Cobalt Strike Aggressor Script that Performs Device/AV/EDR Recon
Writer: Jess Hires
As red-team practitioners, we regularly use tools that try to fingerprint details about a compromised host, ideally in the stealthiest way possible. Some of our standard tooling for this started getting flagged by EDR products because it relied on Windows CLI commands. This Aggressor script aims to solve that problem by probing the host using only native registry queries, with no CLI commands.
Load reg.cna into Cobalt Strike using the Script Manager. Then right-click the beacon you want to run registry recon on and select Recon, or type regenum into the beacon console.
How does this work?
Essentially, the script uses Cobalt Strike's breg_queryv functions. All beacon output is then hijacked with beacon_output, looking for specific values. When a match is made, the output is highlighted in the beacon output. Since there is no beacon_output_reg or something similar, like beacon_output_ps, all output must be captured for parsing.
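Because these queries run through the registry API rather than a command line, the usual process-creation telemetry never sees them; a read SACL on the security-product keys makes each query visible instead, as Security event 4663. The detection logic below is an added example for the defender side of this technique, not code from the original post or the tool. It assumes object-access auditing with a read SACL is enabled on the watched keys; the event records, the ExampleVendor key paths and the process paths are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Key prefixes whose bulk enumeration suggests AV/EDR fingerprinting. The two
# Windows Defender paths are real; the ExampleVendor entries are placeholders.
WATCHED_KEYS = (
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend",
    r"\REGISTRY\MACHINE\SOFTWARE\ExampleVendorEDR",                     # placeholder
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleEdrAgent",  # placeholder
)
KEY_QUERY_VALUE = 0x1  # AccessMask bit set in event 4663 when a value is read

def watched_prefix(object_name):
    """Return the watched key a 4663 ObjectName falls under, or None."""
    name = object_name.lower()
    return next((k for k in WATCHED_KEYS if name.startswith(k.lower())), None)

def find_registry_recon(events, min_keys=3, window=timedelta(seconds=60)):
    """Map each process that reads >= min_keys distinct watched keys inside one
    `window` to the sorted keys it touched. Each event is a dict with the 4663
    fields TimeCreated (datetime), ObjectType, ObjectName, AccessMask, ProcessName."""
    reads = defaultdict(list)  # ProcessName -> [(TimeCreated, key)]
    for ev in events:
        if ev["ObjectType"] != "Key" or not int(ev["AccessMask"], 16) & KEY_QUERY_VALUE:
            continue
        key = watched_prefix(ev["ObjectName"])
        if key:
            reads[ev["ProcessName"]].append((ev["TimeCreated"], key))
    flagged = {}
    for proc, items in reads.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide a time window over the reads
            hit = {k for t, k in items[i:] if t - start <= window}
            if len(hit) >= min_keys:
                flagged[proc] = sorted(hit)
                break
    return flagged

def sample_events():
    """Constructed 4663 records: one process sweeps every watched key in seconds, another reads one value."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    sweep, single = r"C:\Users\Public\update.exe", r"C:\Windows\System32\svchost.exe"
    evs = [{"TimeCreated": t0 + timedelta(seconds=i), "ObjectType": "Key",
            "ObjectName": k + r"\Start", "AccessMask": "0x1", "ProcessName": sweep}
           for i, k in enumerate(WATCHED_KEYS)]
    evs.append({"TimeCreated": t0, "ObjectType": "Key", "AccessMask": "0x1",
                "ObjectName": WATCHED_KEYS[0] + r"\DisableAntiSpyware", "ProcessName": single})
    return evs
```

Only the sweeping process is reported; a single read of one Defender value, which normal software does all the time, stays below the threshold.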
What if my AV/EDR product isn't detected? / How can I help?
That is expected. We couldn't test against every AV/EDR solution, and we knew that many would be missing. You can help us out by filing a GitHub issue with the following information:
- Whether this is a Device/AV/EDR entry
- The name of the product
- Related registry entries that can be used to positively identify the product
Source: KitPloit – PenTest Tools!