What is the primary goal of the ‘Lateral Movement’ tactic (TA0008)?
The adversary attempts to gain access to other computers on the network.
Lateral movement techniques in Cobalt Strike typically rely on legitimate remote management protocols using _____ credentials.
administrative
What are the two base primitives Cobalt Strike provides for executing commands on a target?
The jump and remote-exec commands.
What is the purpose of the jump command in Cobalt Strike?
It is a one-stop-shop that automates all steps required to execute a new Beacon payload on a target.
List the four automated steps performed by Cobalt Strike’s jump command.
It uploads a payload, remotely executes it, connects to the new session, and deletes the payload from the target.
What is the general syntax for the Cobalt Strike jump command?
The syntax is jump [exploit] [target] [listener].
Which Cobalt Strike jump technique uses a service to run a PowerShell one-liner?
The psexec_psh technique.
Which Cobalt Strike jump technique runs a PowerShell script via WinRM?
The winrm or winrm64 technique.
What is the purpose of the remote-exec command in Cobalt Strike?
It provides a broader capability for executing remote commands, requiring the operator to perform individual steps for lateral movement.
What is the general syntax for the Cobalt Strike remote-exec command?
The syntax is remote-exec [method] [target] [command].
What are the three remote execution methods available for the remote-exec command by default?
The methods are psexec, winrm, and wmi.
What is the underlying protocol that the Windows Remote Management (WinRM) technique uses?
WinRM is Microsoft’s implementation of the WS-Management protocol.
What is a major operational security advantage of using the WinRM lateral movement technique?
It executes a payload entirely within memory, without requiring it to be dropped to disk.
In what user context does a Beacon session established via WinRM run?
The Beacon runs in the context of the current or impersonated user.
Which default remote-exec method is the only one that returns command output?
The winrm method is the only one that returns output.
The PsExec lateral movement technique is named after a tool from which software suite?
It is named after a tool from the Sysinternals Suite.
What Windows component does the PsExec technique leverage to execute processes remotely?
It uses the Service Control Manager (SCM).
By default, PsExec is the only built-in technique that performs remote _____.
injection
Describe the process the special service binary payload uses during a PsExec jump.
It spawns a new temporary process, injects Beacon shellcode into it, and then closes itself so the service can be deleted.
In what user context will a Beacon executed via PsExec always run?
Beacons executed via PsExec will always run as SYSTEM.
Why is the PsExec technique generally considered ‘loud’ from an OPSEC perspective?
New service creations are relatively rare events and are often monitored.
How can Cobalt Strike’s jump and remote-exec commands be extended with custom techniques?
They can be extended via Aggressor Script.
What is the SCShell project in the context of Cobalt Strike?
It is a custom lateral movement technique that implements a variation of PsExec.
How does the SCShell technique differ from the default PsExec technique?
SCShell temporarily modifies an existing service to run a payload, whereas PsExec creates a new service.
-
Module 144
-
Module 243
-
Module 360
-
Module 466
-
Module 550
-
Module 660
-
Module 762
-
Module 856
-
Module 918
-
Module 1052
-
Module 1153
-
Module 1250
-
Module 1336
-
Module 1441
-
Module 1567
-
Module 1653
-
Module 1728
-
Module 1851
-
Module 1954
-
Module 2022
-
Cobalt Strike User Guide161
-
Cobalt Strike Installation Guide37
