Cobalt Strike:Host Reconnaissance

From RCATs
Revision as of 15:40, 13 February 2023 by SourMilk

Background

Prior to executing any post-exploitation steps, it is imperative for red teamers to assess the target system's security measures. This involves gathering information about the presence of antivirus (AV) software, endpoint detection and response (EDR) solutions, Windows audit policies, PowerShell logging, event forwarding, and other security-related components.

Host reconnaissance is a key input for judging the risk of red team activity on a host and for shaping the tactics used during the engagement. By learning which security measures are in place, red teamers can anticipate the likely obstacles and prepare for them. The concept of "offense in depth" mirrors "defense in depth," where multiple layers of security provide redundancy: in red teaming, it means having a range of tools and techniques ready that achieve the same objective, so that if one is blocked or detected another is available, minimizing the overall risk of detection.

Basic Cobalt Commands

# Show a list of all active hosts in the current team server session
hosts

# Switch to a specific host for further analysis
use [host_ip]

# Provide information about the currently selected host
info

# Show the services running on the target host
services

# List all the processes running on the target host
ps

# Scan the target host for open ports and services
portscan [host_ip]

# Show any saved credentials for the target host
creds

# Enumerate information about the current user
enum_user

# Enumerate information about the target system
enum_system

# Enumerate information about the target network
enum_network

# Enumerate information about the target's domain
enum_domain

# Enumerate information about installed software
enum_software

# Enumerate information about open ports and services
enum_ports

# Enumerate information about running processes
enum_processes

# Enumerate information about the target's scheduled tasks
enum_schtasks

# Enumerate information about the target's local users and groups
enum_local_users

# List all running Cobalt Strike tasks
tasks
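The enumeration commands above (user, system, network, domain, processes, services, scheduled tasks, local users) each map to a small set of native Windows binaries, and from the defender's side a burst of several of those categories from one parent process in a short window is a useful signal that host reconnaissance is underway. The following script is an added example, not code from the original page or from Cobalt Strike; it runs the heuristic over constructed process-creation records in a flattened "timestamp|host|parent_pid|image|command_line" format (an assumption, not a real log format), and the five-minute window and four-category threshold are assumed tuning values.

```python
"""Flag bursts of host-discovery commands spawned by a single parent process."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original page). One process
# creation per line: timestamp|host|parent_pid|image|command_line.
# WS01 shows a rapid enumeration burst; WS02 shows scattered admin activity.
SAMPLE_EVENTS = """\
2023-02-13T15:40:01|WS01|4412|C:\\Windows\\System32\\whoami.exe|whoami /all
2023-02-13T15:40:05|WS01|4412|C:\\Windows\\System32\\systeminfo.exe|systeminfo
2023-02-13T15:40:09|WS01|4412|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2023-02-13T15:40:14|WS01|4412|C:\\Windows\\System32\\net.exe|net user
2023-02-13T15:40:20|WS01|4412|C:\\Windows\\System32\\tasklist.exe|tasklist /v
2023-02-13T15:40:31|WS01|4412|C:\\Windows\\System32\\sc.exe|sc query
2023-02-13T15:40:40|WS01|4412|C:\\Windows\\System32\\schtasks.exe|schtasks /query /fo LIST
2023-02-13T15:41:02|WS01|4412|C:\\Windows\\System32\\net.exe|net localgroup administrators
2023-02-13T15:10:00|WS02|1180|C:\\Windows\\System32\\ipconfig.exe|ipconfig
2023-02-13T15:52:00|WS02|1180|C:\\Windows\\System32\\ping.exe|ping 10.0.0.1
2023-02-13T16:20:00|WS02|1180|C:\\Windows\\System32\\tasklist.exe|tasklist
"""

# Native binaries commonly behind each enumeration category listed on the page.
DISCOVERY_CATEGORIES = {
    "whoami.exe": "user",
    "systeminfo.exe": "system",
    "ipconfig.exe": "network",
    "arp.exe": "network",
    "net.exe": "users_groups",      # refined further in classify()
    "tasklist.exe": "processes",
    "sc.exe": "services",
    "schtasks.exe": "scheduled_tasks",
    "nltest.exe": "domain",
    "netstat.exe": "ports",
    "wmic.exe": "software",
}


def parse_event(line):
    """Split one flattened record into its fields; timestamps are ISO 8601."""
    ts, host, parent_pid, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent_pid": int(parent_pid), "image": image, "cmdline": cmdline}


def classify(image, cmdline):
    """Return the discovery category for a process, or None if it is not one."""
    # Split on backslashes by hand so this also works on non-Windows hosts.
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    category = DISCOVERY_CATEGORIES.get(name)
    if name == "net.exe":
        lower = cmdline.lower()
        if "/domain" in lower:
            return "domain"
        if " view" in lower or " share" in lower:
            return "network"
    return category


def find_discovery_bursts(events_text, window=timedelta(minutes=5), min_categories=4):
    """Alert once per (host, parent) when a window holds >= min_categories kinds."""
    by_parent = defaultdict(list)
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        cat = classify(ev["image"], ev["cmdline"])
        if cat is None:
            continue  # not a discovery binary; ignore
        by_parent[(ev["host"], ev["parent_pid"])].append((ev["ts"], cat, ev["cmdline"]))

    alerts = []
    for (host, ppid), items in by_parent.items():
        items.sort()  # chronological order
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            cats = sorted({c for _, c, _ in in_window})
            if len(cats) >= min_categories:
                alerts.append({"host": host, "parent_pid": ppid, "start": start,
                               "end": in_window[-1][0], "categories": cats,
                               "commands": [c for _, _, c in in_window]})
                break  # one alert per parent is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} parent {alert['parent_pid']}: "
              f"{len(alert['categories'])} discovery categories between "
              f"{alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Run against the sample, only WS01's parent 4412 is reported (seven categories in just over a minute), while WS02's ipconfig and tasklist, over an hour apart with a non-discovery ping in between, stay below the threshold. Keying on the parent process rather than the user is what makes the heuristic useful: an implant tends to spawn all of its enumeration from one process, whereas a human administrator issues the same commands from several shells over a longer period.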

External Tools

Seatbelt

Beacon Object Files

https://github.com/trustedsec/CS-Situational-Awareness-BOF