Lateral Movement

Moving laterally between computers in a domain is important for accessing sensitive information/materials, and obtaining new credentials. Cobalt Strike provides three strategies for executing Beacons/code/commands on remote targets.

The first and most convenient is to use the built-in jump command - the syntax is jump [method] [target] [listener]. Type jump to see a list of methods. This will spawn a Beacon payload on the remote target, and if using a P2P listener, will connect to it automatically.

beacon> jump

Beacon Remote Exploits
======================

    Exploit                   Arch  Description
    -------                   ----  -----------
    psexec                    x86   Use a service to run a Service EXE artifact
    psexec64                  x64   Use a service to run a Service EXE artifact
    psexec_psh                x86   Use a service to run a PowerShell one-liner
    winrm                     x86   Run a PowerShell script via WinRM
    winrm64                   x64   Run a PowerShell script via WinRM

Each method has it's own set of OPSEC concerns - we'll review some of the main indicators of each technique as we go through them.

The second strategy is to use the built-in remote-exec command - the syntax is remote-exec [method] [target] [command]. Type remote-exec to see a list of methods.

beacon> remote-exec

Beacon Remote Execute Methods
=============================

    Methods                         Description
    -------                         -----------
    psexec                          Remote execute via Service Control Manager
    winrm                           Remote execute via WinRM (PowerShell)
    wmi                             Remote execute via WMI

The remote-exec commands simply provide a means of executing commands on a remote target. They are therefore not exclusive to lateral movement, but they can be used as such. They require more manual work to manage the payload, but do offer a wider degree of control over what gets executed on the target. You also need to connect to P2P Beacons manually using connect or link.

The third is to use Cobalt Strike's other primitives (powershell, execute-assembly, etc) to implement something entirely custom. This requires the most amount of effort but also offers you the greatest degree of control. Custom methods can be integrated into the jump and remote-exec commands using Aggressor.

Each of these strategies are compatible with the various techniques described in the User Impersonation chapter. For example, you can use pth to impersonate a user and then jump to move laterally.

Some of Seatbelt's commands can also be run remotely, which can be useful enumerating its configurations and defences before jumping to it.

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=web

  Hostname                      :  web
  Domain Name                   :  dev.cyberbotic.io
  ProductName                   :  Windows Server 2022 Datacenter
  EditionID                     :  ServerDatacenter
  ReleaseId                     :  2009
  Build                         :  20348
  BuildBranch                   :  fe_release
  CurrentMajorVersionNumber     :  10
  CurrentVersion                :  6.3
  Architecture                  :  AMD6

Most lateral movement techniques leverage legitimate Windows management functionality, as this type of traffic and activity is not unusual to see on a network.