Privilege Escalation

Some post-exploitation commands require system administrator-level rights. Beacon includes several options to help you elevate your access including the following:

NOTE:

Type help in the Beacon console to see available commands. Type help followed by a command name to see detailed help.

Elevate with an Exploit

elevate - This command lists privilege escalation exploits registered with Cobalt Strike.

elevate [exploit] [listener] - This command attempts to elevate with a specific exploit.

You may also launch one of these exploits through [beacon] -> Access -> Elevate.

Choose a listener, select an exploit, and press Launch to run the exploit. This dialog is a front-end for Beacon's elevate command.

figure 60 - Elevate

You may add privilege escalation exploits to Cobalt Strike through the Elevate Kit. The Elevate Kit is an Aggressor Script that integrates several open source privilege escalation exploits into Cobalt Strike. https://github.com/rsmudge/ElevateKit.

runasadmin - This command by itself, lists command elevator exploits registered with Cobalt Strike.

runasadmin [exploit] [command + args] - This command attempts to run the specified command in an elevated context.

Cobalt Strike separates command elevator exploits and session-yielding exploits because some attacks are a natural opportunity to spawn a session. Other attacks yield a “run this command” primitive. Spawning a session from a “run this command” primitive puts a lot of weaponization decisions (not always favorable) in the hands of your tool developer. With runasadmin, it’s your choice to drop an executable to disk and run it, to run a PowerShell one-liner, or to weaken the target in some way.

If you’d like to use a PowerShell one-liner to spawn a session, go to [beacon] -> Access -> One- liner.

A screenshot of a cell phone  Description automatically generated

figure 61 - PowerShell One-liner

This dialog will setup a localhost-only webserver within your Beacon session to host a payload stage and return a PowerShell command to download and run this payload stage.

This webserver is one-use only. Once it’s connected to once, it will clean itself up and stop serving your payload.

If you run a TCP or SMB Beacon with this tool, you will need to use connect or link to assume control of the payload manually. Also, be aware that if you try to use an x64 payload—this will fail if the x86 PowerShell is in your $PATH.

Cobalt Strike does not have many built-in elevate options. Exploit development is not a focus of the work at Fortra. It is easy to integrate privilege escalation exploits via Cobalt Strike’s Aggressor Script programming language though. To see what this looks like, download the Elevate Kit (https://github.com/cobalt-strike/ElevateKit). The Elevate Kit is an Aggressor Script that integrates several open source privilege escalation exploits into Cobalt Strike.

Elevate with Known Credentials

runas [DOMAIN\user] [password] [command]- This runs a command as another user using their credentials. The runas command will not return any output. You may use runas from a non- privileged context though.

spawnas [DOMAIN\user] [password] [listener] - This command spawns a session as another user using their credentials. This command spawns a temporary process and injects your payload stage into it.

You may also go to [beacon] -> Access -> Spawn As to run this command as well.

With both of these commands, be aware that credentials for a non-SID 500 account will spawn a payload in a medium integrity context. You will need to use Bypass UAC to elevate to a high integrity context. Also, be aware, that you should run these commands from a working folder that the specified account can read.

Get SYSTEM

getsystem - This command impersonates a token for the SYSTEM account. This level of access may allow you to perform privileged actions that are not possible as an Administrator user.

Another way to get SYSTEM is to create a service that runs a payload. The elevate svc-exe [listener] command does this. It will drop an executable that runs a payload, create a service to run it, assume control of the payload, and cleanup the service and executable.

UAC Bypass

Microsoft introduced User Account Control (UAC) in Windows Vista and refined it in Windows 7. UAC works a lot like sudo in UNIX. Day-to-day a user works with normal privileges. When the user needs to perform a privileged action—the system asks if they would like to elevate their rights.

Cobalt Strike ships with a few UAC bypass attacks. These attacks will not work if the current user is not an Administrator. To check if the current user is in the Administrators group, use run whoami /groups.

elevate uac-token-duplication [listener] - This command spawns a temporary process with elevated rights and inject a payload stage into it. This attack uses a UAC-loophole that allows a non-elevated process to launch an arbitrary process with a token stolen from an elevated process. This loophole requires the attack to remove several rights assigned to the elevated token. The abilities of your new session will reflect these restricted rights. If Always Notify is at its highest setting, this attack requires that an elevated process is already running in the current desktop session (as the same user). This attack works on Windows 7 and Windows 10 prior to the November 2018 update.

runasadmin uac-token-duplication [command] - This is the same attack described above, but this variant runs a command of your choosing in an elevated context.

runasadmin uac-cmstplua [command] - This command attempta to bypass UAC and run a command in an elevated context. This attack relies on a COM object that automatically elevates from certain process contexts (Microsoft signed, lives in c:\windows\*).

Privileges

getprivs - This command enables the privileges assigned to your current access token.

 

Related Topics