Running Commands

Runs a command from the command history. You can view history via the history command.

!! runs the most recent command from the command history. Equivalent to running !-1 or ! -1.

![number] or ! [number] runs a specific command from the command history:

• Including a positive number will run the command at that position in the command history (e.g., !1 runs the command at position 1 in history).

• Including a negative number will run the command that many commands back in the command history (e.g., !-1 runs the previous command).

![string] or ! [string] finds the most recent command in the history that starts with the string and run it.

!?[string] or ! ?[string] finds the most recent command in the command history that contains the string and runs it.

Spoofs [fake arguments] for [command] processes launched by Beacon.

This option does not affect runu/spawnu, runas/spawnas, or post-ex jobs.

Use argue [command] to disable this feature for the specified command.

Use argue by itself to list programs with defined spoofed arguments.

Functions for managing beacon configuration.

Use beacon_config to view and update beacon status and configuration.

The beacon_config commands are:

Use help beacon_config [command] for more information.

Change the use of beacon_gate at runtime to disable/enable the functionality.

Launches child processes with a binary signature policy that blocks non-Microsoft DLLs from loading into the child process.

Use blockdlls stop to disable this behavior.

This feature requires Windows 10 or later, or Windows Server 2012 or later.

Cancels a download that is currently in progress. Wildcards are OK.

Forces DNS Beacon to connect to you. During a checkin, Beacon posts its host metadata and dumps logged keystrokes.

Clears beacon queue.

Use data-store load to load post-ex items to Beacon. If the name is omitted, then the file name is used. The data store supports Beacon Object Files (bof) and .NET assemblies (dotnet). It is also possible to add arbitrary files to the data store (file). This provides a mechanism to upload data and then query it via BOFs using APIs such as BeaconStoreGetItem().

Use data-store unload to remove a specific post-ex item from the store.

Use data-store list to print the post-ex items currently available in the data store.

Lists any file downloads that are currently in progress.

Opens the file browser tab for this beacon. Starts in the current directory.

Use help to display a list of commands with short descriptions. The default layout (#list or #groups) is set in preferences.

Use help [command] to display the long-form description of a specified command.

Additional options:

• #list or #groups - Used to override the default layout from preferences.

• @[group-id] - Used to display a selected group (#groups layout only).

• -[contains-filter] - Used to filter the listed commands (#list or #groups layout).

group-id values:

• Special values - @builtin, @userdefined

• Predefined values - @housekeeping, @native, @postexdll, @bof

• User defined values - @[id] (you can define as needed, see aggressor function: beacon_command_group)

Example:

Show help using the "groups" layout for "native" group filtering to list commands that contain the text "spawn":

help #groups -spawn @native

Shows the command history.

Use history with the [number] argument to only show that number of most recent commands.

Use history without the [number] argument to list all the commands in the history.

Use history without the all argument to list all the commands in the history.

Lists long-running post-exploitation tasks.

Sets Beacon's mode to exchange data with the end-user. This only has an effect on a DNS beacon.

• mode dns - Gets tasks with DNS A record requests. Use this option to communicate with DNS when TXT records are not an option. Sends data as DNS requests with data encoded inside of the hostname.

• mode dns6 - Gets tasks with DNS AAAA record requests. Use this option to communicate with DNS when TXT records are not an option. Sends data as DNS requests with data encoded inside of the hostname.

• mode dns-txt - Gets tasks with DNS TXT record requests. This channel carries 189 bytes per request versus 4 bytes for a DNS A record request. Sends data with the same technique as the other DNS mode.

Assigns a note to this Beacon.

Imports a PowerShell script which is combined with future calls to the PowerShell command. You can only use one imported script at a time.

Uses the specified PID as a parent for processes Beacon launches. The runas command is not affected, but most other commands are.

Type ppid by itself to reset to default behavior.

Opens the process browser tab for this beacon.

Changes how often the beacon calls home. Use sleep 0 to force Beacon to call home many times each second.

Specify a jitter value (0-99) to force Beacon to randomly modify its sleep time.

When setting long sleep periods, use the sleep <number of days>d <number of hours>h <number of minutes>m <number of seconds>s <jitter>j format.

Example:

Sets a sleep period of 2 hours and 30 minutes with a jitter value of 15%. This can be achieved using:

sleep 9000 15 or sleep 2h 30m 15j

Both commands set the same sleep period of 9000 seconds with a jitter value of 15%.

The sleep 2h 30m 15j option allows you to set the sleep period without requiring mathematics to convert the period into seconds.

Sets the executable that Beacon spawns x86 and x64 shellcode into. You must specify a full-path. Environment variables are OK (e.g., %windir%\sysnative\rundll32.exe)

Do not reference %windir%\system32\ directly. This path is different depending on whether or not Beacon is x86 or x64. Use %windir%\sysnative\ and %windir%\syswow64\ instead.

Beacon will map %windir%\syswow64\ to system32 when WOW64 is not present.

Changes the syscall method at runtime. Valid method types are: None, Direct, and Indirect.

syscall-method without any arguments will query the current syscall method.

Lists the available command line variables. Command line variables will be replaced with the appropriate values when commands run.

Show the Windows error code for a Windows error code number.

Changes the directory on the host.

Connects to a TCP Beacon and re-establishes control of it. All requests for the connected Beacon will go through this Beacon.

Use unlink to disconnect from a TCP Beacon.

Copies a source file to the specified destination.

Opens the process and injects a Reflective DLL.

Downloads a file. To see the file, go to View -> Downloads.

Lists drives on the current system.

Executes the program. Does not block or return output.

Executes a local .NET process assembly on target. This command loads the CLR in a temporary process and loads the assembly into it. If the assembly is in the data store, this command will use the loaded item automatically. For more information (help data-store).

The optional PATCHES: argument can modify functions in memory for the process. Up to four patch-rule rules can be specified (space delimited).

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

• library - 1-260 characters

• function - 1-256 characters

• offset - 0-65535 (The offset from the start of the executable function)

• hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Terminates the beacon session.

Enables as many system privileges as possible on current token.

Gets the User ID associated with the current token.

Opens the process and injects shellcode for the listener.

Runs a Beacon Object File in this Beacon session. A Beacon Object File is a C program, compiled as an object file, written to use conventions specified in the Cobalt Strike documentation. If the Beacon Object File is in the data store, this command will use the loaded item automatically. For more information, use help data-store.

Stops a long-running post-exploitation task.

Kills the specified process.

Connects to an SMB Beacon and re-establishes control of it. All requests for the connected Beacon will go through this Beacon. Specify an explicit [pipe] to link to that pipename. The default pipe from the current profile is used otherwise.

Lists all files in a folder.

Clones the current access token and sets it up to pass the specified username and password when you interact with network resources. This command does not validate the credentials you provide and it has no effect on local actions.

Makes a directory.

Moves the source file to the specified destination.

Executes the command using PowerShell. Any cmdlets from the last use of powershell-import are available here too.

Shows a list of processes.

Displays the current working directory of this Beacon.

Reverts to your original access token

Removes a file or folder.

Binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections.

Binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port, via your Cobalt Strike client, and use Beacon to relay traffic between the two connections.

Executes a program on the target (returns output).

Attempts to execute a program as another user. If you do not specify DOMAIN, Beacon will try to authenticate as a local user.

This command will usually fail if you are in a SYSTEM context.

Attempts to execute a program with the specified PID as its parent. This program will run with the identity of the specified PID.

Sets an environment variable.

Executes the command using cmd.exe.

Opens the process and injects shellcode into it.

Spawns a process and injects shellcode into it.

Starts a SOCKS4a (default) or SOCKS5 server on the specified port. This server will relay connections through this Beacon.

SOCKS5 servers can be configured with NoAuth authentication (default), User/Password authentication, and some additional logging.

SOCKS5 Servers currently do not support GSSAPI authentication, UDP Association, and IPV6.

Use socks stop to stop the SOCKS servers and terminate existing connections.

Traffic will not relay while Beacon is asleep. Change the sleep time with the sleep command to reduce latency.

Spawns an x86 or x64 process and inject shellcode for the listener.

Attempts to spawn a payload as another user. If you do not specify DOMAIN, Beacon will try to authenticate as a local user.

This command will usually fail if you are in a SYSTEM context. Use make_token to create a token to pass the desired credentials instead.

Attempts to spawn a session with the specified PID as its parent. This session will run with the identity of the specified PID.

This is the spawn-and-tunnel command, which spawns an agent and creates a reverse port-forward tunnel to its controller.

This is the spawn-and-tunnel command, which spawns an agent and creates a reverse port-forward tunnel through your Cobalt Strike client to its controller.

Steals an access token from a process.

OpenProcessToken access mask suggested values:

• blank = default (TOKEN_ALL_ACCESS)

• 0 = TOKEN_ALL_ACCESS

• 11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values:

• STANDARD_RIGHTS_REQUIRED . . . . : 983040

• TOKEN_ASSIGN_PRIMARY . . . . . . : 1

• TOKEN_DUPLICATE . . . . . . . . : 2

• TOKEN_IMPERSONATE . . . . . . . : 4

• TOKEN_QUERY . . . . . . . . . . : 8

• TOKEN_QUERY_SOURCE . . . . . . . : 16

• TOKEN_ADJUST_PRIVILEGES . . . . : 32

• TOKEN_ADJUST_GROUPS . . . . . . : 64

• TOKEN_ADJUST_DEFAULT . . . . . . : 128

• TOKEN_ADJUST_SESSIONID . . . . . : 256

For more information, see Trust Relationships.

Use token-store steal to steal an access token and store it in the token store.

Use token-store steal-and-use to steal an access token, store it, and then immediately apply it to the current beacon.

Use token-store use to use an access token from the token store.

Use token-store show to print the access tokens currently available in the token store.

Use token-store remove to remove specific access tokens from the store.

Use token-store remove-all to remove all access tokens from the store.

OpenProcessToken access mask suggested values:

• blank = default (TOKEN_ALL_ACCESS)

• 0 = TOKEN_ALL_ACCESS

• 11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values:

• STANDARD_RIGHTS_REQUIRED . . . . : 983040

• TOKEN_ASSIGN_PRIMARY . . . . . . : 1

• TOKEN_DUPLICATE . . . . . . . . : 2

• TOKEN_IMPERSONATE . . . . . . . : 4

• TOKEN_QUERY . . . . . . . . . . : 8

• TOKEN_QUERY_SOURCE . . . . . . . : 16

• TOKEN_ADJUST_PRIVILEGES . . . . : 32

• TOKEN_ADJUST_GROUPS . . . . . . : 64

• TOKEN_ADJUST_DEFAULT . . . . . . : 128

• TOKEN_ADJUST_SESSIONID . . . . . : 256

For more information, see Trust Relationships.

Disconnects from a named pipe or TCP Beacon.

Specify an IP address or an IP address and session PID to disconnect a specific Beacon.

Uploads a file to host.

Sets up a Browser Pivot into the specified process. To hijack authenticated web sessions, make sure the process is an Internet Explorer tab. These processes have iexplore.exe as their parent process.

Use browserpivot stop to tear down the browser pivoting sessions associated with this Beacon.

Injects into the specified process to recover credential material from Google Chrome.

Use chromedump with no [pid] and [arch] arguments to spawn a temporary process to recover credential material from Google Chrome.

This command will use mimikatz to recover the credential material and should be run under a user context.

Deploys a Covert VPN to the target's system. You must have administrator privileges for the client to work.

Setup an [interface] through Cobalt Strike -> VPN Interfaces. The [ip address] is the IP address of the target interface you want to deploy the VPN client to.

Injects into the specified process to extract the NTLM password hashes.

Use dcsync with no [pid] and [arch] arguments to spawn a temporary process to extract the NTLM password hashes.

This command uses mimikatz to extract the NTLM password hash for domain users from the domain controller. Specify a user to get their hash only.

This command requires a domain administrator trust relationship.

Injects a VNC server onto the target and connects to it. You may specify whether the session is high- or low-quality.

Executes a local .NET process assembly on target. This command loads the CLR in a temporary process and loads the assembly into it. If the assembly is in the data store, this command will use the loaded item automatically. For more information, run help data-store.

The optional PATCHES: argument can modify functions in memory for the process. Up to four patch-rule rules can be specified (space-delimited).

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

• library - 1-260 characters

• function - 1-256 characters

• offset - 0-65535 (The offset from the start of the executable function)

• hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Injects the hashdump tool into the specified process.

Use hashdump with no arguments to spawn a temporary process and inject the hashdump tool into it.

The hashdump tool will dump password hashes (warning: Injects into LSASS).

This command requires administrator privileges. If injecting into a pid that process requires administrator privileges.

Injects a keystroke logger into the specified process.

Use keylogger with no arguments to spawn a temporary process and inject the keystroke logger into it.

To terminate this task, use jobs to find the job ID and then use jobkill to kill the job.

Injects into the specified process to dump plaintext credentials and NTLM hashes.

Use logonpasswords with no [pid] and [arch] arguments to spawn a temporary process to dump plaintext credentials and NTLM hashes.

This command uses mimikatz and requires administrator privileges.

Injects into the specified process to run a mimikatz command.

Use mimikatz with no [pid] and [arch] arguments to spawn a temporary process to run a mimikatz command.

Use ! to make mimikatz elevate to SYSTEM before it runs your command. Some commands require this.

Use @ to make mimikatz impersonate Beacon's thread token before it runs your command. This is helpful for mimikatz commands that interact with remote systems (e.g., lsadump::dcsync)

Use ; to separate multiple mimikatz commands. The maximum length of the commands is 511 characters.

Injects the network and host enumeration tool into the specified process.

Use net with no [pid] and [arch] arguments to spawn a temporary process and inject the network and host enumeration tool into it.

Beacon's network and host enumeration tool. The built-in net commands are:

Use help net [command] for more information.

Injects into the specified process to run a port scan against the specified hosts.

Use portscan with no [pid] and [arch] arguments to spawn a temporary process to run a port scan against the specified hosts.

[targets] is a comma separated list of hosts to scan. You may also specify IPv4 address ranges (e.g., 192.168.1.128-192.168.2.240, 192.168.1.0/24).

[ports] is a comma separated list or ports to scan. You may specify port ranges as well (e.g., 1-65535).

The [arp|icmp|none] options dictate how the port scanning tool will determine if a host is alive. The ARP option uses ARP to see if a system responds to the specified address. The ICMP option sends an ICMP echo request. The none option tells the portscan tool to assume all hosts are alive.

The [max connections] option limits how many connections the port scan tool will attempt at any one time. The portscan tool uses asynchronous I/O and can handle a large number of connections at once. A higher value will make the portscan go much faster (default is 1024).

Executes the command using Unmanaged PowerShell. Any cmdlets from the last use of powershell-import are available here, too.

The optional PATCHES: argument can modify functions in memory for the process. Up to four patch-rule rules can be specified (space-delimited).

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

• library - 1-260 characters

• function - 1-256 characters

• offset - 0-65535 (The offset from the start of the executable function)

• hex-patch-value - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Injects a screenshot tool into the specified process.

Use printscreen with no arguments to spawn a temporary process and inject the screenshot tool into it.

printscreen forces a PrintScr keypress, grabs the screenshot from the clipboard, and then exits. This command will clear the clipboard contents after its done.

No long-running variant of this exists because destroying the clipboard periodically is not a good OPSEC practice.

Injects Unmanaged PowerShell into a specific process and executes the specified command. Any cmdlets from the last use of powershell-import are available here too.

Injects into the specified process to generate and impersonate a token.

Use pth with no [pid] and [arch] arguments to spawn a temporary process to generate and impersonate a token.

This command uses mimikatz to generate and impersonate a token that uses the specified DOMAIN, user, and NTLM hash as single sign-on credentials. Beacon will pass this hash when you interact with network resources.

Injects a screenshot tool into the specified process.

Use screenshot with no arguments to spawn a temporary process and injects the screenshot tool into it.

screenshot takes a picture of the visible desktop and exits.

Injects a screen watcher tool into the specified process.

Use screenwatch with no arguments to spawn a temporary process and inject the screen watch tool into it.

screenwatch sends a screenshot of the user's desktop (one per Beacon check-in) until terminated. If the user is idle, the screen watch tool will take a new screenshot every three minutes.

To terminate this task, use jobs to find the job ID and then use jobkill to kill the job.

Injects into the specified process to run an SSH client and attempts to log in to the specified target.

Use ssh with no [pid] and [arch] arguments to spawn a temporary process to run an SSH client and attempt to log in to the specified target.

Injects into the specified process to run an SSH client and attempts to log in to the specified target.

Use ssh-key with no [pid] and [arch] arguments to spawn a temporary process to run an SSH client and attempt to login to the specified target.

The key file needs to be in the PEM format. If the file is not in the PEM format, make a copy of the file and then convert the copy with the following command:

/usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p

Prints detailed information about the beacon's runtime state such as its base address, allocated memory regions, allocated section details, heap records, and sleep mask information.

Useful for inspecting the current memory layout of Beacon.

Attempts to get the text clipboard contents.

Loads a DLL into the specified remote process via LoadLibrary(). The DLL must exist on the target.

Attempts to spawn an elevated session with the specified exploit.

Type elevate by itself to see a list of available local exploits.

Attempts to get SYSTEM.

Attempts to spawn a session on a remote target with the specified exploit.

Type jump by itself to see a list of available remote exploits.

Applies a Kerberos ticket to this session from a ccache file.

Purges Kerberos tickets from this session.

Applies a Kerberos ticket to this session.

Use query to query a key within the registry. Lists all subkeys and values.

Use queryv to query a subkey within the registry. Lists only the subkey and its value.

Use HKLM, HKCR, HKCC, HKCU, or HKU for the root

Specify x86|x64 to force a specific view of the registry.

Runs a [command] on [target] via [method].

Type remote-exec by itself to see a list of methods.

Attempts to run the specified command in an elevated context.

Type runasadmin by itself to see a list of available local exploits.