    note                      Attach a note to this Beacon
    portscan                  Port scan
    powerpick                 Execute a command via Unmanaged PowerShell
    powershell                Execute a command via powershell.exe
    powershell-import         Import a PowerShell script
    ppid                      Set the parent PID for spawned post-ex jobs
    ps                        Show the process list
    psexec                    Use a service to spawn a session on a host
    psexec_psh                Use PowerShell to spawn a session on a host
    psinject                  Execute a PowerShell command in a specific process
    pth                       Pass-the-hash using mimikatz
    pwd                       Print the current directory
    reg                       Query the registry
    rev2self                  Revert to the original token
    rm                        Delete a file or folder
    rportfwd                  Reverse port forwarding
    run                       Execute a program on the target (returns output)
    runas                     Execute a program as another user
    runasadmin                Execute a program in an elevated context
    runu                      Execute a program under another PID
    screenshot                Take a screenshot
    setenv                    Set an environment variable
    shell                     Execute a command via cmd.exe
    shinject                  Inject shellcode into a process
    shspawn                   Spawn a process and inject shellcode into it
    sleep                     Set the sleep delay time
    socks                     Start a SOCKS4a proxy
    socks stop                Stop the SOCKS4a proxy
    spawn                     Spawn a session
    spawnas                   Spawn a session as another user
    spawnto                   Set the executable to spawn processes into
    spawnu                    Spawn a session under another PID
    ssh                       Connect to a remote host with SSH
    ssh-key                   Connect to a remote host with an SSH key
    steal_token               Steal a token from a process
    timestomp                 Apply the timestamps of one file to another file
    unlink                    Disconnect from the parent Beacon
    upload                    Upload a file
    wdigest                   Dump plaintext credentials with mimikatz
    winrm                     Use WinRM to spawn a session on a host
    wmi                       Use WMI to spawn a session on a host
    argue                     Spoof process arguments

Tags: Session shell ssh DNS

Posted on Tue, 04 Feb 2020 04:14:17 -0500 by shwathi