ndr-repo/crto-notes

crto-notes

Cobalt Strike

Cobalt Strike Cheatsheet - Payloads All The Things

RTO Infrastructure

Redirectors

HTTP Redirectors

High-reputation Redirectors & Domain Fronting

http_proxy

proxy_http_redirect

Empire Domain Fronting with Microsoft Azure

redirector2empire

DNS Redirectors

Socat UDP Redirector

socat -T 5 udp4-listen:53,fork udp4:teamserver.example.net:53

Beacons

HTTP & HTTPS Beacons

HTTP & HTTPS Beacons - Cobalt Strike Manual

Listeners

Redops.at - Cobalt Strike CDN/Reverse Proxy Listener Setup

DNS Listeners

Redops.at - Cobalt Strike DNS Listeners

Weaponization

Miscellaneous

Microsoft Learn - PowerShell - Running Remote Commands

Session-contained PowerShell One-Liner - Cobalt Strike 4.0

Cobalt Strike 4.0 - Bring Your Own Weaponization

Offensive PowerShell - Fighting the Toolset - Cobalt Strike (2018)

Process Injection

Direct vs Indirect Syscalls

Cobalt Strike Beacon - Windows System Calls

Core Security - Creating Processes Using System Calls

DLL Injection

System Call References

CreateProcessW - create a process that will have the same access token as the caller 

CreateProcessAsUserW - create a process using an alternate access token

CreateProcessWithLogonW - create a process using a user's plaintext credentials

Each API calls into the NtCreateUserProcess kernel function.

Post-Exploitation

Command Obfuscation

base64 encoding

$command = 'cmd /C cmdkey /list' ; $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) ; $encodedCommand = [Convert]::ToBase64String($bytes) ; Write-Output $command ; Write-Output $encodedCommand

Useful Windows Shell Commands

Windows: List Services – CMD & PowerShell Manual Enumeration - Windows Privilege Escalation

Stored Credentials

cmd /C cmdkey /list

User Groups

whoami /groups

User Privileges

whoami /priv

Pivoting

DNS & HTTP Pivoting

DNS & HTTP Pivoting with Cobalt Strike’s Beacon

About

Certified Red Team Operator (CRTO) notes
