Shulou(Shulou.com)06/02 Report--

How to use the Beacon command in Cobaltstrike4.0. In view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible way.

1. A host in the internal network has been controlled in the previous section.

Right-click the controlled host, select Interact, and enter the interaction mode. The default is 60s to update the interaction.

Third, select Session--Sleep, and change the interaction time to 5 seconds, which is convenient to see the effect.

4. Check the current directory, pwd

5. View file details, shell dir

7. Other related orders

Browserpivot injection victim browser process

Bypassuac bypasses UAC

Cancel cancels the download in progress

Cd changes directories

Checkin forces the accused to connect back once.

Clear clears the task queue within beacon

Connect Connect to a Beacon peerover TCP

Covertvpn deploys Covert VPN client

Cp copy Fil

Dcsync extracts password hash from DC

Desktop remote VNC

Dllinject reflection DLL injection process

Dllload uses LoadLibrary to load DLL into the process

Download download file

Downloads lists file downloads in progress

Drives lists the target drive letter

Elevate attempts to claim rights

Execute executes the program on the target (no output)

Execute-assembly executes local .NET programs in memory on the target

Exit exits beacon

Getprivs Enable system privileges oncurrent token

Getsystem attempts to get SYSTEM permission

Getuid gets user ID

Hashdump dump password hash value

Help help

Inject generates a session in a specific process

Jobkill kills a background task.

Jobs lists background tasks

Kerberos_ccache_use imports tickets from the ccache file to apply to this session

Kerberos_ticket_purge clears the ticket for the current session

Kerberos_ticket_use imports tickets from the ticket file to apply to this session

Keylogger keyboard recording

Kill ends the process

Link Connect to a Beacon peerover a named pipe

Logonpasswords uses mimikatz to dump credentials and hash values

Ls lists files

Make_token creates tokens to pass credentials

Mimikatz runs mimikatz

Mkdir creates a directory

Mode dns uses DNS An as the communication channel (DNS beacon only)

Mode dns-txt uses DNS TXT as the communication channel (D beacon only)

Mode dns6 uses DNS AAAA as the communication channel (DNS beacon only)

Mode http uses HTTP as a communication channel

Mv moves files

Net net command

Note remarks

Portscan performs port scan

Powerpick executes commands through Unmanaged PowerShell

Powershell executes commands through powershell.exe

Powershell-import Import powershell script

Ppid Set parent PID forspawned post-ex jobs

Ps displays a list of processes

Psexec Use a service to spawn asession on a host

Psexec_psh Use PowerShell to spawn asession on a host

Psinject executes PowerShell commands in a specific process

Pth uses Mimikatz to pass hashes

Pwd current directory location

Reg Query the registry

Rev2self restores the original token

Rm deletes a file or folder

Rportfwd Port Forwardin

Run executes the program on the target (returns output)

Runas executes the program with another user right

Runasadmin executes programs with high privileges

Runu Execute a program underanother PID

Screenshot screenshot

Setenv sets environment variables

Shell cmd executes command

Shinject injects shellcode into the process

Shspawn generation process and injecting shellcode into it

Sleep sets sleep delay time

Socks starts the SOCKS4 agent

Socks stop stop SOCKS4

Spawn Spawn a session

Spawnas Spawn a session as anotheruser

Spawnto Set executable tospawn processes into

Spawnu Spawn a session underanother PID

Ssh uses ssh to connect to remote hosts

Ssh-key uses a key to connect to a remote host

Steal_token steals tokens from the process

Timestomp applies a file timestamp to another file

Unlink Disconnect from parentBeacon

Upload uploads files

Wdigest Diploma Certificate using mimikatz transfer

Winrm uses WinRM to generate sessions on the host

Wmi uses WMI to generate sessions on the host

Argue process parameter spoofing

This is the answer to the question about how to use the Beacon command in Cobaltstrike4.0. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel to learn more about it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.