Process Browser

The Process Browser does the obvious; it tasks a Beacon to show a list of processes and shows this information to you. Go to [beacon] -> Explore -> Show Processes to open the Process Browser.

You can also issue the command, process_browser, to open the process browser tab starting in the current directory.

figure 58 - Process Browser

The left-hand side shows the processes organized into a tree. The current process for your Beacon is highlighted yellow.

The right-hand side shows the process details. The Process Browser is also a convenient place to impersonate a token from another process, deploy the screenshot tool, or deploy the keystroke logger.

Highlight one or more processes and press the appropriate button at the bottom of the tab.

If you highlight multiple Beacons and task them to show processes, Cobalt Strike will show a Process Browser that also states which host the process comes from. This variant of the Process Browser is a convenient way to deploy Beacon’s post-exploitation tools to multiple systems at once.

Simply sort by process name, highlight the interesting processes on your target systems, and press the Screenshot or Log Keystrokes button to deploy these tools to all highlighted systems.

 

Related Topics