The capability is cleaned up after it finishes running.
dllload, elevate svc-exe, elevate uac-token-duplication, getsystem, jump psexec, jump psexec64, jump psexec_psh, kerberos_ccache_use, kerberos_ticket_purge, kerberos_ticket_use, net domain, reg query, reg queryv, remote-exec psexec, runasadmin uac-cmstplua, runasadmin uac-token-duplication, timestomp
Post-Exploitation Jobs (Fork&Run)
A Beacon Object File is a compiled C program, written to a certain convention, that executes within a Beacon session. The following commands are implemented as internal Beacon Object Files. Specify a jitter value (0-99) to force Beacon to randomly modify its sleep time. Use sleep 0 to force Beacon to call home many times each second. Change how often the beacon calls home. Use runu if you want to run a command under a parent in another desktop session. This may break several of Beacon's features and workflows. Type ppid by itself to reset to default behavior. Do not specify a parent PID in another desktop session.
The runas command is not affected, but most other commands are. Use specified PID as parent for processes Beacon launches. You may only use one imported script at a time. Import a PowerShell script which is combined with future calls to the powershell command. Sends data with the same technique as the other DNS mode. This channel carries 189 bytes per request versus 4 bytes for a DNS A record request. Sends data as DNS requests with data encoded inside of the hostname. Use this option to communicate with DNS when TXT records are not an option. List long-running post-exploitation tasks. Lists file downloads currently in progress. During a checkin Beacon posts its host metadata and dumps logged keystrokes. Wildcards are OK. Forces DNS Beacon to connect to you.
Use argue to disable this feature for the specified command. This option does not affect runu/spawnu, runas/spawnas, or post-ex jobs. Spoof for processes launched by Beacon. Some of these commands (e.g., clear, downloads, help, mode, note) do not generate a task for Beacon to execute. The following commands are built into Beacon and exist to configure Beacon or perform house-keeping actions. Specify an IP address or an IP address and session PID to disconnect a specific Beacon. Disconnect from a named pipe or TCP Beacon. Change the sleep time with the sleep command to reduce latency.
Traffic will not relay while Beacon is asleep. Use socks stop to stop the SOCKS4a server and terminate existing connections. This server will relay connections through this Beacon. Starts a SOCKS4a server on the specified port. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections. rportfwd Binds the specified port on the target host. Show current working directory of this beacon. Move source file to the specified destination. This command does not validate the credentials you provide and it has no effect on local actions.
Link to the beacon at the specified IP address. Clone the current access token and set it up to pass the specified username and password when you interact with network resources. Stop a long-running post-exploitation task. Prints the User ID associated with the current token. Go to View > Downloads to see it. Enable as many system privileges as possible on current token.