Module 7

Question 1

What is the primary goal of the post-exploitation phase in a red team engagement?

Answer 1

To hunt down the operational objective by locating it, identifying who has access, and executing a plan to gain access without being detected.

Question 2

List three examples of tactics, techniques, and procedures (TTPs) used during the post-exploitation phase.

Answer 2

Local/domain reconnaissance, privilege escalation, credential dumping, user impersonation, and lateral movement are all common post-exploitation TTPs.

Question 3

In post-exploitation, what is the term for assessing the machine you have access to and its environment?

Answer 3

Situational awareness.

Question 4

What Beacon command behavior category includes commands that only change or return values stored within Beacon’s memory?

Answer 4

House-Keeping.

Question 5

The _____ command behavior category in Cobalt Strike includes the most benign commands that only call Windows APIs.

Answer 5

API-Only

Question 6

The cd, cp, ls, ps, and pwd commands are all examples of what Beacon command behavior category?

Answer 6

API-Only.

Question 7

What is a Beacon Object File (BOF)?

Answer 7

A BOF is a C program compiled without a linker that can be loaded and executed in memory by a Beacon.

Question 8

What is the primary disadvantage of using a BOF for inline execution in Beacon?

Answer 8

If the code inside the BOF crashes, the Beacon process will die along with it.

Question 9

The _____ execution pattern involves spawning a temporary process and injecting a reflective DLL into it, with output read over a named pipe.

Answer 9

Fork & Run

Question 10

What is the main trade-off of using the ‘Fork & Run’ execution pattern compared to inline execution?

Answer 10

It provides better stability for Beacon but at the expense of a larger detection surface.

Question 11

What are the two ‘flavors’ of the Fork & Run execution pattern in Cobalt Strike?

Answer 11

The two flavors are ‘spawn’ and ‘explicit’.

Question 12

How does the ‘spawn’ variant of Fork & Run differ from the ‘explicit’ variant?

Answer 12

The ‘spawn’ variant creates a new temporary process for injection, while the ‘explicit’ variant injects into a process that already exists.

Question 13

Which two arguments in a Beacon command’s help text indicate it supports the ‘explicit’ Fork & Run variant?

Answer 13

The presence of [pid] and [arch] arguments indicates support for the ‘explicit’ variant.

Question 14

The execute-assembly and powerpick commands are examples of which Fork & Run variant?

Answer 14

The ‘spawn’ variant.

Question 15

The psinject command is an example of which Fork & Run variant?

Answer 15

The ‘explicit’ variant.

Question 16

What Cobalt Strike command injects a reflective VNC DLL to gain remote control of a user’s desktop?

Answer 16

The desktop command.

Question 17

How does the VNC session initiated by the desktop command tunnel its traffic back to the team server?

Answer 17

It creates a reverse port forward on the target which the VNC DLL uses to tunnel traffic.

Question 18

What is the default interaction mode for a VNC session started with the desktop command?

Answer 18

The session is in ‘view only’ mode by default.

Question 19

Which Beacon command executes a given command using cmd.exe /c on the target?

Answer 19

The shell command.

Question 20

Which Beacon command executes a target program directly without using cmd.exe?

Answer 20

The run command.

Question 21

Why does the command dir only work with the shell command and not the run command?

Answer 21

Because dir is a command that exists only within cmd.exe and is not a separate program on disk.

Question 22

For better OPSEC, what API-only command should be used as an alternative to shell dir?

Answer 22

The ls command.

Question 23

For better OPSEC, what API-only command should be used as an alternative to shell whoami?

Answer 23

The getuid command.

Question 24

Which Beacon command executes PowerShell by invoking powershell.exe?

Answer 24

The powershell command.

Question 25

Which Beacon command uses Unmanaged PowerShell by spawning a new process and injecting a DLL into it?

Answer 25

The `powerpick` command.

Question 26

Which Beacon command injects an Unmanaged PowerShell DLL into an existing process specified by a PID?

Answer 26

The `psinject` command.

Question 27

What is the purpose of the `powershell-import` command in Cobalt Strike?

Answer 27

It imports a local PowerShell script, making its cmdlets available for use with the `powershell`, `powerpick`, and `psinject` commands.

Question 28

What is the maximum number of PowerShell scripts that can be held by Beacon using `powershell-import` at one time?

Answer 28

Beacon can only hold one imported script at a time.

Question 29

Which Beacon command is used to execute a .NET assembly from memory?

Answer 29

The `execute-assembly` command.

Question 30

What type of .NET assemblies are supported by the `execute-assembly` command?

Answer 30

Only .NET Framework assemblies are supported; .NET/.NET Core assemblies are not.

Question 31

What command is used to execute a Beacon Object File (BOF) directly?

Answer 31

The `inline-execute` command.

Question 32

What is the term for the technique of spawning new Beacon sessions from existing ones?

Answer 32

Session passing.

Question 33

What Beacon command spawns a new process and injects shellcode for a listener, running as the same user?

Answer 33

The `spawn` command.

Question 34

What Beacon command spawns a payload as an alternate user by accepting plaintext credentials?

Answer 34

The `spawnas` command.

Question 35

Why might the `spawnas` command fail with error code 267 (`ERROR_DIRECTORY`)?

Answer 35

This can be caused by Beacon's current working directory being set to a location the alternate user cannot access.

Question 36

What is the simple fix for a `spawnas` failure caused by an inaccessible working directory?

Answer 36

Change Beacon's working directory to a location the target user can read, such as `C:\`.

Question 37

Which Beacon command is used to list files and directories in the current or a specified directory?

Answer 37

The `ls` command.

Question 38

Which Beacon command is used to change the Beacon's current working directory?

Answer 38

The `cd` command.

Question 39

Which Beacon command is used to see if a machine has any additional mapped drives?

Answer 39

The `drives` command.

Question 40

In the Cobalt Strike File Browser, what does it mean if a directory is greyed out?

Answer 40

It means the directory has not yet been viewed.

Question 41

The speed at which files can be downloaded from a target depends on the C2 channel's protocol and the Beacon's _____.

Answer 41

sleep time

Question 42

Where do files downloaded from a target initially get stored?

Answer 42

They are downloaded to the team server first.

Question 43

How does an operator transfer a downloaded file from the team server to their local machine?

Answer 43

By navigating to View > Downloads, selecting the file, and clicking 'Sync Files'.

Question 44

Which command shows a summary of file downloads that are still in progress?

Answer 44

The `downloads` command.

Question 45

Which command is used to terminate a file download that is in progress?

Answer 45

The `cancel [filename]` command.

Question 46

What Beacon command is used to list running processes on the target system?

Answer 46

The `ps` command.

Question 47

What privilege level must a Beacon be running at to read the architecture, session, and user information for all processes?

Answer 47

The Beacon must be running in high-integrity.

Question 48

What is the function of the `keylogger` command in Cobalt Strike?

Answer 48

It injects a keystroke logger into a process to capture key presses made by the user who owns that process.

Question 49

The `keylogger` runs as a long-term task. What command is used to view its Job ID (JID)?

Answer 49

The `jobs` command.

Question 50

How do you terminate a running keylogger job in Cobalt Strike?

Answer 50

First, use the `jobs` command to find its JID, then use `jobkill [JID]` to stop it.

Question 51

Where is the output from the `keylogger` command viewed?

Answer 51

The output is sent to a dedicated tab accessed via View > Keystrokes.

Question 52

What command is used to read the text content of a user's clipboard on the target machine?

Answer 52

The `clipboard` command.

Question 53

Which command is used to list all subkeys and values within a given registry path?

Answer 53

The `reg query` command.

Question 54

Which command is used to read the value of a single, specific registry key?

Answer 54

The `reg queryv` command.

Question 55

Which screenshot command in Beacon works by forcing a PrintScr keypress and grabbing the image from the user's clipboard?

Answer 55

The `printscreen` command.

Question 56

Which screenshot command in Beacon uses a post-exploitation DLL to grab the screen content without using the clipboard?

Answer 56

The `screenshot` command.

Question 57

What is the purpose of the `screenwatch` command?

Answer 57

It provides a way to take continuous screenshots of the user's desktop automatically.

Question 58

The frequency of screenshots taken by the `screenwatch` command is tied directly to the Beacon's _____ time.

Answer 58

sleep

Question 59

Where in the Cobalt Strike client are screenshots from `printscreen`, `screenshot`, and `screenwatch` viewed?

Answer 59

They are sent to a dedicated tab that can be accessed via View > Screenshots.

Question 60

In the context of Cobalt Strike command behavior, what does Inline Execution refer to?

Answer 60

The execution of a Beacon Object File (BOF) within the memory space of the Beacon process itself.

Question 61

Which command provides a useful way to run PowerShell scripts in the context of another user, assuming sufficient privileges?

Answer 61

The `psinject` command, by injecting into a process owned by that user.

Question 62

What is the underlying project that the `powerpick` and `psinject` commands are based on?

Answer 62

They are based on Lee Christensen’s UnmanagedPowerShell project.