Cobalt Strike:Host Reconnaissance

From RCATs
Revision as of 15:36, 13 February 2023 by SourMilk

Background

Before any post-exploitation step, a red teamer should establish what security controls the target host actually has: antivirus (AV), endpoint detection and response (EDR), the Windows audit policy, PowerShell logging (script block, module and transcription logging), Windows Event Forwarding, and any similar telemetry sources. The reconnaissance itself has to be quiet: spawning powershell.exe or cmd.exe to ask whether PowerShell logging is on defeats the purpose, so prefer Beacon built-ins, in-process BOFs and direct registry reads until the logging picture is known.

Host reconnaissance determines how much risk a given action carries and shapes the tactics used for the rest of the engagement. Knowing which controls are in place lets the team anticipate what will be caught and prepare alternatives in advance. "Offense in depth" mirrors "defense in depth": where a defender layers controls for redundancy, the red team prepares several tools and techniques that reach the same objective, so that a blocked or detected path can be swapped for another with the least additional exposure.
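The survey described above, written out as an added example (this is not code from the RCATs page or from Cobalt Strike). It is a read-only check of the controls the Background section names: PowerShell logging, event forwarding, AMSI providers, registered AV, EDR kernel drivers and the audit policy. The short driver-name mapping is an assumption, illustrative rather than exhaustive. It is meant to be run in memory (for example through Beacon's powerpick) rather than via powershell.exe; if script block logging turns out to be on, the script has already been recorded as event 4104, which is why the registry reads come first and stay minimal.

```powershell
# Added example, not code from the RCATs page or from Cobalt Strike. Read-only survey of
# the host controls named in the Background section. Every check reads registry values,
# CIM classes or service state; nothing is written.

function Get-PSLoggingPolicy {
    # Group Policy stores these under Policies\Microsoft\Windows\PowerShell; a value of 1 means enabled.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $controls = [ordered]@{
        ScriptBlockLogging = 'EnableScriptBlockLogging'
        ModuleLogging      = 'EnableModuleLogging'
        Transcription      = 'EnableTranscripting'
    }
    foreach ($key in $controls.Keys) {
        $name = $controls[$key]
        $item = Get-ItemProperty -Path "$base\$key" -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Control = $key; Enabled = ($null -ne $item -and $item.$name -eq 1) }
    }
}

function Get-EventForwarding {
    # WEF collectors pushed by policy appear here as numbered REG_SZ values (Server=http://...).
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

function Get-AmsiProviders {
    # Each registered AMSI provider is a CLSID subkey; resolve the CLSID to its registered name.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Provider = $name }
    }
}

function Get-AvProducts {
    # Security Center registers AV products here on client SKUs; the namespace is absent on servers.
    try {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object displayName, productState, pathToSignedProductExe
    } catch { [pscustomobject]@{ displayName = 'SecurityCenter2 unavailable (server SKU?)' } }
}

function Get-SecurityDrivers {
    # Kernel drivers are a steadier EDR tell than process names. Assumption: this mapping is
    # illustrative and deliberately short; extend it for the estate you work in.
    $known = @{
        'WdFilter'        = 'Microsoft Defender AV minifilter'
        'MsSecFlt'        = 'Microsoft Defender for Endpoint'
        'SysmonDrv'       = 'Sysmon (default driver name; can be renamed)'
        'CSAgent'         = 'CrowdStrike Falcon'
        'SentinelMonitor' = 'SentinelOne'
    }
    # Win32_SystemDriver is readable without elevation, unlike fltmc.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv = $_
        $hit = $known.Keys | Where-Object { $drv.Name -like "$_*" } | Select-Object -First 1
        if ($hit) { [pscustomobject]@{ Driver = $drv.Name; State = $drv.State; Product = $known[$hit] } }
    }
}

function Get-AuditPolicy {
    # auditpol /get needs an elevated token; say so instead of failing silently.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { return 'auditpol requires elevation; rerun from an elevated Beacon' }
    # /r emits CSV, which is easier to filter than the default table.
    auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Run every check and label each section so the Beacon output stays readable.
foreach ($check in 'Get-PSLoggingPolicy','Get-EventForwarding','Get-AmsiProviders',
                   'Get-AvProducts','Get-SecurityDrivers','Get-AuditPolicy') {
    "=== $check ==="
    & $check | Format-Table -AutoSize | Out-String -Width 200
}
```

Read the PowerShell logging and event forwarding results first: if script block logging is enabled or a WEF collector is configured, everything that follows, including this script, is already being shipped off-host, and the rest of the engagement should be planned on that basis.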

Basic Cobalt Commands

Cobalt Strike has no hosts, use, info, services or creds console commands; those names belong to Metasploit's msfconsole, not to Beacon. In the Cobalt Strike client, known hosts and harvested credentials are viewed under View > Targets and View > Credentials. From an active Beacon, the built-ins that cover host reconnaissance are:

# Show the user and token context the Beacon is running as
getuid

# List all the processes running on the target host (look for AV/EDR agents and their architecture)
ps

# Query a registry key without spawning a child process, e.g. the PowerShell logging policy key
reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell

# Enumerate services; run executes the program directly (no cmd.exe), but it is still a new process
run sc query

# Built-in network enumeration that does not spawn a process
net view

# Scan for open ports and services: targets, ports, discovery method, max connections
portscan [targets] [ports] [arp|icmp|none] [max connections]

External Tools

Seatbelt (GhostPack): a C# host survey tool, normally run from Beacon with execute-assembly. Note that execute-assembly spawns a sacrificial process and loads the CLR into it, which EDRs watch for, so check the EDR picture before using it.

Beacon Object Files

https://github.com/trustedsec/CS-Situational-Awareness-BOF

TrustedSec's situational-awareness BOFs run inside the Beacon process via inline-execute, so no new process is created. They cover the same ground as the commands above (for example whoami, tasklist, sc_enum, reg_query and driversigs, the last of which checks driver signers against known AV/EDR vendors).