@HarmJ0y
Created September 28, 2018 22:22
Revisions

  1. HarmJ0y created this gist Sep 28, 2018.
    95 changes: 95 additions & 0 deletions cobaltstrike_sa.txt
    @@ -0,0 +1,95 @@
    Windows version:
    reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

    Users who have authed to the system:
    ls C:\Users\

    System env variables:
    reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

    Saved outbound RDP connections:
    reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers

    more info example:
    reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers\10.10.10.25

    IE proxy settings:
    reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
    reg queryv x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\ DefaultConnectionSettings


    From https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1:


    Check system policies (token filter policy/etc.)
    reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    Audit settings:
    reg query x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

    Command line process auditing:
    reg queryv x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit ProcessCreationIncludeCmdLine_Enabled

    Check if PS version 2 is installed:
    reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion

    Check if PS version 5 is installed:
    reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion

    Check if CLR 2.0 installed:
    ls C:\Windows\Microsoft.Net\Framework\v2.0.50727\

    Check if CLR 4.0 installed:
    ls C:\Windows\Microsoft.Net\Framework\v4.0.30319\

    PowerShell transcription settings:
    reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription

    PowerShell module logging:
    reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging

    PowerShell script block logging:
    reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

    LSA settings (NTLM, PPL, etc.)
    reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Lsa

    LAPS enabled:
    reg query x64 HKLM\Software\Policies\Microsoft Services\AdmPwd

    WEF settings:
    reg query x64 HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1

    MS Cached Logon Count:
    reg queryv x64 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon CachedLogonsCount

    Putty:
    reg query x64 HKCU\SOFTWARE\SimonTatham\Putty\

    Sysmon:
    reg query x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters
    reg queryv x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters Rules


    Users logged onto the machine:
    net logons

    Local admins:
    net localgroup administrators

    Local drives:
    drives

    Local shares:
    net share



    From https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1:


    Recently typed "run" commands:
    reg query x64 HKCU\software\microsoft\windows\currentversion\explorer\runmru
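Review bot: the labels "Check if PS version 2 is installed" and "Check if PS version 5 is installed" are imprecise for the two `reg queryv ... PowerShellEngine PowerShellVersion` lines: both commands read the PowerShellVersion value rather than testing for a key's presence, and the PowerShell\3 engine key reports whichever v3+ engine is present, so the returned value (4.0 versus 5.x, for instance) has to be read to tell them apart. Suggest relabeling them "PowerShell v2 engine version" and "PowerShell v3+ engine version". Also, the `Servers\10.10.10.25` line under "more info example" should say the address is a placeholder to be replaced with an entry from the preceding `Servers` listing, since the key will not exist otherwise.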