# Context Menu
The cockpit context menu is the primary command interface for operating on target machines. Right-click any machine node in the Pivot Graph or any row in the Beacon Table to open it. The menu provides instant access to 120+ post-exploitation techniques organized into 12 operational categories, with real-time search, favorites, OPSEC risk indicators, and one-click execution.
**Keyboard shortcut:** The search input auto-focuses when the menu opens. Start typing immediately to filter commands.
## Search
A search bar at the top of the menu filters commands across all categories in real time. Matches are checked against:
- Technique name (e.g., "LSASS", "Kerberoast")
- Description text (e.g., "credential", "lateral")
- Technique ID (e.g., "T1003.001", "PRIVESC_UAC_CMLUA")
When a search query is active, the category structure is replaced by a flat list of matching results. Clear the search to return to the normal category view.
## Favorites & Recent Commands
**Favorites.** Click the star icon on any technique to mark it as a favorite. Favorited techniques appear in a dedicated Favorites section at the top of the menu, above all categories. Favorites persist across browser sessions via localStorage. To remove a favorite, click the filled star icon again.
**Recent Commands.** The menu tracks your last 10 executed commands and displays the 5 most recent in a Recent section below Favorites. This lets you quickly repeat frequently used techniques without navigating into categories. Recents update automatically each time you execute a technique.
## Quick Actions
These actions appear at the top of the menu and operate on the selected machine's beacon:
| Action | Description |
|---|---|
| Open Shell | Opens an interactive shell tab for the beacon |
| Kill Beacon | Terminates the beacon process on the target |
| Set Sleep | Changes the beacon's sleep interval (in seconds) |
## Explore
| Tab | Description |
|---|---|
| File Browser | Graphical file system browser for the target |
| Process List | Live process list with filtering and injection options |
| Desktop | VNC-style remote desktop view |
## Tunneling
| Action | Description |
|---|---|
| SOCKS Proxy | Creates a SOCKS4a/5 proxy tunnel through the beacon |
| Port Forward | Configures reverse port forwarding |
## Technique Categories
Techniques are organized into 12 operational categories following Cobalt Strike conventions. Categories with 5 or more techniques use two-level subcategory groupings for easier navigation.
| Category | Techniques | Subcategories |
|---|---|---|
| Credentials | 10 | SAM & LSA, LSASS, NTDS, Browser & Apps, LAPS/gMSA, Pass-the-Hash |
| Priv Esc | 19 | UAC Bypass, Potato, Token Manipulation, System |
| Lateral Movement | 4 | — |
| Injection | 5 | — |
| Evasion | 15 | AMSI/ETW, Sleep & Memory, Process, Logging, Config, LOLBins |
| Discovery | 18 | Network, Users & Groups |
| AD Attacks | 3 | — |
| Kerberos | 6 | — |
| Persistence | 1 | — |
| Coercion | 2 | — |
| Collection | 16 | Surveillance, Desktop, Data, Exfiltration |
| Execution | 22 | Shell & Script, Beacon Spawn, Code Execution, Impact |
Categories without subcategories (marked —) display techniques in a flat list.
## OPSEC Risk Indicators
Every technique in the menu displays a color-coded dot indicating its detection risk level (the High-risk dot is red):
| Risk | Meaning | Examples |
|---|---|---|
| Low | Passive enumeration, configuration changes, benign API calls. Minimal telemetry generated. | Net View, Port Scan, Clipboard, Screenshot, Get Privileges, Token Store, OPSEC Config |
| Medium | Active operations with a moderate detection footprint: fork-and-run, token manipulation, file operations, UAC bypass. | UAC Bypass (CMSTPLUA, fodhelper), Steal Token, File Operations, Registry, LOLBins |
| High | Operations touching heavily monitored resources: LSASS, SAM, NTDS, process injection, credential dumping, PowerShell execution, destructive operations. | LSASS Dump, SAM Dump, DCSync, Kerberoast, Process Injection, AMSI/ETW Bypass, PowerShell |
**Red means EDR is watching:** Techniques with a red OPSEC dot touch resources that every modern EDR monitors closely (LSASS, SAM hive, ETW providers, remote process handles). Use them only when necessary and combine with evasion techniques (indirect syscalls, BeaconGate, sleep masking) to reduce detection surface.
**Filter by risk:** Use the search bar to find low-risk alternatives quickly. Searching "low" does not filter by risk level directly, but you can search by technique name: prefer Net View over LSASS Dump for initial enumeration.
Risk levels are sourced from the knowledge base YAML metadata in `server/knowledge_base/techniques/` and served via the API. They are not hardcoded in the UI.
## Privilege Badges
Techniques that require high integrity (administrator/SYSTEM context) display an amber shield icon next to their name. This helps operators identify which commands will fail from a medium-integrity beacon and which ones require privilege escalation first.
- No badge: Works from standard user context (medium integrity)
- Shield icon: Requires elevated context (high integrity or SYSTEM)
**Escalate first:** If your beacon is running at medium integrity, use a Priv Esc technique first (UAC Bypass, Potato, GetSystem) before attempting commands with the shield badge.
## OS Filtering
The menu automatically filters techniques based on the target machine's operating system. Windows-only techniques are hidden when operating on a Linux beacon, and vice versa. Cross-platform techniques (e.g., port scanning, shell commands) appear on all targets.
This filtering happens transparently: you only see techniques that are applicable to your current target.
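As an added example that is not part of this documentation or the project's own code, the following JavaScript models the menu logic described in the Search, Favorites & Recent Commands and OS Filtering sections: a constructed technique table (field names are assumptions) is filtered by target OS, searched across name, description and ID, and combined with favorites and recents kept in a localStorage-style store.

```javascript
// Added example, not the project's own code: an in-memory model of the menu
// behaviour described above (OS filtering, search over name/description/ID,
// favorites persisted in storage, recents capped at 10 with 5 displayed).
// The technique records are constructed sample data; their field names are assumptions.
const TECHNIQUES = [
  { id: "T1018", name: "Net View", description: "Passive network enumeration", os: ["windows", "linux"], risk: "low" },
  { id: "T1046", name: "Port Scan", description: "Port scan from the beacon", os: ["windows", "linux"], risk: "low" },
  { id: "T1113", name: "Screenshot", description: "Capture the desktop", os: ["windows"], risk: "low" },
  { id: "T1003.001", name: "LSASS Dump", description: "Dump credentials from LSASS", os: ["windows"], risk: "high" },
];
// Stand-in for window.localStorage so the example runs under Node.
const backing = new Map();
const storage = {
  getItem: (k) => (backing.has(k) ? backing.get(k) : null),
  setItem: (k, v) => backing.set(k, String(v)),
};
const MAX_RECENTS = 10, SHOWN_RECENTS = 5;
const loadList = (key) => JSON.parse(storage.getItem(key) || "[]");
const saveList = (key, list) => storage.setItem(key, JSON.stringify(list));

// Star or unstar a technique; the list survives reloads because it lives in storage.
function toggleFavorite(id) {
  const favs = loadList("favorites");
  const next = favs.includes(id) ? favs.filter((f) => f !== id) : [...favs, id];
  saveList("favorites", next);
  return next;
}
// Record an execution: newest first, de-duplicated, at most MAX_RECENTS kept.
function recordExecution(id) {
  const recents = [id, ...loadList("recents").filter((r) => r !== id)].slice(0, MAX_RECENTS);
  saveList("recents", recents);
  return recents;
}
// Only techniques that list the target OS are shown; cross-platform ones list every OS.
const applicableTo = (os) => TECHNIQUES.filter((t) => t.os.includes(os));

// Search matches technique name, description text or technique ID, case-insensitively.
function search(os, query) {
  const q = query.trim().toLowerCase();
  return applicableTo(os).filter((t) => [t.name, t.description, t.id].some((f) => f.toLowerCase().includes(q)));
}

// Menu sections in display order: favorites, the SHOWN_RECENTS most recent, then all applicable.
function buildMenu(os) {
  const visible = new Set(applicableTo(os).map((t) => t.id));
  return { favorites: loadList("favorites").filter((id) => visible.has(id)),
           recents: loadList("recents").filter((id) => visible.has(id)).slice(0, SHOWN_RECENTS),
           techniques: applicableTo(os) };
}
```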
## Technique Execution
Techniques follow two execution paths depending on whether they require parameters:
**No required parameters.** The technique executes immediately on click with default values. A toast notification confirms the task was queued. This is the most common case for enumeration and configuration commands.
**Required parameters.** A parameter dialog opens, prompting you to fill in required fields (e.g., target PID for injection, username for token manipulation). Optional parameters show their defaults. Submit the dialog to execute.
## Spawn Beacon
The Spawn Beacon submenu provides 7 lateral movement methods for deploying a new beacon on the target machine from an existing beacon on another machine:
| Method | Protocol | Description |
|---|---|---|
| PsExec | SMB | Creates a service on the remote host via SMB admin shares |
| WMI | DCOM/RPC | Executes via Windows Management Instrumentation |
| WinRM | HTTP/S | Uses Windows Remote Management (PowerShell remoting) |
| DCOM | RPC | Leverages Distributed COM objects for execution |
| Pass-the-Hash | NTLM | Authenticates using an NTLM hash instead of a password |
| Pass-the-Ticket | Kerberos | Authenticates using a forged or stolen Kerberos ticket |
| Token Impersonation | Local | Uses a stolen token from the current beacon |
## P2P Links
The P2P Links submenu manages peer-to-peer beacon connections:
- Connect to TCP Bind -- connects to a TCP bind beacon listening on the target
- Unlink Child -- disconnects a linked child beacon
P2P connections allow beacons to chain together without direct internet access, routing traffic through parent beacons.
## Playbooks
The Run Playbook submenu lists available automation playbooks. Playbooks are predefined sequences of techniques that execute in order, useful for common operational workflows like initial enumeration or credential harvesting.
See Automation & Playbooks for details on creating and managing playbooks.