Privilege Escalation

Go to [beacon] -> Access -> Elevate to launch a privilege escalation exploit. Choose a listener, select an exploit, and press Launch to run the exploit. This dialog is a front-end for Beacon's elevate command.


Cobalt Strike ships with three built-in exploits:

ms14-058 is a (dated) privilege escalation exploit that works against unpatched Windows 7 systems.

uac-dll is a Bypass UAC attack that attempts to elevate a payload, run by a local administrator, from a medium integrity context to a high integrity context. This attack uses a UAC loophole to copy an Artifact Kit-generated DLL to a privileged location. It then runs an application that (a) assumes full privileges when run and (b) is vulnerable to DLL hijacking. These steps load a DLL that starts your Beacon session. This attack works on Windows 7 and unpatched versions of Windows 8 and later. This attack will not work if Always Notify is at its highest setting.

uac-token-duplication is another Bypass UAC attack to elevate from a medium integrity to a high integrity context (as a local admin). This attack uses a UAC loophole that allows a non-elevated process to launch an arbitrary process with a token stolen from an elevated process. This loophole requires the attack to remove several rights assigned to the elevated token. The abilities of your new session will reflect these restricted rights. This attack works on Windows 7 and later. If Always Notify is at its highest setting, this attack requires that an elevated process is already running in the current desktop session (as the same user). This exploit uses PowerShell to spawn a session.
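Both Bypass UAC techniques above end with a high-integrity process running on behalf of a medium-integrity one, with no UAC prompt shown to the user. The following is an added detection example, not Cobalt Strike or Elevate Kit code: it correlates Sysmon-style process-creation records (Event ID 1 fields ProcessGuid, ParentProcessGuid, Image, IntegrityLevel, User) and reports every child that starts at a higher integrity level than the parent that created it, which is the parent/child shape the token-duplication description implies (a non-elevated process launching a new process with a stolen elevated token). The record schema and the sample events are constructed for the example.

```python
"""Flag parent-to-child integrity-level jumps in process-creation records.

Added example (not Cobalt Strike code). Assumes Sysmon-like Event ID 1
records with ProcessGuid / ParentProcessGuid / Image / IntegrityLevel / User.
All sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rank Windows integrity levels as Sysmon names them; unknown labels rank -1
# so they never trigger a finding on their own.
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


@dataclass(frozen=True)
class ProcessEvent:
    process_guid: str
    parent_guid: Optional[str]
    image: str
    integrity: str
    user: str


@dataclass(frozen=True)
class Finding:
    child_image: str
    child_integrity: str
    parent_image: str
    parent_integrity: str
    user: str


def find_integrity_jumps(events: List[ProcessEvent]) -> List[Finding]:
    """Return one Finding per child whose integrity exceeds its parent's.

    A child whose parent record is outside the event window is skipped,
    because there is nothing to compare against.
    """
    by_guid: Dict[str, ProcessEvent] = {e.process_guid: e for e in events}
    findings: List[Finding] = []
    for child in events:
        parent = by_guid.get(child.parent_guid) if child.parent_guid else None
        if parent is None:
            continue
        child_rank = INTEGRITY_RANK.get(child.integrity, -1)
        parent_rank = INTEGRITY_RANK.get(parent.integrity, -1)
        if child_rank > parent_rank:
            findings.append(Finding(child.image, child.integrity,
                                    parent.image, parent.integrity, child.user))
    return findings


# Constructed sample window. The AppInfo service (svchost.exe, System) is the
# parent of a process elevated through a real consent prompt, so that case does
# not fire; a Medium explorer.exe directly creating a High powershell.exe does.
SAMPLE_EVENTS = [
    ProcessEvent("S-1", None, r"C:\Windows\System32\svchost.exe", "System", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("E-1", "S-1", r"C:\Windows\explorer.exe", "Medium", "LAB\\alice"),
    ProcessEvent("N-1", "E-1", r"C:\Windows\System32\notepad.exe", "Medium", "LAB\\alice"),
    ProcessEvent("M-1", "S-1", r"C:\Windows\System32\mmc.exe", "High", "LAB\\alice"),
    ProcessEvent("P-1", "E-1",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "High", "LAB\\alice"),
]


if __name__ == "__main__":
    for f in find_integrity_jumps(SAMPLE_EVENTS):
        print(f"integrity jump: {f.parent_image} ({f.parent_integrity}) -> "
              f"{f.child_image} ({f.child_integrity}) as {f.user}")
```

This parent/child check is deliberately narrow. Because the DLL-hijack variant above runs its payload inside an application that is itself auto-elevated by Windows, that process is created by the AppInfo service and shows no integrity jump from a medium-integrity parent; covering it requires a different signal, such as an elevated process loading a DLL from a path the user can write to. Treat the check as one rule among several, and tune it against your own event volume before alerting on it.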

You may add privilege escalation exploits to Cobalt Strike through the Elevate Kit. The Elevate Kit is an Aggressor Script that integrates several open source privilege escalation exploits into Cobalt Strike; it is available at https://github.com/rsmudge/ElevateKit.