# Initial Access / Aggressors

### Try to get cob to load against 127.0.0.2

### PowerShell:

Try to stick to powerpick using PPID spoofing

#### Aggressor to check for PowerShell logging:

```cilkcpp
on beacon_initial {
    # Check whether transcription is enabled (policy value: EnableTranscripting)
    blog($1, "Checking for PowerShell Transcription");
    bpowerpick($1, 'if((Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -ne $null) {Write-Output "PowerShell Transcription is Enabled!" }');

    # Check whether script block logging is enabled (ScriptBlockLogging key, not Transcription)
    blog($1, "Checking for PowerShell Script Block Logging");
    bpowerpick($1, 'if((Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -ne $null) {Write-Output "PowerShell Script Block Logging is Enabled!" }');

    # Check whether module logging is enabled (policy value: EnableModuleLogging)
    blog($1, "Checking for PowerShell Module Logging");
    bpowerpick($1, 'if((Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -ne $null) {Write-Output "PowerShell Module Logging is Enabled!" }');
}
```
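
Defender-side counterpart to the check above, as an added example that is not part of the original notes: it audits the same three policy keys and reports the actual value rather than only whether it exists, since a value of 0 exists but leaves logging off. The function name `Get-PSLoggingPolicy`, the report layout and the choice to also read the native (non-Wow6432Node) path are assumptions of this example; run it from an elevated 64-bit PowerShell.

```powershell
# Added example: audit PowerShell logging policy on a host.
# Value names are the documented Group Policy settings; everything else
# (function name, report columns) is this example's own.
$settings = [ordered]@{
    'Transcription'      = 'EnableTranscripting'
    'ScriptBlockLogging' = 'EnableScriptBlockLogging'
    'ModuleLogging'      = 'EnableModuleLogging'
}
$roots = [ordered]@{
    'Native'      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    'Wow6432Node' = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'
}

function Get-PSLoggingPolicy {
    foreach ($root in $roots.GetEnumerator()) {
        foreach ($s in $settings.GetEnumerator()) {
            $key   = Join-Path $root.Value $s.Key
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing key or missing value both come back as $null
            $value = if ($props) { $props.($s.Value) } else { $null }
            [pscustomobject]@{
                Path    = $root.Key
                Policy  = $s.Key
                Value   = $value
                Enabled = ($value -eq 1)   # only 1 counts as enabled; 0 and $null do not
            }
        }
    }
}

$report = Get-PSLoggingPolicy
$report | Format-Table -AutoSize

# Flag anything that is absent or explicitly disabled
$gaps = @($report | Where-Object { -not $_.Enabled })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} policy entries are missing or disabled" -f $gaps.Count)
}
```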

## Host Recon:

<https://github.com/dafthack/HostRecon>

<https://github.com/GhostPack/Seatbelt>

Think about running:

* KeeThief / enumerate password managers
* SessionGopher - steal session tokens / passwords
* SessionSearch
* Invoke-ShareFinder | `Invoke-ShareFinder -ExcludeStandard -NoPing -CheckShareAccess`
* Find interesting files | `Find-InterestingFile -Path C:\Users\Admin -Terms local`
* Search for local admin access | `Find-LocalAdminAccess` or try `dir \\host\C$`

#### Domain Trusts:

* PowerView - Invoke-MapDomainTrust\
  `Invoke-MapDomainTrust | Export-CSV -NoTypeInformation C:\Windows\Temp\trust.csv`
* DomainTrustExplorer parses the CSV and outputs a GraphML file\
  <https://github.com/sixdub/DomainTrustExplorer>\
  `python3 trust_explorer.py -f trust.csv -g`
* View the map using yEd

Immediate Persistence:

`UserInitMprLogonScript`
