
User Guide
Cobalt Strike 4.6

Copyright Terms and Conditions
Copyright HelpSystems LLC and its group of companies.
The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide. The
unauthorized use and/or duplication of this material without express and written permission from HelpSystems is strictly prohibited.
Excerpts and links may be used, provided that full and clear credit is given to HelpSystems with appropriate and specific direction to
the original content. HelpSystems and its trademarks are properties of the HelpSystems group of companies. All other marks are
property of their respective owners.
202204130817

Welcome to Cobalt Strike 8
Overview 8
Installation and Updates 9
Starting the Team Server 16
Starting a Cobalt Strike Client 16
Distributed and Team Operations 18
Scripting Cobalt Strike 20
Running the Client on MacOS X 21
User Interface 22
Overview 22
Toolbar 23
Session and Target Visualizations 24
Tabs 26
Consoles 27
Tables 28
Data Management 28
Overview 28
Targets 29
Services 29
Credentials 30
Maintenance 30
Listener and Infrastructure Management 31
Overview 31
Listener Management 31
Cobalt Strike’s Beacon Payload 33
Payload Staging 33
DNS Beacon 33
HTTP Beacon and HTTPS Beacon 37
SMB Beacon 41
User Guide www.helpsystems.com page: 3
Table of Contents

TCP Beacon 43
External C2 45
Foreign Listeners 46
Infrastructure Consolidation 47
Payload Security Features 48
Initial Access 49
Client-side System Profiler 49
Application Browser 49
Cobalt Strike Web Services 50
User-driven Attack Packages 50
Hosting Files 54
User-driven Web Drive-by Attacks 55
Client-side Exploits 58
Clone a Site 59
Spear Phishing 59
Payload Artifacts and Anti-virus Evasion 62
The Artifact Kit 63
The Veil Evasion Framework 64
Java Applet Attacks 65
The Resource Kit 65
The Sleep Mask Kit 66
Post Exploitation 66
Beacon Covert C2 Payload 66
The Beacon Console 66
The Beacon Menu 67
Asynchronous and Interactive Operations 68
Running Commands 68
Session Passing 69
Alternate Parent Processes 70
Spoof Process Arguments 70
Blocking DLLs in Child Processes 71
Upload and Download Files 71
File Browser 71
The Windows Registry 72
Keystrokes and Screenshots 73
Controlling Beacon Jobs 73
The Process Browser 73
Desktop Control 74
Privilege Escalation 76
Mimikatz 78
Credential and Hash Harvesting 79
Port Scanning 79
Network and Host Enumeration 80
Trust Relationships 81
Lateral Movement 82
Lateral Movement GUI 82
Other Commands 83
Browser Pivoting 84
Overview 84
Setup 85
Use 86
How Browser Pivoting Works 87
Pivoting 87
What is Pivoting 87
SOCKS Proxy 87
Reverse Port Forward 88
Spawn and Tunnel 89
Pivot Listeners 90
Covert VPN 91
SSH Sessions 92
The SSH Client 92
Running Commands 93
Upload and Download Files 93
Peer-to-peer C2 94