optiv/Registry-Recon

Stars
317
Rank 129,425 (Top 3 %)
Language
License
MIT License
Created almost 3 years ago
Updated about 2 years ago

optiv/Registry-Recon

optiv

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon

Registry-Recon

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon.

Author: Jess Hires

Description

As a red-team practitioner, we are often using tools that attempt to fingerprint details about a compromised system, preferably in the most stealthy way possible. Some of our usual tooling for this started getting flagged by EDR products, due to the use of Windows CLI commands. This aggressor script aims to solve that problem by only probing the system using native registry queries, no CLI commands.

Setup

Simply load reg.cna into Cobalt Strike using the Script Manager. Then right-click on the beacon you want to run registry recon on, and choose Registry then Recon, or type regenum into the beacon console.

How does this work?

Primarily, using Cobalt Strike's breg_query and breg_queryv functions. Then, all beacon output is hijacked with beacon_output, looking for specific values. When a positive match is made, the output will be highlighted in the beacon output. Since there is no beacon_output_reg or something similar, like beacon_output_ls and beacon_output_ps, all output must be captured for parsing.

What if my AV/EDR product isn't detected? / How can I help?

This is expected. We couldn't test for every AV/EDR solution, and we knew that many would be missing. You can help us out by submitting a GitHub issue including the following info:

If this is a System/AV/EDR entry
The name of the product
Relevant registry entries that can be used to positively ID the product

ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Freeze

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods

Mangle

Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs

Ivy

Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.

Freeze.rs

Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST

Go365

An Office365 User Attack Tool

Talon

A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment.

mobile-nuclei-templates

Dent

A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.

InsecureShop

An Intentionally designed Vulnerable Android Application built in Kotlin.

OSINT_Encyclopedia

Your go-to resource for all things OSINT

Microsoft365_devicePhish

A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow

blemon

Universal BLE Monitoring with Frida (or Objection)

rest-api-goat

KnockKnock

Enumerate valid users within Microsoft Teams and OneDrive with clean output.

rustyIron

rustyIron is a tool that takes advantage of functionality within Ivanti's MobileIron MDM solution to perform single-factor authentication attacks. rustyIron can locate the MobileIron MDM authentication endpoint, validate the authentication strategy of the environment, perform user enumeration, brute-force registration PIN values, and perform single-factor authentication attacks.

airCross

airCross is a tool that takes advantage of API functionality within VMWare's AirWatch MDM solution to perform single-factor authentication attacks. airCross can locate AirWatch authentication endpoint, validate the authentication strategy of the environment, collect GroupID authentication values, conduct single-factor authentication, and perform user enumeration, in some instances.

CVE-2020-15931

Netwrix Account Lockout Examiner 4.1 Domain Admin Account Credential Disclosure Vulnerability

nvdsearch

A National Vulnerability Database (NVD) API query tool

doppelganger

Doppelgänger is firmware that runs on ESP32 devices that can be embedded within commercially available RFID readers with the intent of capturing access control card data while performing physical security assessments. Doppelgänger keeps the operator's ease of access, maintenance, and operational communications in mind.

DATP_Queries

Microsoft Defender ATP Advanced Hunting Queries

Yara-Rules

netneedle

Network based steganography based control channels and chat.

showSSID

Luhn-Calculator

A very simple Burp extension to make it easier to enumerate credit cards in the Intruder.

burp-reset-a-tron

reset-a-tron Burp extension

burp-IBM-WebSphere-Portlet-Decoder

BurpSuite plugin for decoding IBM WebSphere Portlet States

burp-java-deserializer

android-ndk-crackme

A simple NDK-based application on which to demonstrate some important attack strategies.

warmap-go

VisualLockPickingWorkstation

The Visual Lock Picking Workstation is a Raspberry Pi enclosure which makes it possible to capture live video from a cutaway lock. It is intended as an instructional device which can be used to display the inner workings of a lock while teaching lock picking.

burpshellshock

Shellshock scanner for Apache MOD_CGI

talus

azure_runbooks

talus_client

checkpassword-.net

HIBP Pwned Passwords API Client for .NET apps

checkpassword-java

HIBP Pwned Passwords API client for Java projects

Lightning-Action-Editor

pyautoaws

Simple Python wrapper for Terraform/Ansible to build AWS resources

azure-api-management-tracing-helper

captcha-solve

terraform-eks

Terraform/Amazon EKS Deployment Starter Scripts