
Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon.

Author: Jess Hires


As red-team practitioners, we regularly use tools that try to fingerprint a compromised system, ideally in the stealthiest way possible. Some of our usual tooling for this started getting flagged by EDR products because it relied on Windows CLI commands. This aggressor script aims to solve that problem by probing the system with native registry queries only, with no CLI commands.


Simply load reg.cna into Cobalt Strike using the Script Manager. Then right-click on the beacon you want to run registry recon on and choose Registry, then Recon, or type regenum into the beacon console.

How does this work?

Primarily by using Cobalt Strike's breg_query and breg_queryv functions. All beacon output is then hooked with beacon_output and searched for specific values. When a match is found, the matching output is highlighted in the beacon console. Since there is no beacon_output_reg hook (or anything similar to beacon_output_ls and beacon_output_ps), all output has to be captured for parsing.
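The mirror image of the mechanism above, from the blue-team side, is spotting a single process that reads several security-product registry keys in quick succession, which is what a registry-only recon pass looks like if registry reads are audited. The following is an added example written for this page, not code from reg.cna or its author: it parses constructed, simplified registry-read audit records (a "timestamp | process image | key" line format invented here, not real Windows Security log output) and flags any process that reads at least three distinct watched keys inside a short window. The "Windows Defender" key name is the real one; the ExampleVendorEDR and ExampleAVService paths are hypothetical placeholders standing in for other vendors' keys.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit records (not real Windows event output):
# "<ISO timestamp> | <process image> | <registry key opened for read>"
SAMPLE_EVENTS = """\
2024-01-01T10:00:01Z | C:\\Windows\\System32\\svchost.exe | HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection
2024-01-01T10:00:03Z | C:\\Users\\alice\\AppData\\Roaming\\update.exe | HKLM\\SOFTWARE\\Microsoft\\Windows Defender
2024-01-01T10:00:04Z | C:\\Users\\alice\\AppData\\Roaming\\update.exe | HKLM\\SOFTWARE\\ExampleVendorEDR\\Agent
2024-01-01T10:00:05Z | C:\\Users\\alice\\AppData\\Roaming\\update.exe | HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleAVService
2024-01-01T10:00:06Z | C:\\Users\\alice\\AppData\\Roaming\\update.exe | HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
2024-01-01T10:05:00Z | C:\\Program Files\\Inventory\\inv.exe | HKLM\\SOFTWARE\\ExampleVendorEDR\\Agent
2024-01-01T11:30:00Z | C:\\Program Files\\Inventory\\inv.exe | HKLM\\SOFTWARE\\Microsoft\\Windows Defender
"""

# Key-path patterns that identify security products. "Windows Defender" is the
# product's real key name; the two "Example*" entries are hypothetical placeholders.
WATCHED_KEY_PATTERNS = [
    re.compile(r"\\Windows Defender(\\|$)", re.IGNORECASE),
    re.compile(r"\\ExampleVendorEDR(\\|$)", re.IGNORECASE),
    re.compile(r"\\Services\\ExampleAVService(\\|$)", re.IGNORECASE),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<image>.+?) \| (?P<key>.+)$")


def parse_events(text):
    """Parse the constructed record lines into (datetime, image, key) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines instead of aborting
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["image"], m["key"]))
    return events


def is_watched_key(key):
    """True if the key path names one of the watched security-product locations."""
    return any(p.search(key) for p in WATCHED_KEY_PATTERNS)


def find_enumeration(events, min_keys=3, window_seconds=60):
    """Return {image: sorted watched keys} for every process that read at least
    `min_keys` distinct watched keys within some `window_seconds` span.
    A lone read (e.g. svchost checking one Defender value) is not flagged; a
    burst across several products' keys is."""
    by_image = defaultdict(list)
    for ts, image, key in events:
        if is_watched_key(key):
            by_image[image].append((ts, key))

    hits = {}
    for image, reads in by_image.items():
        reads.sort()  # chronological, so a sliding window can start at each read
        for i in range(len(reads)):
            start = reads[i][0]
            distinct = {k for t, k in reads[i:] if (t - start).total_seconds() <= window_seconds}
            if len(distinct) >= min_keys:
                hits[image] = sorted(distinct)
                break
    return hits


if __name__ == "__main__":
    for image, keys in find_enumeration(parse_events(SAMPLE_EVENTS)).items():
        print(f"registry recon suspected from {image}:")
        for k in keys:
            print(f"  {k}")
```

In the constructed data, update.exe touches three watched keys within two seconds and is flagged, while svchost.exe (one key) and inv.exe (two keys, 85 minutes apart) are not; widening the window or lowering min_keys trades fewer misses for more noise from legitimate inventory tools.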

What if my AV/EDR product isn't detected? / How can I help?

That is expected. We couldn't test against every AV/EDR solution, and we knew many would be missing. You can help us out by filing a GitHub issue with the following information:

  • Whether it is a System, AV or EDR entry
  • The name of the product
  • Related registry entries that can be used to positively identify the product

Source: KitPloit – PenTest Tools!
